UID mapping changes ownership of all user-owned files within the container

LXC
1

I’m using proxmox, and like many, I’d have some bind mounts I’d like to share between a number of LXC containers. Also like many, I stumbled upon the problem of conflicting UIDs. I’m trying to set up mapping, but however much I read, I seem to have some major misunderstanding. Whenever I add mapping, any folder owned by the mapped user (eg home directory) will get suddenly owned by 65534/“nobody”. How is this possible? I thought maps only have an effect on the host/outside the container? (as in files in bind mounts)

I’m trying to use mapping like this (generated by a python util)

lxc.idmap: u 0 100000 999
lxc.idmap: g 0 100000 999
lxc.idmap: u 999 999 1
lxc.idmap: g 999 999 1
lxc.idmap: u 1000 101000 4000
lxc.idmap: g 1000 101000 4000
lxc.idmap: u 5000 5000 1
lxc.idmap: g 5000 5000 1
lxc.idmap: u 5001 105001 60536
lxc.idmap: g 5001 105001 60536

And alternatively this, as seen in many wikis

lxc.idmap = u 0 100000 999
lxc.idmap = g 0 100000 999
lxc.idmap = u 999 5000 1
lxc.idmap = g 999 5000 1
lxc.idmap = u 5000 101000 64536
lxc.idmap = g 5000 101000 64536

Both with the same effect.

On the host /etc/sub{u,g}id:

root:100000:65536
root:999:1
root:5000:1

As an alternative, would it be feasible/recommended to set an ACL in each container, and set the masks of mounted folders in each to rw-rw-rw? This way the different id-s would be irrelevant.

2

Just a sidenote, I circumvented this issue, without UID mapping.

As stated in OP, I just wanted to share Bind mounts between containers, without the possibility that files are unavailable or read only to some containers. This doesn’t necessitate specific users, just preset rights. So I added 777 ACL-s to the root folders on the Host - it’s not a problem security wise, as containers only get the bind mounts they should have full access to.

For anyone with the same problem, think about if you are truly needing a specific user to own the files - if not, ACL is a good, and much simpler solution. I still wish I knew what the issue was with the UID mapping… it might still be possible that a future application I add might need specific file owners. I’d still wish to know what’s wrong with the above config… I hope I don’t have to do it the hard way.