[lxc-users] subuids and subgid range with multiple LXC containers

Serge E. Hallyn serge at hallyn.com
Tue Mar 28 21:20:07 UTC 2017


Quoting BIGOT Adrien (adrien.bigot at smile.fr):
> Hello,
> 
> Actually hosting many containers (2000+) with OpenVZ technology, we
> want to move to LXC/LXD.
> The goal is to host up to 20 unprivileged containers per
> hypervisor. I'd like to know if there is some best practice
> regarding subuid and subgid in particular if we must have one range
> of subuid/subgid per container or not.
> 
> For example, if I have 3 containers can I configure them with the
> same lines:
> lxc.id_map = u 0 100000 65536
> lxc.id_map = g 0 100000 65536
> 
> or
> 
> lxc.id_map = u 0 100000 65536
> lxc.id_map = g 0 100000 65536
> 
> lxc.id_map = u 0 200000 65536
> lxc.id_map = g 0 200000 65536
> 
> lxc.id_map = u 0 300000 65536
> lxc.id_map = g 0 300000 65536
> 
> I didn't find any documentation about this, just a few config
> examples on the web.
> 
> Thanks in advance for your help!

It's been discussed a few times, but I can't be bothered to find
links :)  General guidance is if the containers are working together
you can have them share uid ranges.  If they belong to different
groups, or if you want to prevent all chances of one container
subverting another, then give them different ranges.
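
An added example illustrating the guidance in this reply (not code from the thread or from the LXC project): a Python script that reads the `lxc.id_map` lines of several container configs and reports which containers share host uid/gid ranges. The container names, the `make_config` helper and the sample configs are constructed for illustration.

```python
import re
from itertools import combinations

# Syntax as quoted in the thread: lxc.id_map = <u|g> <container start> <host start> <count>
ID_MAP_RE = re.compile(r"^\s*lxc\.id_map\s*=\s*([ug])\s+(\d+)\s+(\d+)\s+(\d+)\s*$")

def host_ranges(config_text):
    """Return [(kind, host_start, host_end_exclusive)] for every id_map line."""
    ranges = []
    for line in config_text.splitlines():
        m = ID_MAP_RE.match(line)
        if m:
            host_start, count = int(m.group(3)), int(m.group(4))
            ranges.append((m.group(1), host_start, host_start + count))
    return ranges

def find_overlaps(configs):
    """configs maps container name -> config text. Returns a list of
    (name_a, name_b, kind, first_shared_id, end_exclusive) for shared host ids."""
    overlaps = []
    for (a, text_a), (b, text_b) in combinations(sorted(configs.items()), 2):
        for kind_a, lo_a, hi_a in host_ranges(text_a):
            for kind_b, lo_b, hi_b in host_ranges(text_b):
                lo, hi = max(lo_a, lo_b), min(hi_a, hi_b)
                if kind_a == kind_b and lo < hi:
                    overlaps.append((a, b, kind_a, lo, hi))
    return overlaps

def make_config(host_start, count=65536):
    """Hypothetical helper: build a two-line config in the thread's format."""
    return f"lxc.id_map = u 0 {host_start} {count}\nlxc.id_map = g 0 {host_start} {count}\n"

# Constructed sample: web1/web2 share a range on purpose, db1 is isolated,
# batch1 was started at 165000 instead of 165536 and clips the web range.
SAMPLE_CONFIGS = {
    "web1": make_config(100000),
    "web2": make_config(100000),
    "db1": make_config(300000),
    "batch1": make_config(165000),
}

if __name__ == "__main__":
    for a, b, kind, lo, hi in find_overlaps(SAMPLE_CONFIGS):
        print(f"{a} and {b} share host {kind}ids {lo}-{hi - 1}")
```

Any reported pair that is not meant to cooperate should be moved to its own range, since a shared host id means the host sees the two containers' processes and files as the same owner.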


