Where to find documentation for configuration items such as raw.idmap

I was reading through https://stgraber.org/2017/06/15/custom-user-mappings-in-lxd-containers/ and started wondering what the

lxc config set test raw.idmap

command did. So I browsed over to https://linuxcontainers.org/lxd/docs/master/containers to read the documentation about raw.idmap. This is what I found:

raw.idmap blob - no id_map

Is there more documentation someplace?

As long as I’ve gotten you to (re)look at https://stgraber.org/2017/06/15/custom-user-mappings-in-lxd-containers/, I thought I would ask another question. Doesn’t the command that reads

$ printf "lxd:$(id -u):1\nroot:$(id -u):1\n" | sudo tee -a /etc/subuid

append to the subuid file? Won’t that end up with an /etc/subuid file that looks vaguely like:


Will the fact that lxd and root show up multiple times in /etc/subuid cause any problems or confusion?

Thank you.


raw.lxc directly maps to whatever is considered valid configuration for your particular version of liblxc. You can find the current manpage for that at https://linuxcontainers.org/lxc/manpages//man5/lxc.container.conf.5.html

It’s perfectly fine for a user to have multiple id map entries in /etc/subuid and /etc/subgid, there are in fact no other ways to indicate the ability to use a single uid/gid outside of the main range.

Thank you for the quick reply. Has raw.idmap been replaced by lxc.idmap then? How would I say something like “Map all UID’s to UID 1000”? The following doesn’t seem right:

lxc.idmap = u 0 1000 1

That seems like it would only map 1 UID (0) in the container to UID 1000 on my host.

Thanks again for your help.


I found documentation for raw.idmap here. How does raw.idmap differ from lxc.idmap?

And back to the question about /etc/subuid, by adding the


line, does that effectively allow the lxd user to impersonate me anywhere on the system?


LXD runs as root, so the entry which matters is actually root:1000:1.
And since LXD is running as root, it can already impersonate whoever it wants :slight_smile:

ok, that makes sense.

How about my other question… how does raw.idmap differn from lxc.idmap?


raw.idmap is use by LXD to generate lxc.idmap, it’s a much more user friendly format which is also integrated with LXD’s own idmap. The format for raw.idmap is covered in the id mapping part of our documentation.