Interestingly, I was able to get this working on an Ubuntu host but not on the Archlinux one, even with the standard linux
kernel.
Ubuntu
$ lxc config show c1
architecture: x86_64
config:
environment.LANG: en_US.UTF-8
environment.LC_COLLATE: POSIX
image.architecture: amd64
image.description: Ubuntu jammy amd64 (20220801_07:42)
image.os: Ubuntu
image.release: jammy
image.serial: "20220801_07:42"
image.type: squashfs
image.variant: default
raw.idmap: |
both 1003 1003
gid 1004 1004
security.nesting: "true"
security.syscalls.intercept.mknod: "true"
security.syscalls.intercept.setxattr: "true"
volatile.base_image: 28a4d7df8557cba690b1cc3f11585bfebe8e904fb7abf9e8eb621894da96fed6
volatile.cloud-init.instance-id: dbf64754-aaf4-4a43-82a7-b0c1df237479
volatile.eth0.host_name: veth28601199
volatile.eth0.hwaddr: 00:16:3e:75:7b:14
volatile.idmap.base: "0"
volatile.idmap.current: '[{"Isuid":true,"Isgid":false,"Hostid":1000000,"Nsid":0,"Maprange":1003},{"Isuid":true,"Isgid":true,"Hostid":1003,"Nsid":1003,"Maprange":1},{"Isuid":true,"Isgid":false,"Hostid":1001004,"Nsid":1004,"Maprange":999998996},{"Isuid":false,"Isgid":true,"Hostid":1000000,"Nsid":0,"Maprange":1003},{"Isuid":true,"Isgid":true,"Hostid":1003,"Nsid":1003,"Maprange":1},{"Isuid":false,"Isgid":true,"Hostid":1004,"Nsid":1004,"Maprange":1},{"Isuid":false,"Isgid":true,"Hostid":1001005,"Nsid":1005,"Maprange":999998995}]'
volatile.idmap.next: '[{"Isuid":true,"Isgid":false,"Hostid":1000000,"Nsid":0,"Maprange":1003},{"Isuid":true,"Isgid":true,"Hostid":1003,"Nsid":1003,"Maprange":1},{"Isuid":true,"Isgid":false,"Hostid":1001004,"Nsid":1004,"Maprange":999998996},{"Isuid":false,"Isgid":true,"Hostid":1000000,"Nsid":0,"Maprange":1003},{"Isuid":true,"Isgid":true,"Hostid":1003,"Nsid":1003,"Maprange":1},{"Isuid":false,"Isgid":true,"Hostid":1004,"Nsid":1004,"Maprange":1},{"Isuid":false,"Isgid":true,"Hostid":1001005,"Nsid":1005,"Maprange":999998995}]'
volatile.last_state.idmap: '[]'
volatile.last_state.power: RUNNING
volatile.uuid: 022d6f84-4f61-423f-b178-5a5c8d9f28c9
devices:
docker:
path: /var/lib/docker
pool: docker
source: c1
type: disk
home:
path: /home/four
source: /home/four/
type: disk
shared:
path: /mnt/shared
source: /mnt/shared
type: disk
ephemeral: false
profiles:
- default
stateful: false
description: ""
Archlinux
$ sudo lxc config show c1
architecture: x86_64
config:
environment.LANG: en_US.UTF-8
environment.LC_COLLATE: POSIX
image.architecture: amd64
image.description: Ubuntu jammy amd64 (20220801_07:42)
image.os: Ubuntu
image.release: jammy
image.serial: "20220801_07:42"
image.type: squashfs
image.variant: default
raw.idmap: |
both 1003 1003
gid 1004 1004
security.nesting: "true"
security.syscalls.intercept.mknod: "true"
security.syscalls.intercept.setxattr: "true"
volatile.base_image: 28a4d7df8557cba690b1cc3f11585bfebe8e904fb7abf9e8eb621894da96fed6
volatile.cloud-init.instance-id: 02fe5c34-5072-4e40-afbb-e835a7de03b1
volatile.eth0.host_name: vetha0a1f7de
volatile.eth0.hwaddr: 00:16:3e:b1:1b:90
volatile.eth0.name: eth0
volatile.idmap.base: "0"
volatile.idmap.current: '[{"Isuid":true,"Isgid":false,"Hostid":100000,"Nsid":0,"Maprange":1003},{"Isuid":true,"Isgid":true,"Hostid":1003,"Nsid":1003,"Maprange":1},{"Isuid":true,"Isgid":false,"Hostid":101004,"Nsid":1004,"Maprange":64532},{"Isuid":false,"Isgid":true,"Hostid":100000,"Nsid":0,"Maprange":1003},{"Isuid":true,"Isgid":true,"Hostid":1003,"Nsid":1003,"Maprange":1},{"Isuid":false,"Isgid":true,"Hostid":1004,"Nsid":1004,"Maprange":1},{"Isuid":false,"Isgid":true,"Hostid":101005,"Nsid":1005,"Maprange":64531}]'
volatile.idmap.next: '[{"Isuid":true,"Isgid":false,"Hostid":100000,"Nsid":0,"Maprange":1003},{"Isuid":true,"Isgid":true,"Hostid":1003,"Nsid":1003,"Maprange":1},{"Isuid":true,"Isgid":false,"Hostid":101004,"Nsid":1004,"Maprange":64532},{"Isuid":false,"Isgid":true,"Hostid":100000,"Nsid":0,"Maprange":1003},{"Isuid":true,"Isgid":true,"Hostid":1003,"Nsid":1003,"Maprange":1},{"Isuid":false,"Isgid":true,"Hostid":1004,"Nsid":1004,"Maprange":1},{"Isuid":false,"Isgid":true,"Hostid":101005,"Nsid":1005,"Maprange":64531}]'
volatile.last_state.idmap: '[{"Isuid":true,"Isgid":false,"Hostid":100000,"Nsid":0,"Maprange":1003},{"Isuid":true,"Isgid":true,"Hostid":1003,"Nsid":1003,"Maprange":1},{"Isuid":true,"Isgid":false,"Hostid":101004,"Nsid":1004,"Maprange":64532},{"Isuid":false,"Isgid":true,"Hostid":100000,"Nsid":0,"Maprange":1003},{"Isuid":true,"Isgid":true,"Hostid":1003,"Nsid":1003,"Maprange":1},{"Isuid":false,"Isgid":true,"Hostid":1004,"Nsid":1004,"Maprange":1},{"Isuid":false,"Isgid":true,"Hostid":101005,"Nsid":1005,"Maprange":64531}]'
volatile.last_state.power: STOPPED
volatile.uuid: 4ffa4e66-0ee5-4b8c-a0aa-d15c47ab0bd6
devices:
docker:
path: /var/lib/docker
pool: docker
source: c1
type: disk
home:
path: /home/four
source: /home/four/
type: disk
shared:
path: /mnt/shared
source: /mnt/shared
type: disk
ephemeral: false
profiles:
- default
stateful: false
description: ""
They were set up the same way. For example:
sudo adduser two
sudo adduser three
sudo adduser four
Which resulted in /etc/passwd
on host:
one:x:1000:1000:one,,,:/home/one:/bin/bash
two:x:1001:1001:,,,:/home/two:/bin/bash
three:x:1002:1002:,,,:/home/three:/bin/bash
four:x:1003:1003:,,,:/home/four:/bin/bash
Then I added a shared group:
sudo groupadd -g 1004 shared
sudo gpasswd -a one shared
sudo gpasswd -a two shared
sudo gpasswd -a three shared
sudo gpasswd -a four shared
In /etc/group:
one:x:1000:
two:x:1001:
three:x:1002:
four:x:1003:
shared:x:1004:one,two,three,four
The host sub{uid,gid}:
$ cat /etc/subuid
one:100000:65536
two:165536:65536
three:231072:65536
four:296608:65536
$ cat /etc/subgid
one:100000:65536
two:165536:65536
three:231072:65536
four:296608:65536
Finally, I added the extra group:
sudo tee -a /etc/subgid <<EOF
shared:362145:1
EOF
Standard setup:
$ lxd init
Would you like to use LXD clustering? (yes/no) [default=no]: no
Do you want to configure a new storage pool? (yes/no) [default=yes]:
Name of the new storage pool [default=default]:
Name of the storage backend to use (ceph, btrfs, dir, lvm, zfs) [default=zfs]: btrfs
Create a new BTRFS pool? (yes/no) [default=yes]: yes
Would you like to use an existing empty block device (e.g. a disk or partition)? (yes/no) [default=no]:
Size in GB of the new loop device (1GB minimum) [default=5GB]:
Would you like to connect to a MAAS server? (yes/no) [default=no]:
Would you like to create a new local network bridge? (yes/no) [default=yes]:
What should the new bridge be called? [default=lxdbr0]:
What IPv4 address should be used? (CIDR subnet notation, “auto” or “none”) [default=auto]:
What IPv6 address should be used? (CIDR subnet notation, “auto” or “none”) [default=auto]:
Would you like the LXD server to be available over the network? (yes/no) [default=no]:
Would you like stale cached images to be updated automatically? (yes/no) [default=yes]:
Would you like a YAML "lxd init" preseed to be printed? (yes/no) [default=no]:
$ sudo lxc launch images:ubuntu/22.04 c1
$ sudo lxc storage create docker btrfs
$ sudo lxc storage volume create docker c1
$ sudo lxc config device add c1 docker disk pool=docker source=c1 path=/var/lib/docker
$ sudo lxc config set c1 security.nesting=true \
security.syscalls.intercept.mknod=true \
security.syscalls.intercept.setxattr=true
$ sudo lxc config set c1 environment.LANG en_US.UTF-8
$ sudo lxc config set c1 environment.LC_COLLATE POSIX
$ sudo mkdir -p /mnt/shared && sudo chown -R root:shared /mnt/shared
$ sudo chmod g+s /mnt/shared
$ sudo lxc config device add c1 home disk source=/home/four/ path=/home/four
$ sudo lxc config device add c1 shared disk source=/mnt/shared path=/mnt/shared
$ lxc exec c1 bash
# groupadd -g 1003 four
# groupadd -g 1004 shared
# useradd -u 1003 -g 1003 -G shared four
exit
Finally, add the raw.idmap and restart:
printf "both 1003 1003\ngid 1004 1004\n" | sudo lxc config set c1 raw.idmap -
systemctl reload snap.lxd.daemon