proxmox: uid mapping file

 1. good ref ,ref2

Hi,

As it looks like you have an unprivileged container.
This means that the UID/GID is mapped.
So root with UID 0 in the container is UID 100000 on the host.
Every UID/GID in the container is +100000 on the host.

You can set the permission on the host that it matches to the bind-mount or you can remap the UID/GID.
For the remapping see [1]
Or just run the container in privileged mode then the mapping is the same.

I would not install docker direct on the host because this can have dependency problems.
It's not included in our tests, so you're alone with such a setup.

1.) https://pve.proxmox.com/wiki/Unprivileged_LXC_containers

2. Good office ref

# uid map: from uid 0 map 1005 uids (in the ct) to the range starting 100000 (on the host), so 0..1004 (ct) → 100000..101004 (host) lxc.idmap = u 0 100000 1005 lxc.idmap = g 0 100000 1005 # we map 1 uid starting from uid 1005 onto 1005, so 1005 → 1005 lxc.idmap = u 1005 1005 1 lxc.idmap = g 1005 1005 1 # we map the rest of 65535 from 1006 upto 101006, so 1006..65535 → 101006..165535 lxc.idmap = u 1006 101006 64530 lxc.idmap = g 1006 101006 64530

3.   Good example ref 

4. LXC_REF

This configuration will map both user and group ids in the range 0-9999 in the container to the ids 100000-109999 on the host.

        lxc.idmap = u 0 100000 10000
        lxc.idmap = g 0 100000 10000

5.   oracle explain  ref

user:start_uid:uid_count

Add an entry for the dockremap user if you plan to configure default user namespace remapping. Alternately, add an entry for the unprivileged user that you are going to use for this purpose. For example:

dockremap:100000:65536

In the example above, dockremap represents the unpriveleged system user that is used for the remapping. 100000 represents the first UID in the range of available UIDs that processes within the container may run with. 65536 represents the maximum number of UIDs that may be used by a container. Based on this example entry, a process running as the root user within the container is launched so that on the host system it runs with the UID 100000. If a process within the container is run as a user with UID 500, on the host system it would run with the UID 100500.

6. subuid 

subuid - the subordinate uid file

Each line in /etc/subuid contains a user name and a range of subordinate user ids that user is allowed to use. This is specified with three fields delimited by colons (":"). These fields are:

7. pod man ref

/etc/subuid:johndoe:200000:1001
/etc/subgid:johndoe:200000:1001

8. An unprivileged LXC container ref

So even root can own unprivileged containers, since the effective UIDs of container processes on the host will end up inside the range defined by the mapping.
However, for root you have to define the subordinate IDs first. Unlike users created via adduser, root will not have a range of subordinate IDs defined by default.

9. good eample ref

he most common example and what most LXD users will end up with by default is a map of 65536 UIDs and GIDs, with a host base id of 100000. This means that root in the container (uid 0) will be mapped to the host uid 100000 and uid 65535 in the container will be mapped to uid 165535 on the host. UID/GID 65536 and higher in the container aren’t mapped and will return an error if you attempt to use them.

From a security point of view, that means that anything which is not owned by the users and groups mapped into the container will be inaccessible. Any such resource will show up as being owned by uid/gid “-1” (rendered as 65534 or nobody/nogroup in userspace). It also means that should there be a way to escape the container, even root in the container would find itself with just as much privileges on the host as a nobody user.

10. My Example

#  groupadd -g 100000 lxcremap

# useradd lxcremap -g 100000 -u 100000

# pct set 105 -mp0 /mnt/pve/sde_vipdata/data/system-mariadb-0019,mp=/data

# chown -R lxcremap:lxcremap /mnt/pve/sde_vipdata/data/system-mariadb-0019/

#vi 105.conf [map file]

lxc.idmap: u 0 100000 65534

lxc.idmap: g 0 100000 65534

lxc.idmap: u 65534 165534 1

lxc.idmap: g 65534 165534 1

# cat /etc/subuid [ allow uid]

root:1005:1

root:100000:65536

# cat /etc/subgid [allow gid]

root:1005:1

root:100000:65536