How to map external uid/gid to non-root (0:0) uid/gid inside of container?

Up to now I’ve run docker containers inside Incus LXC containers by passing PUID=0/PGID=0 as environment variables in the docker compose file, in conjunction with an incus config set <container> raw.idmap call, so that the docker container can read/write the external folders I give it.

As far as I understand it, with the raw.idmap call I’m saying my external uid/gid of 1000/1000 is linked to the container’s internal root user of uid/gid of 0/0. From there, I tell docker to use the uid/gid of 0/0 for its internal user with PUID=0/PGID=0 and I’m good to go, I guess.

Unfortunately, Automatic Ripping Machine seems to use something else for the uid/gid alignment than the other docker containers I’ve run into, and it cannot set its internal arm user uid/gid to 0/0 because a root user apparently already exists in the docker container. It gives this error when trying to start the docker container:

*** Running /etc/my_init.d/arm_user_files_setup.sh...
Updating arm user id from 1000 to 0...
usermod: UID '0' already exists
*** /etc/my_init.d/arm_user_files_setup.sh failed with status 4

How can I map my external uid/gid of 1000/1000 to not the container’s root user of 0/0 so that I can give the docker container an - ARM_UID=# - ARM_GID=# of not 0/0?

I am not sure how to even go about it - do I make a new user in the container and try to go from there? Is there a direct way via incus config calls?

Also, if there is a better way to achieve read/write access from within a container - let me know. I found the raw.idmap way via searching and it may be old or not the best for security or something.

I am running on Debian 12 so I do not have access to the shift=true option, also.

Here are the config calls I make to set up the instance “autoripper”, just in case any after are relevant.

printf "uid $(id -u) 0\ngid $(id -g) 0" | sudo incus config set autoripper raw.idmap -
sudo incus config device add autoripper config disk source=/config/autoripper path=/config/autoripper
sudo incus config device add autoripper compose disk source=/compose/autoripper path=/compose/autoripper
sudo incus config device add autoripper cache disk source=/cache/autoripper path=/cache/autoripper
sudo incus config device add autoripper media disk source=/mnt/rips/Media path=/rips/Media
sudo incus config device add autoripper music disk source=/mnt/rips/Music path=/rips/Music
sudo incus config device add autoripper http-forward proxy listen=tcp:0.0.0.0:8099 connect=tcp:127.0.0.1:8099

And here is the docker compose file for Automatic Ripping Machine, in case it is relevant:

services:
    autoripper:
        image: automaticrippingmachine/automatic-ripping-machine:latest
        container_name: autoripper
        environment:
          - PUID=0
          - PGID=0
          - ARM_UID=0
          - ARM_GID=0
          - TZ=America/Los_Angeles
        ports:
          - '8099:8080'
        devices:
          - '/dev/sr0:/dev/sr0'
        volumes:
          - '/config/autoripper:/etc/arm/config:rw'
          - '/cache/autoripper:/home/arm:rw'
          - '/cache/autoripper/logs:/home/arm/logs:rw'
          - '/rips/Music:/home/arm/Music:rw'
          - '/rips/Media:/home/arm/media:rw'
        privileged: true
        restart: unless-stopped

Thanks to the friendly community!

Got it, the call

printf "uid $(id -u) 0\ngid $(id -g) 0" | sudo incus config set autoripper raw.idmap -

has those 0’s to route it to the root user. I made a user with a UID of 1111 and a GID of 1111, then mapped to that:

printf "uid $(id -u) 1111\ngid $(id -g) 1111" | sudo incus config set autoripper raw.idmap -

I can’t find a good explanation of its syntax but pieced it together eventually from Idmaps for user namespace - Incus documentation. Still happy to hear if there’s a better/safer way to achieve file stuff.
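
The raw.idmap line format worked out in the thread, as an added example that is not part of the original posts or of Incus itself: a small parser that also flags entries pointing a host id at container root. It assumes the syntax from the Incus idmap documentation (uid, gid or both, then the host id or range, then the container id or range); the function names and sample values are constructed for illustration.

```python
import re

# Assumed format per line: "<uid|gid|both> <host id or range> <container id or range>"
_LINE = re.compile(r"^(uid|gid|both)\s+(\d+)(?:-(\d+))?\s+(\d+)(?:-(\d+))?$")


def parse_raw_idmap(text):
    """Return a list of (kind, host_first, container_first, count) tuples."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        m = _LINE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: cannot parse {line!r}")
        kind, h0, h1, c0, c1 = m.groups()
        h0, c0 = int(h0), int(c0)
        h1 = int(h1) if h1 else h0
        c1 = int(c1) if c1 else c0
        # Both sides must describe ranges of the same, non-negative length.
        if h1 < h0 or c1 < c0 or h1 - h0 != c1 - c0:
            raise ValueError(f"line {lineno}: host and container ranges differ in size")
        entries.append((kind, h0, c0, h1 - h0 + 1))
    return entries


def lint_raw_idmap(text):
    """Warn about entries that give container root (id 0) a host identity."""
    warnings = []
    for kind, host, cont, _count in parse_raw_idmap(text):
        if cont == 0:  # ids are non-negative, so a range containing 0 starts at 0
            warnings.append(f"{kind} {host} is mapped to container root (0): "
                            f"root in the instance writes as host id {host}")
    return warnings


# Constructed samples: the two mappings from the thread, with host uid/gid 1000.
ROOT_MAPPED = "uid 1000 0\ngid 1000 0"
USER_MAPPED = "uid 1000 1111\ngid 1000 1111"

if __name__ == "__main__":
    for name, value in (("root-mapped", ROOT_MAPPED), ("user-mapped", USER_MAPPED)):
        print(name, parse_raw_idmap(value), lint_raw_idmap(value) or "no warnings")
```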