Files owned by host 'root' (user:rw) show up as 'nobody' in container and can be deleted from container

New to LXD but kinda digging it.

Have an unprivileged container “c1” (Ubuntu server 22.04) running on Ubuntu 22.04. Added a host directory as device to container.

 lxc config device add c1 videos disk source=/mnt/mediashare/videos path=/mnt/videos

Mapped a host/container user (uid/gid = 1333) to be equal across host/container.
lxc config set c1 raw.idmap "both 1333 1333"
so container can read/write to host.

Files created on host as UID=1333 show up as UID=1333 in container, and vice versa, files created in container by UID=1333 show up as UID=1333 in host.

Files created as root or other users in container “c1” show up as uid:gid = 1000000:1000000 on host. So far so good.

However, files created by either other users (not 1333) or root (0) on host show up as nobody:nobody in the container (65534:65534), and can be deleted by either root or user 1333 in container.

Even though there are no critical OS files in the host share “/mnt/mediashare/videos”, this strikes me as a bit dangerous, particularly for the root-owned files.

Can someone set me straight? Can the container honor the lack of write permissions on the host files? Or is it because the container is started by root it gains full power over host files?

Thanks in advance.
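As an added illustration (not from the thread and not LXD code), a small POSIX sh model of the id mapping the question describes: it assumes the container's default range is host 1000000 + 65536 ids, inserts the raw.idmap "both 1333 1333" entry, and includes the directory-permission rule that decides whether a mapped host id can unlink a file.

```shell
#!/bin/sh
# Constructed model (not LXD code) of the id mapping in the question:
# default range assumed to be host 1000000 + 65536 ids, with raw.idmap
# "both 1333 1333" punching an identity mapping into it. uid and gid are
# mapped the same way, so one function serves both.
BASE=1000000
RANGE=65536
IDMAP=1333
NOBODY=65534   # overflow id: what the container shows for unmapped host ids

# container id -> host id ("unmapped" if the id has no host counterpart)
container_to_host() {
    if [ "$1" -eq "$IDMAP" ]; then echo "$IDMAP"
    elif [ "$1" -ge 0 ] && [ "$1" -lt "$RANGE" ]; then echo $((BASE + $1))
    else echo unmapped; fi
}

# host id -> id seen inside the container
host_to_container() {
    if [ "$1" -eq "$IDMAP" ]; then echo "$IDMAP"
    elif [ "$1" -ge "$BASE" ] && [ "$1" -lt $((BASE + RANGE)) ]; then
        id=$(($1 - BASE))
        # the slot taken by the raw.idmap entry leaves host 1001333 unmapped
        if [ "$id" -eq "$IDMAP" ]; then echo "$NOBODY"; else echo "$id"; fi
    else echo "$NOBODY"; fi
}

# Unlinking a file is decided by write+search permission on its directory,
# checked on the host against the mapped host ids; the file's own owner and
# mode do not matter (sticky bit ignored in this model).
# args: dir_mode (octal literal, e.g. 0775) dir_uid dir_gid host_uid host_gid
dir_allows_unlink() {
    mode=$(( $1 )); duid=$2; dgid=$3; uid=$4; gid=$5
    if [ "$uid" -eq 0 ]; then echo yes; return; fi        # only real host root
    if [ "$uid" -eq "$duid" ]; then bits=$(( (mode >> 6) & 7 ))
    elif [ "$gid" -eq "$dgid" ]; then bits=$(( (mode >> 3) & 7 ))
    else bits=$(( mode & 7 )); fi
    if [ $((bits & 3)) -eq 3 ]; then echo yes; else echo no; fi
}

# Worked case: a host-root-owned file, touched by root inside the container
huid=$(container_to_host 0)                 # 1000000
echo "container root is host $huid and sees host root's files as $(host_to_container 0)"
echo "unlink allowed in a 0777 directory: $(dir_allows_unlink 0777 0 0 "$huid" "$huid")"
echo "unlink allowed in a 0755 directory: $(dir_allows_unlink 0755 0 0 "$huid" "$huid")"
```

The model shows why the share's directory mode, not the ownership of the individual files, is what controls deletion from the container.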

I’m sorry but given the recent actions from Canonical regarding LXD:

We really can’t be providing support to LXD users on this forum anymore.

You may want to consider switching to Incus instead, or if you’d like to stay on LXD, you should reach out on the Canonical forum instead.

Sorry about that!