UID mappings in LXC 5

10 views
Skip to first unread message

Oliver Schad

unread,
Jun 17, 2022, 4:48:55 AMJun 17
to lxc-...@lists.linuxcontainers.org
Hello everybody

We're migrating containers from LXC 3.23 to LXC 5. We see, that
currently a new deployed unprivileged container uses UID mappings in
an other way, than before:

the filesystem shows "natural" UID, so the UID of root is 0. But the
processes have the UID 100000. How does that work?

In LXC 3.23 process UIDs and filesystem UIDs match exactly. So we will
try to start every unprivileged container as privileged under 3.23 to
convert the UIDs and will copy the result to the new LXC 5 host. Is
this the correct way to migrate containers?

Best Regards
Oli

--
Automatic-Server AG •••••
Oliver Schad
Geschäftsführer
Hardstr. 46
9434 Au | Schweiz

www.automatic-server.com | oliver...@automatic-server.com
Tel: +41 71 511 31 11 | Mobile: +41 76 330 03 47

Oliver Schad

unread,
Jun 22, 2022, 8:12:24 AMJun 22
to lxc-...@lists.linuxcontainers.org
Hi Stéphane

Thanks for the clarification. So migration is done by LXD itself
between versions or is it part of a user task?

Best Regards
Oli

On Fri, 17 Jun 2022 13:30:15 -0400
Stéphane Graber <stgr...@ubuntu.com> wrote:

> Hey,
>
> I believe you mean LXD 3.23 to LXD 5.x.
> Most likely you're also now on a pretty recent kernel, something like
> 5.13 or higher (likely 5.15).
>
> On recent kernels, LXD can make use of the VFS idmap feature which
> allows for in-kernel remapping of the filesystem.
> This allows running unprivileged containers without having to
> completely rewrite all uid/gid on disk, making things significantly
> faster to start initially as well as to change maps at some point in
> the future.
>
> Inside of the container, there should be no visible differences.
>
> Stéphane
> > --
> > You received this message because you are subscribed to the Google
> > Groups "lxc-devel" group. To unsubscribe from this group and stop
> > receiving emails from it, send an email to
> > lxc-devel+...@lists.linuxcontainers.org. To view this
> > discussion on the web visit
> > https://groups.google.com/a/lists.linuxcontainers.org/d/msgid/lxc-devel/20220617104801.67d50606%40flunder.oschad.de.

Stéphane Graber

unread,
Jun 23, 2022, 5:19:57 PMJun 23
to Oliver Schad, lxc-...@lists.linuxcontainers.org
To limit system impact, LXD will use the VFS idmap feature for all new
instances or when an instance is switched between
privileged/unprivileged mode.
Existing instances aren't modified given that the expensive shifting
of the filesystem was already done and shifting it back would just
take more time.

On Wed, Jun 22, 2022 at 7:12 AM Oliver Schad
> To view this discussion on the web visit https://groups.google.com/a/lists.linuxcontainers.org/d/msgid/lxc-devel/20220622141135.09a0f913%40flunder.oschad.de.
Reply all
Reply to author
Forward
0 new messages