<div dir="ltr"><div>these <span class="" style="" id=":282.1" tabindex="-1">subuid</span> mappings are there for the case that someone compromises your container and gains root, should he break out of the container he would have access to all the files that are root owned on the host machine, when you use these mappings then the uses get uid + 100000 or whatever is set in the subuid map file and if they gain root they have uid 1 in container but uid 1000001 on the host that means it can't access any files. that is the whole purpose of this unprivileged container thing. <br></div>yes you have to create users with corresponding uid on diff containers to be able to access the files. <br><br>why do you have to export the same path to both containers? you can export one path for one container and other for the second one. but your setup will work for media/backup and for other things<br></div><div class="gmail_extra"><br><div class="gmail_quote">On Wed, Dec 21, 2016 at 3:41 PM, John Gubert <span dir="ltr"><<a href="mailto:john.gubert@web.de" target="_blank">john.gubert@web.de</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF">
<tt>Hi Pavol,</tt><tt><br>
</tt><tt>thanks for the link, I did some testing with the out of the
box setup (removed root:1000:1) of ubuntu, created two containers
and passed the same host directory through to both of them, then I
created the same users in the same order on both containers:</tt><tt><br>
</tt><tt>root(1000)</tt><tt><br>
</tt><tt>neuer(1001)</tt><tt><br>
</tt><tt>zweiter(1002)</tt><tt><br>
</tt><tt><br>
</tt><tt>this seems to work, when I create files inside this folder
on one container as neuer, I can only read them as neuer on the
other container and vice versa.</tt><tt><br>
</tt><tt>I would assume, that as soon as I create the users in a
different order, zweiter might become 1001 and neuer 1002 and
therefore files created by neuer in one container would be seen as
files created bei zweiter in the other, right? On the host, all
files are seens as 101001 or 101001 anyway.</tt><tt><br>
</tt><tt>I would go ahead and use this setup for my homeserver to
store media/backups and run a fileserver in one container and
other tasks in another, is this setup stable enough if I set it up
as described above?</tt><tt><br>
<br>
this is my lxc config, is there anything I should change?<br>
<br>
disktest:<br>
path: /testdisk<br>
source: /home/me/testdisk<br>
type: disk<br>
<br>
kind regards,<br>
John<br>
<br>
</tt><div><div class="h5">
<div class="m_-4685373629848268046moz-cite-prefix">Am 21.12.2016 um 15:04 schrieb Pavol
Cupka:<br>
</div>
<blockquote type="cite">
<div dir="ltr">
<div>some of your questions are answered here<br>
<a href="https://wiki.gentoo.org/wiki/LXD#Configure_subuid.2Fsubgid" target="_blank">https://wiki.gentoo.org/wiki/<wbr>LXD#Configure_subuid.2Fsubgid</a><br>
<br>
</div>
answering to the list is fine<br>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Wed, Dec 21, 2016 at 1:34 PM, John
Gubert <span dir="ltr"><<a href="mailto:john.gubert@web.de" target="_blank">john.gubert@web.de</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hi Tycho,<br>
<br>
thank you for your fast response.<br>
<br>
My id on the host is indeed 1000. I read your blog article
and then had<br>
a look at /etc/subuid:<br>
<br>
before:<br>
"me@host:~$ cat /etc/subuid<br>
lxd:100000:65536<br>
root:100000:65536<br>
me:165536:65536"<br>
<br>
after:<br>
"me@host:~$ cat /etc/subuid<br>
lxd:100000:65536<br>
root:100000:65536<br>
me:165536:65536<br>
root:1000:1"<br>
<br>
root seems to be already set up, maybe this is due to lxd
being<br>
installed on ubuntu 16.04? It would be really helpful if you
could<br>
explain to me what the mapping defined in this file really
does. Does it<br>
make a difference if I add your line, or use the one already
there? How<br>
does this file use the numbers (100000 and 65536)? Does
1000:1 tell<br>
ubuntu to map the id 1 to 1, if so, what does 100000:65536
mean? Add<br>
65536 to the 100000? If there is a user called "me" in the
conatainer,<br>
does a line "me:1000:1" work as well?<br>
<br>
I appreciate any help.<br>
<br>
with kind regards,<br>
John<br>
<br>
P.S.:<br>
I answered to the mailing list, is this the right way to do
it, or<br>
should I answer to you directly?
<div class="m_-4685373629848268046HOEnZb">
<div class="m_-4685373629848268046h5"><br>
<br>
<br>
Am 20.12.2016 um 22:52 schrieb Tycho Andersen:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Hi John,<br>
<br>
On Tue, Dec 20, 2016 at 10:39:07PM +0100, <a href="mailto:john.gubert@web.de" target="_blank"></a><a class="m_-4685373629848268046moz-txt-link-abbreviated" href="mailto:john.gubert@web.de" target="_blank">john.gubert@web.de</a>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Hello,<br>
I have a directory on my host system and
want to create several containers<br>
with the same users inside. I would like to pass
the directory through to<br>
each container and allow the users to write and
read on it. The network<br>
connection should be done using macvlan.<br>
The howtos I have read so far show how to set up
lxd, which works very<br>
well on my 16.04 host. Starting a container
works out of the box as<br>
unpriviliged user as well.<br>
My questions:<br>
Is it even possible to share one directory on
the host with several<br>
container?<br>
All the howtos I could find mention some
commands, that need to be<br>
applied, but they do not tell me about the
commands I need to type in to<br>
make it work:<br>
<br>
"That means you can create a container with the
following configuration:<br>
<br>
lxc.id_map = u 0 100000 65536<br>
<br>
lxc.id_map = g 0 100000 65536"<br>
<br>
There is a big list of possible options on
github, but where does it tell<br>
how to apply them?<br>
Does someone know a detailed howto, that
describes a similiar setup like<br>
mine?<br>
</blockquote>
<a href="http://tycho.ws/blog/2016/12/uidmap.html" rel="noreferrer" target="_blank">http://tycho.ws/blog/2016/12/u<wbr>idmap.html</a>
is a blog post I wrote a<br>
while ago talking about how to set this up with your
home directory.<br>
You can mimic the settings for whatever user map you
want, though.<br>
<br>
Cheers,<br>
<br>
Tycho<br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Every time I read something, I feel like missing
something important,<br>
because I could not find a coherent compendium
of possible options on how<br>
to do something.<br>
kind regards,<br>
John<br>
______________________________<wbr>_________________<br>
lxc-users mailing list<br>
<a href="mailto:lxc-users@lists.linuxcontainers.org" target="_blank">lxc-users@lists.linuxcontainer<wbr>s.org</a><br>
<a href="http://lists.linuxcontainers.org/listinfo/lxc-users" rel="noreferrer" target="_blank">http://lists.linuxcontainers.o<wbr>rg/listinfo/lxc-users</a><br>
</blockquote>
<br>
</blockquote>
<br>
______________________________<wbr>_________________<br>
lxc-users mailing list<br>
<a href="mailto:lxc-users@lists.linuxcontainers.org" target="_blank">lxc-users@lists.linuxcontainer<wbr>s.org</a><br>
<a href="http://lists.linuxcontainers.org/listinfo/lxc-users" rel="noreferrer" target="_blank">http://lists.linuxcontainers.o<wbr>rg/listinfo/lxc-users</a></div>
</div>
</blockquote>
</div>
<br>
</div>
<br>
<fieldset class="m_-4685373629848268046mimeAttachmentHeader"></fieldset>
<br>
<pre>______________________________<wbr>_________________
lxc-users mailing list
<a class="m_-4685373629848268046moz-txt-link-abbreviated" href="mailto:lxc-users@lists.linuxcontainers.org" target="_blank">lxc-users@lists.<wbr>linuxcontainers.org</a>
<a class="m_-4685373629848268046moz-txt-link-freetext" href="http://lists.linuxcontainers.org/listinfo/lxc-users" target="_blank">http://lists.linuxcontainers.<wbr>org/listinfo/lxc-users</a></pre>
</blockquote>
<br>
</div></div></div>
<br>______________________________<wbr>_________________<br>
lxc-users mailing list<br>
<a href="mailto:lxc-users@lists.linuxcontainers.org">lxc-users@lists.<wbr>linuxcontainers.org</a><br>
<a href="http://lists.linuxcontainers.org/listinfo/lxc-users" rel="noreferrer" target="_blank">http://lists.linuxcontainers.<wbr>org/listinfo/lxc-users</a><br></blockquote></div><br></div>