How to run unprivileged containers from different users with systemd?

I want to run several containers in parallel. I want all of them to be unprivileged, but have different uid/gid mappings. My idea is to create several users (one per container), then define uid/gid mappings for them in /etc/subuid and /etc/subgid, then write an lxc.idmap line into each container’s config.
The problem is that I don’t see how to start these containers with systemd.
Systemd contains an lxc@guestname.service unit. It starts lxc-start and passes it a container name. Then the lxc-start command line tool should read the username from the container’s config. But I don’t see such a configuration parameter in man 5 lxc.container.conf.
If I start all containers as the root user, then they will all have the same ranges of subuid and subgid, and I am afraid that this may open some vulnerability for cross-container access.

Your approach is fine and you can definitely do something like that, but you will indeed need your own systemd units to start those containers.

Another approach which is closer to what LXD does would be to carve out one very large allocation for the root user in /etc/subuid and /etc/subgid, then have all of your unprivileged containers defined in /var/lib/lxc with different lxc.idmap entries (pulling chunks from the big allocation).

As those will be started by root, the systemd unit should work just fine and the container itself will still be unprivileged.
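The "one big allocation for root" approach above, as an added example that is not part of this thread or of LXC itself: a small POSIX sh script that parses a constructed `root:1000000:2000000` line in the /etc/subuid format and hands each container its own non-overlapping 65536-id chunk as lxc.idmap lines, refusing a chunk that would run past root's allocation. The sample line, the chunk size and the helper names are assumptions, not values from the thread.

```sh
#!/bin/sh
# Added example (not from the thread): split one large root allocation from
# /etc/subuid and /etc/subgid into non-overlapping per-container lxc.idmap
# chunks, so that no two containers share host uids/gids.

# Constructed sample line in /etc/subuid form; a real deployment would read
# the root entry from /etc/subuid and /etc/subgid instead.
SAMPLE_SUBUID_LINE="root:1000000:2000000"
CHUNK=65536   # ids handed to each container (assumed size, one full 16-bit range)

# parse_subuid_line LINE: set SUB_START and SUB_COUNT from a user:start:count line.
parse_subuid_line() {
    IFS=: read -r _user SUB_START SUB_COUNT <<EOF
$1
EOF
    [ -n "$SUB_COUNT" ] || { echo "bad subuid line: $1" >&2; return 1; }
}

# chunk_start INDEX: first host id of the INDEX-th (0-based) container chunk.
# Chunks are laid end to end, so consecutive indexes never overlap.
chunk_start() {
    echo $(( SUB_START + $1 * CHUNK ))
}

# idmap_for_container INDEX: print the two lxc.idmap lines for one container,
# failing if its chunk would run past the end of root's allocation (ids outside
# the allocation cannot be mapped and would make lxc-start fail).
idmap_for_container() {
    start=$(chunk_start "$1")
    if [ $(( start + CHUNK )) -gt $(( SUB_START + SUB_COUNT )) ]; then
        echo "container $1: chunk at $start exceeds root's allocation" >&2
        return 1
    fi
    printf 'lxc.idmap = u 0 %d %d\n' "$start" "$CHUNK"
    printf 'lxc.idmap = g 0 %d %d\n' "$start" "$CHUNK"
}

# Demo: parse the sample line and emit the idmap lines for three containers,
# one block per /var/lib/lxc/<name>/config.
parse_subuid_line "$SAMPLE_SUBUID_LINE"
for i in 0 1 2; do
    echo "# container $i"
    idmap_for_container "$i"
done
```

Each emitted pair of lines goes into one container's config; the uid and gid chunks share the same numeric range, which matches how subuid and subgid are usually allocated together.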

But both solutions you propose look imperfect. Why not add such functionality to lxc-start?