New to LXD but kinda digging it.
Have an unprivileged container “c1” (Ubuntu server 22:04) running on Ubuntu 22:04. Added a host directory as device to container.
lxc config device add c1 videos disk source=/mnt/mediashare/videos path=/mnt/videos
Mapped a host/container user (uid/gid = 1333) to be equal across host/container.
lxc config set c1 raw.idmap "both 1333 1333"
so container can read/write to host.
Files created on host as UID=1333 show up as UID=1333 in container, and vice versa, files created in container by UID=1333 show up as UID=1333 in host.
Files create as root or other users in container “c1” show up as uid:gid = 1000000:1000000 on host. So far so good.
However, files created by either other users (not 1333) or root (0) on host show up as nobody:nobody in the container (65534:65534), and can be deleted by either root or user 1333 in container.
Even though there are no critical OS files in the host share “/mnt/mediashare/videos”, this strikes me as a bit dangerous, particular for the root-owned files.
Can someone set me straight? Can the container honor the lack of write permissions on the host files? Or is it because the container is started by root it gains full power over host files?
Thanks in advance.