Mounted folder is nobody/unreadable (ArchLinux, unprivileged)

LXD 3.7, ArchLinux(host+container), unprivileged, dir driver

When i mount a folder into the container its empty and not accessible. The source folder has 1000:1000, mounted folder in rootfs is 100000 (should be rather 101000 i guess) and inside container its nobody(65534). Its not readable by root/guest (100000) -> Permission denied. Any idea what’s wrong here?

$ cat /etc/subuid
$ cat /etc/subgid

$ lxc config device add arch test disk source=/home/user/Downloads path=/home/arch/test


$ lxc config show arch
architecture: x86_64
  image.architecture: amd64
  image.description: Archlinux current amd64 (20181211_01:27)
  image.os: Archlinux
  image.release: current
  image.serial: "20181211_01:27"
  volatile.base_image: 6b2b5b684ed150667b724c09f9530b7a11eaff879c0ba00a3eb8f22e9b5eabd8
  volatile.eth0.hwaddr: 00:16:3e:xx:xx:xx eth0
  volatile.idmap.base: "0" '[{"Isuid":true,"Isgid":false,"Hostid":100000,"Nsid":0,"Maprange":65536},{"Isuid":false,"Isgid":true,"Hostid":100000,"Nsid":0,"Maprange":65536}]'
  volatile.last_state.idmap: '[{"Isuid":true,"Isgid":false,"Hostid":100000,"Nsid":0,"Maprange":65536},{"Isuid":false,"Isgid":true,"Hostid":100000,"Nsid":0,"Maprange":65536}]'
  volatile.last_state.power: STOPPED
    nictype: bridged
    parent: lxdbr0
    type: nic
    path: /home/arch/test
    source: /home/user/Downloads
    type: disk
ephemeral: false
- default
stateful: false
description: ""

That’s the expected behavior here.

You can either do uid hole punching to make uid/gid 1000 be the same inside and outside of the container by setting raw.idmap (note that you’ll also need additional entries in your subuid/subgid config) or you may be able to get away with posix ACLs by effectively allowing access to the directory on the host to the 101000 uid/gid (1000 in the container).

How is this uid hole punching meant to be done? Do i have to split the uid range or something? I have changed shadow files to this:


I tried several raw.idmap combinations but none of them get accepted (not allowed or in host range):

raw.idmap: both 1000 1000
raw.idmap: both 101000 1000
raw.idmap: both 1000 101000
raw.idmap: both 1000 201000
raw.idmap: both 201000 1000
lxc arch 20181213192057.937 ERROR    conf - conf.c:lxc_map_ids:2999 - newuidmap failed to write mapping "newuidmap: uid range [1000-1001) -> [201000-201001) not allowed": newuidmap 2291 0 100000 1000 1000 201000 1 1001 101001 64535

I’m wondering why this is needed at all. LXD is aware of the host<>container UID shift range already (by shadow entries). It already did initialize/shift the rootfs all by itself properly at container creation.

The only entries that matter in subuid/subgid for LXD are the root ones.

You should have something like:


Which will allow the root user to use the uid 1000 from the host for the containers.

If you put that in both the subuid and subgid files, then both 1000 1000 should work.

Wonderful, works. Thanks! :slight_smile: