Where is the default idmap being set in the snap?

In the pre-snap days I had LXD installed and it was using /etc/subuid for the default idmap. Since I upgraded to Ubuntu 20.04, and am thus using LXD from the snap, it does not use that anymore.

It now maps to something like lxc.idmap = u 0 1000000 65535, I think.

How can I query the current default setting?

To give some more background, …

# grep -E 'root|lxd' /etc/sub?id

A newly created container has these mappings

# lxc config show test02|grep idmap
  volatile.idmap.base: "0"
  volatile.idmap.current: '[{"Isuid":true,"Isgid":false,"Hostid":1000000,"Nsid":0,"Maprange":1000000000},{"Isuid":false,"Isgid":true,"Hostid":1000000,"Nsid":0,"Maprange":1000000000}]'
  volatile.idmap.next: '[{"Isuid":true,"Isgid":false,"Hostid":1000000,"Nsid":0,"Maprange":1000000000},{"Isuid":false,"Isgid":true,"Hostid":1000000,"Nsid":0,"Maprange":1000000000}]'
  volatile.last_state.idmap: '[{"Isuid":true,"Isgid":false,"Hostid":1000000,"Nsid":0,"Maprange":1000000000},{"Isuid":false,"Isgid":true,"Hostid":1000000,"Nsid":0,"Maprange":1000000000}]'

In other words, the files from /etc were ignored.

In another topic[1] @stgraber said “snap doesn’t actually use /etc/subuid and /etc/subgid”. But nowhere in the documentation is that made clear.

Looking at the source code (idmapset_linux.go) I would swear it does read these /etc files. But it seems snap is doing weird stuff to Linux programs.

[1] Snap lxd: how to restart lxd without restarting containers?

That’s because there’s no special logic for that in LXD.
It’s simply that the view of /etc from within a snap does not include subuid and subgid, so the snap therefore uses the fallback hardcoded range.

It would be better to make a note somewhere, because right now all available documentation and discussions describe the use of /etc/subuid. Nowhere is there a mention that this is not valid for snap (which is now the default for Ubuntu).

What I also couldn’t find is the proper command to modify the idmap. What I ended up doing was something like this:

# lxc config set csrv28 volatile.idmap.next '[{"Isuid":true,"Isgid":false,"Hostid":624288,"Nsid":0,"Maprange":1000000000},{"Isuid":false,"Isgid":true,"Hostid":624288,"Nsid":0,"Maprange":1000000000}]'

For future readers:

sudo mkdir -p /var/snap/lxd/common/etc
echo "root:$(id -u):1" | sudo tee -a /var/snap/lxd/common/etc/subuid /var/snap/lxd/common/etc/subgid

Or whatever it is you want LXD to see.

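An added example (not from the thread or the LXD code base): a Python helper that decodes the volatile.idmap.* JSON shown earlier into lxc.idmap-style lines, translates a container id to its host id, and reports map entries that fall outside the ranges listed in a subuid/subgid-format file. The sample subuid content and the uid 1000 in it are constructed, and the coverage check is a sanity check written for this example, not LXD's own allocation logic.

```python
import json

# Constructed sample: the volatile.idmap.current value shown in the thread.
SAMPLE_IDMAP = ('[{"Isuid":true,"Isgid":false,"Hostid":1000000,"Nsid":0,"Maprange":1000000000},'
                '{"Isuid":false,"Isgid":true,"Hostid":1000000,"Nsid":0,"Maprange":1000000000}]')
# Constructed sample subuid content (assumes the invoking user has uid 1000).
SAMPLE_SUBUID = "root:1000:1\nroot:1000000:1000000000\n"


def parse_idmap(value):
    """Turn the JSON into (kind, nsid, hostid, range) tuples, kind 'u' or 'g'."""
    out = []
    for e in json.loads(value):
        for kind, flag in (("u", "Isuid"), ("g", "Isgid")):
            if e.get(flag):
                out.append((kind, e["Nsid"], e["Hostid"], e["Maprange"]))
    return out


def as_lxc_lines(entries):
    """Render entries in the 'lxc.idmap = <kind> <nsid> <hostid> <range>' form."""
    return [f"lxc.idmap = {k} {ns} {host} {rng}" for k, ns, host, rng in entries]


def to_host(entries, kind, nsid):
    """Host id backing a container id, or None if that id is unmapped."""
    for k, ns, host, rng in entries:
        if k == kind and ns <= nsid < ns + rng:
            return host + (nsid - ns)
    return None


def parse_subid(text, user="root"):
    """Parse 'name:start:count' lines of a subuid/subgid file for one user."""
    ranges = []
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) == 3 and parts[0] == user and parts[1].isdigit() and parts[2].isdigit():
            ranges.append((int(parts[1]), int(parts[2])))
    return ranges


def uncovered(entries, ranges, kind):
    """Entries of one kind whose host range is not inside any single listed range."""
    return [e for e in entries if e[0] == kind and not any(
        s <= e[2] and e[2] + e[3] <= s + c for s, c in ranges)]
```

Feed `parse_idmap` the value printed by `lxc config show <container>` and `parse_subid` the contents of whichever subuid file LXD actually sees (for the snap, the one under /var/snap/lxd/common/etc as described above).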

Does this work for other /etc configuration which, due to snap, is out of reach?
Would this for example work?