Where to find documentation for configuration items such as raw.idmap

I was reading through https://stgraber.org/2017/06/15/custom-user-mappings-in-lxd-containers/ and started wondering what the

lxc config set test raw.idmap

command did. So I browsed over to https://linuxcontainers.org/lxd/docs/master/containers to read the documentation about raw.idmap. This is what I found:

raw.idmap blob - no id_map

Is there more documentation someplace?

As long as I’ve gotten you to (re)look at https://stgraber.org/2017/06/15/custom-user-mappings-in-lxd-containers/, I thought I would ask another question. Doesn’t the command that reads

$ printf "lxd:$(id -u):1\nroot:$(id -u):1\n" | sudo tee -a /etc/subuid

append to the subuid file? Won’t that end up with an /etc/subuid file that looks vaguely like:

wpd:100000:65536
lxd:165536:65536
root:165536:65536
lxd:1000:1
root:1000:1

Will the fact that lxd and root show up multiple times in /etc/subuid cause any problems or confusion?

Thank you.

–wpd

raw.lxc directly maps to whatever is considered valid configuration for your particular version of liblxc. You can find the current manpage for that at https://linuxcontainers.org/lxc/manpages//man5/lxc.container.conf.5.html

It’s perfectly fine for a user to have multiple id map entries in /etc/subuid and /etc/subgid; there is in fact no other way to indicate the ability to use a single uid/gid outside of the main range.

Thank you for the quick reply. Has raw.idmap been replaced by lxc.idmap then? How would I say something like “Map all UIDs to UID 1000”? The following doesn’t seem right:

lxc.idmap = u 0 1000 1

That seems like it would only map 1 UID (0) in the container to UID 1000 on my host.

Thanks again for your help.

–wpd

I found documentation for raw.idmap here. How does raw.idmap differ from lxc.idmap?

And back to the question about /etc/subuid, by adding the

lxd:1000:1

line, does that effectively allow the lxd user to impersonate me anywhere on the system?

–wpd

LXD runs as root, so the entry which matters is actually root:1000:1.
And since LXD is running as root, it can already impersonate whoever it wants :)

ok, that makes sense.

How about my other question… how does raw.idmap differ from lxc.idmap?

–wpd

raw.idmap is used by LXD to generate lxc.idmap; it’s a much more user-friendly format which is also integrated with LXD’s own idmap. The format for raw.idmap is covered in the id mapping part of our documentation.
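As an added illustration (not code from this thread, from LXD or from the blog post): a small Python script that does what the last reply describes, turning raw.idmap entries into the lxc.idmap lines liblxc would see, and then checking that the host-side ids of each entry are covered by root’s lines in /etc/subuid and /etc/subgid (root’s, because, as noted above, LXD runs as root). The entry shape it parses (uid/gid/both, optional dash ranges) follows my reading of the LXD id-mapping documentation and is an assumption; the sample files are constructed from the listing earlier in the thread, with the root:1000:1 line deliberately left out of the subgid sample so the check has something to flag.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of the /etc/subuid shown in this thread (not a real system file).
SAMPLE_SUBUID = """\
wpd:100000:65536
lxd:165536:65536
root:165536:65536
lxd:1000:1
root:1000:1
"""

# Constructed /etc/subgid where root:1000:1 was *not* appended, so the
# gid half of "both 1000 1000" should be flagged by check_entries().
SAMPLE_SUBGID = """\
wpd:100000:65536
lxd:165536:65536
root:165536:65536
"""

# Assumed raw.idmap entry shape, after the LXD id-mapping docs:
#   <uid|gid|both> <host_id>[-<host_end>] <container_id>[-<container_end>]
_ENTRY_RE = re.compile(r"^(uid|gid|both)\s+(\d+)(?:-(\d+))?\s+(\d+)(?:-(\d+))?$")

Entry = Tuple[str, int, int, int]  # (u|g, container_start, host_start, count)


def parse_raw_idmap(text: str) -> List[Entry]:
    """Turn raw.idmap text into (kind, container_start, host_start, count) tuples."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _ENTRY_RE.match(line)
        if m is None:
            raise ValueError(f"malformed raw.idmap entry: {line!r}")
        kind, h_start, h_end, c_start, c_end = m.groups()
        h0, c0 = int(h_start), int(c_start)
        h1 = int(h_end) if h_end else h0
        c1 = int(c_end) if c_end else c0
        if h1 < h0 or c1 < c0 or (h1 - h0) != (c1 - c0):
            raise ValueError(f"host and container ranges must match in size: {line!r}")
        # "both" expands to one uid entry and one gid entry, as LXD does.
        kinds = ("u", "g") if kind == "both" else (kind[0],)
        for k in kinds:
            entries.append((k, c0, h0, h1 - h0 + 1))
    return entries


def to_lxc_idmap(entries: List[Entry]) -> List[str]:
    """Render entries in the liblxc form: lxc.idmap = <u|g> <container_start> <host_start> <count>."""
    return [f"lxc.idmap = {k} {c} {h} {n}" for k, c, h, n in entries]


def parse_subid(text: str) -> Dict[str, List[Tuple[int, int]]]:
    """Parse /etc/subuid or /etc/subgid lines (user:start:count).

    A user may appear on several lines, as in the thread; each line simply
    adds another allowed range for that user.
    """
    ranges: Dict[str, List[Tuple[int, int]]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        user, start, count = line.split(":")
        ranges.setdefault(user, []).append((int(start), int(count)))
    return ranges


def host_range_allowed(user_ranges: List[Tuple[int, int]], start: int, count: int) -> bool:
    """True if [start, start+count) sits inside one of the user's allocated ranges."""
    end = start + count
    return any(s <= start and end <= s + c for s, c in user_ranges)


def check_entries(entries: List[Entry],
                  subuid: Dict[str, List[Tuple[int, int]]],
                  subgid: Dict[str, List[Tuple[int, int]]],
                  user: str = "root") -> List[Entry]:
    """Return the entries whose host ids are not allocated to `user` (root by default)."""
    problems: List[Entry] = []
    for entry in entries:
        k, _c, h, n = entry
        table = subuid if k == "u" else subgid
        if not host_range_allowed(table.get(user, []), h, n):
            problems.append(entry)
    return problems


if __name__ == "__main__":
    entries = parse_raw_idmap("both 1000 1000")
    for line in to_lxc_idmap(entries):
        print(line)
    bad = check_entries(entries, parse_subid(SAMPLE_SUBUID), parse_subid(SAMPLE_SUBGID))
    for k, c, h, n in bad:
        print(f"not allowed for root: {k} host {h}..{h + n - 1} -> container {c}..{c + n - 1}")
```

Running it prints the two generated lines (`lxc.idmap = u 1000 1000 1` and `lxc.idmap = g 1000 1000 1`) and then flags the gid entry, since the constructed subgid sample has no root line covering gid 1000. The coverage check is deliberately conservative: a mapping has to fit inside a single subuid/subgid line rather than being stitched together from two adjacent ones.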