[lxc-users] move unprivileged containers - uid/gid map

Sat, 09 Jul 2016 17:21:06 -0700 

Hi, 

I'm looking to move unprivileged containers from one host to another. 
I'm actually moving pure LXC containers to a new LXD/LXC host 

I would like to know how should I deal with the uid/gid inside the container. 
The root uid/gid is différent on the new host. But I can simply remplace the 
old UID/GUID by the new one with a find request but how should I do with the 
other users id used inside the container ? 

I did not understand where the uid/gid map is done 

Inside the container 
root@w4a:~# id ubuntu 
uid=1000(ubuntu) gid=1000(ubuntu) 

Folder : 
drwxr-xr-x 2 ubuntu ubuntu 6 Jul 8 23:17 ubuntu 

Outside the container 
drwxr-xr-x 2 166536 166536 6 Jul 8 23:17 ubuntu 

How the system know about uid/gid 1000 inside container = uid/gid 166536 
outside the container 
It look like root uid = 165536 outside the container and it is defined by lxc 
configuration 
id 1000 inside the container will be root uid + user id , so 165536 + 1000 = 
166536 

But what is two container have a user uid 100 ? they will both avec the same 
uid outside the container ? 

About migrate the container from, how should I manage it ? 
Should I re-do the mapping myself ? Like looking into /etc/passwd inside the 
container then use the root uid + the id found for that user in /etc/passwd and 
replace the old uid/gid by the new one ? Maybe there is faster/better solution 
? 

I was looking to add an uid/gid mapping to match the container configuration as 
it was before, but it does not look to work 

I have this as an example in a config file dedicated for the container on the 
LXC pure host. 
# Container specific configuration 
lxc.id_map = u 0 951968 65536 
lxc.id_map = g 0 951968 65536 

Here is what I did to the new host : 
cat /etc/subuid 
gxd:100000:65536 
root:165536:65536 
root:951968:65536 

I also tried to set lxc.raw 

cat << EOF |lxc config set test-ct raw.lxc - 
lxc.id_map = u 0 951968 65536 
lxc.id_map = g 0 951968 65536 
EOF 

But in that case, container does't start. 

Thanks for you help :) 


Cordialement, 

Benoît 

_______________________________________________
lxc-users mailing list
[email protected]
http://lists.linuxcontainers.org/listinfo/lxc-users

Reply via email to