Hi @stgraber, I am new to LXD and I am trying to understand the implications and capabilities of using subuid/subgid ranges. I understand that, as Adrian mentions, UID 1000 inside the container will be mapped to UID 101000 on the host. Let’s say that the content of the subuid and subgid files on the host defines this entry:
Then UID 0 in the container will be mapped to user 100000 on the host, and UID 1000 will be mapped to 101000 on the host, so any process or file created inside the container will be shown as owned by that UID on the host. Then, does the “alice” user have any “ownership” or “capabilities” over those files and processes, since the files/processes were created by a subordinate ID that belongs to the “alice” user? Or why is the “100000:65536” range defined? What is it used for in relation to the “alice” user?
I have read the https://ubuntu.com/blog/custom-user-mappings-in-lxd-containers page, but I still don’t understand the implications of subuid/subgid in Linux. I don’t understand why you need to add the same entries for both the root and lxd user and group. Is there any reason why they both should be defined and have the same value?
Also, if you have some good documentation references about what subuid/subgid does, please share them with me.
Appreciate your help, thanks!
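As an added illustration of the mapping the question describes (this is example code written for this page, not code from the post, from LXD, or from the linked blog), the script below parses `/etc/subuid`-style `name:start:count` lines and applies the offset rule: container ID `n` maps to host ID `start + n`, and a host ID is traced back to every owner whose delegated range covers it. The sample entries are constructed for the example; the function names (`parse_subid`, `container_to_host`, `host_to_container`, `owners_of_host_id`) are my own.

```python
# Added example: subordinate-ID ranges as an offset map between container and host IDs.
# Sample entries are constructed for this example; they are not taken from any real host.
from dataclasses import dataclass
from typing import List

SAMPLE_SUBUID = """\
# constructed sample in the shape of /etc/subuid (name:start:count)
root:100000:65536
lxd:100000:65536
alice:165536:65536
"""


@dataclass(frozen=True)
class SubIdRange:
    owner: str   # user (or group) the range is delegated to
    start: int   # first host ID in the range
    count: int   # number of consecutive host IDs

    @property
    def end(self) -> int:
        # Exclusive upper bound of the host IDs in this range.
        return self.start + self.count

    def contains(self, host_id: int) -> bool:
        return self.start <= host_id < self.end


def parse_subid(text: str) -> List[SubIdRange]:
    """Parse name:start:count lines; blank lines and '#' comments are skipped."""
    ranges = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        owner, start, count = line.split(":")
        ranges.append(SubIdRange(owner, int(start), int(count)))
    return ranges


def container_to_host(container_id: int, rng: SubIdRange) -> int:
    """Container ID 0 becomes rng.start, 1 becomes rng.start + 1, and so on."""
    if not 0 <= container_id < rng.count:
        # IDs beyond the delegated count have no host identity under this map.
        raise ValueError(f"container id {container_id} is outside a {rng.count}-id map")
    return rng.start + container_id


def host_to_container(host_id: int, rng: SubIdRange) -> int:
    """Inverse of container_to_host for a host ID inside rng."""
    if not rng.contains(host_id):
        raise ValueError(f"host id {host_id} is not inside {rng.start}-{rng.end - 1}")
    return host_id - rng.start


def owners_of_host_id(host_id: int, ranges: List[SubIdRange]) -> List[str]:
    """Every owner whose delegated range covers host_id (ranges may overlap)."""
    return [r.owner for r in ranges if r.contains(host_id)]


if __name__ == "__main__":
    ranges = parse_subid(SAMPLE_SUBUID)
    root_range = ranges[0]
    for cid in (0, 1000):
        hid = container_to_host(cid, root_range)
        print(f"container uid {cid:5d} -> host uid {hid} (delegated to {owners_of_host_id(hid, ranges)})")
    print(f"host uid 1000 belongs to delegated ranges: {owners_of_host_id(1000, ranges)}")
```

Running the script shows that host UID 101000 falls inside both the `root` and the `lxd` entries, because those two constructed lines delegate the same range, while an ordinary host UID such as 1000 falls in no subordinate range at all.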