[lxc-users] move unprivileged containers - uid/gid map

Benoit GEORGELIN - Association Web4all benoit.georgelin at web4all.fr
Sun Jul 10 00:20:37 UTC 2016 

Hi, 

I'm looking to move unprivileged containers from one host to another. 
I'm actually moving pure LXC containers to a new LXD/LXC host 

I would like to know how should I deal with the uid/gid inside the container. 
The root uid/gid is différent on the new host. But I can simply remplace the old UID/GUID by the new one with a find request but how should I do with the other users id used inside the container ? 

I did not understand where the uid/gid map is done 

Inside the container 
root at w4a:~# id ubuntu 
uid=1000(ubuntu) gid=1000(ubuntu) 

Folder : 
drwxr-xr-x 2 ubuntu ubuntu 6 Jul 8 23:17 ubuntu 

Outside the container 
drwxr-xr-x 2 166536 166536 6 Jul 8 23:17 ubuntu 

How the system know about uid/gid 1000 inside container = uid/gid 166536 outside the container 
It look like root uid = 165536 outside the container and it is defined by lxc configuration 
id 1000 inside the container will be root uid + user id , so 165536 + 1000 = 166536 

But what is two container have a user uid 100 ? they will both avec the same uid outside the container ? 

About migrate the container from, how should I manage it ? 
Should I re-do the mapping myself ? Like looking into /etc/passwd inside the container then use the root uid + the id found for that user in /etc/passwd and replace the old uid/gid by the new one ? Maybe there is faster/better solution ? 

I was looking to add an uid/gid mapping to match the container configuration as it was before, but it does not look to work 

I have this as an example in a config file dedicated for the container on the LXC pure host. 
# Container specific configuration 
lxc.id_map = u 0 951968 65536 
lxc.id_map = g 0 951968 65536 

Here is what I did to the new host : 
cat /etc/subuid 
gxd:100000:65536 
root:165536:65536 
root:951968:65536 

I also tried to set lxc.raw 

cat << EOF |lxc config set test-ct raw.lxc - 
lxc.id_map = u 0 951968 65536 
lxc.id_map = g 0 951968 65536 
EOF 

But in that case, container does't start. 

Thanks for you help :) 


Cordialement, 

Benoît 
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.linuxcontainers.org/pipermail/lxc-users/attachments/20160710/3f6452de/attachment.html>

More information about the lxc-users mailing list