Now I've tried this to create a container from an already "unprivileged" user:
$ sudo apt install incus
$ sudo incus admin init
$ incus launch images:debian/12 MyContainerName
Error: You don't have the needed permissions to talk to the incus daemon
(socket path: /var/lib/incus/unix.socket)
$ sudo usermod --append --groups incus-admin $USER
$ newgrp incus-admin
$ incus launch images:debian/12 MyContainerName
$ sudo ls -l /var/lib/incus/storage-pools/local/containers/MyContainerName/rootfs
And the result is the same using DIR storage pool:
I see there all files with the same UID/GID range as the host.
This means that when the guest does actions as the guest's "root", it is using the same
root UID & GID as the host, as reflected in the filesystem.
Anyway, any "incus-admin" group member has privileged permissions to
manage containers, and I don't want to give this status to the guest user.
How do I make Incus create and map subuid/subgid when creating a
container? I want to apply the full "unprivileged" concept, and I want to see
this on the filesystem the same as with the use of lxc.idmap by LXC.
An example of a production scenario with LXC unprivileged containers:
$ stat -c %u:%g /
0:0
$ cd /var/lib/lxc.u/lxc
$ sudo stat -c %u:%g MyContainerName1/rootfs
4032160:4032160
$ sudo cat MyContainerName1/config | grep -e idmap
lxc.idmap = u 0 4032160 65536
lxc.idmap = g 0 4032160 65536
$ sudo stat -c %u:%g MyContainerName2/rootfs
4818592:4818592
$ sudo cat MyContainerName2/config | grep -e idmap
lxc.idmap = u 0 4818592 65536
lxc.idmap = g 0 4818592 65536
This is what I'm looking for, because I'm planning to migrate from pure
LXC to Incus.
On 3/6/24 at 14:04, Narcis Garcia wrote:
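As an added example (not from the original message, nor code from the Incus or LXC projects), a POSIX shell check for the property the message is after: whether a container's rootfs ownership on disk matches the host id that lxc.idmap maps guest uid/gid 0 to, or whether guest root is simply host root. The function name, the constructed config text and the usage path are assumptions; the sample ids reuse the ones shown in the message.

```shell
#!/bin/sh
# Added example: compare a container's on-disk rootfs owner with its lxc.idmap config.
# check_idmap CONFIG_TEXT OWNER
#   CONFIG_TEXT: contents of the container's config (lxc.idmap lines are what matter)
#   OWNER:       "uid:gid" as printed by `stat -c %u:%g rootfs`
# Prints one of: unprivileged | privileged | mismatch
check_idmap() {
    config="$1"
    owner="$2"
    uid="${owner%%:*}"
    gid="${owner##*:}"
    # Host id that guest uid 0 / gid 0 are mapped to; empty when no mapping exists.
    # Field layout of "lxc.idmap = u 0 4032160 65536": $3=type $4=guest-start $5=host-start
    ubase=$(printf '%s\n' "$config" | awk '$1=="lxc.idmap" && $3=="u" && $4=="0" {print $5; exit}')
    gbase=$(printf '%s\n' "$config" | awk '$1=="lxc.idmap" && $3=="g" && $4=="0" {print $5; exit}')
    if [ -z "$ubase" ] && [ -z "$gbase" ]; then
        if [ "$uid" = 0 ] && [ "$gid" = 0 ]; then
            echo privileged      # no mapping: guest root is host root on disk
        else
            echo mismatch        # no mapping, yet rootfs is not owned by host root
        fi
    elif [ "$uid" = "$ubase" ] && [ "$gid" = "$gbase" ]; then
        echo unprivileged        # rootfs owned by the mapped base id, as expected
    else
        echo mismatch            # config declares a mapping, but disk ownership disagrees
    fi
}

# Usage on a real host (hypothetical path, adjust to your layout):
#   d=/var/lib/lxc.u/lxc/MyContainerName1
#   check_idmap "$(sudo cat "$d/config")" "$(sudo stat -c %u:%g "$d/rootfs")"
```

On kernels with idmapped mounts, a manager may leave files at 0:0 on disk and apply the shift at mount time, so a "privileged" verdict from this check should be confirmed against the idmap the manager reports for the instance (for Incus, `incus config get NAME volatile.idmap.current`) before treating the container as privileged.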