

This page will disappear.

Documentation available here.

The UID/GID mapping notes further down are taken from the guides written by Stéphane Graber, one of the LXC/LXD project maintainers.

Install lxc and lxd

# pacman -S lxc bridge-utils
$ yay -S lxd

Configure the system

vim /etc/lxc/default.conf
-------------------------
lxc.idmap = u 0 100000 65536
lxc.idmap = g 0 100000 65536
-------------------------

The host range named in lxc.idmap (here 100000-165535) has to lie inside a range granted to root in /etc/subuid and /etc/subgid, so the grant must start at the same base:

echo "root:100000:65536" | sudo tee -a /etc/subuid /etc/subgid

Add your user (here yu) to the lxd group and enable the daemon. Membership in the lxd group is root-equivalent on the host (a member can launch a privileged container with the host filesystem attached), so grant it only to users you would also give sudo.

sudo usermod -a -G lxd yu
sudo systemctl start lxd
sudo systemctl enable lxd

Reboot (or log out and back in, so the new group membership takes effect)

Setup lxd

lxd init

Map your host UID/GID into the container. The raw.idmap below backs UID/GID 1000 inside the container with your own UID/GID on the host ($(id -u)/$(id -g)), so files on a shared disk device are owned by the same identity on both sides; every other id in the container stays in the unprivileged range.

Enlarge the ranges granted to root and lxd. Note: the root and lxd entries must be kept identical, because LXD runs as root and relies on root's entry.

# vim /etc/subuid
--------------------
lxd:100000:1000000000
root:100000:1000000000
--------------------
# vim /etc/subgid
--------------------
lxd:100000:1000000000
root:100000:1000000000
--------------------

Restart lxd so that it reads the new ranges, then give the container its own isolated map and pin your host UID/GID to UID/GID 1000 inside it:

# systemctl restart lxd
lxc config set firefox security.idmap.isolated true
printf "uid $(id -u) 1000\ngid $(id -g) 1000" | lxc config set firefox raw.idmap -

raw.idmap is only accepted when the host ids being mapped are granted to both root and lxd in /etc/subuid and /etc/subgid. A host id below 100000, such as 1000, is not inside the ranges above, so add one-id entries for it first (the printf ... | sudo tee -a /etc/subuid step in the excerpt below does exactly that). Keep in mind that whatever host id you map in is fully reachable from the container: its user can read and write everything that id owns on any disk device you attach, so map only the identity you actually need.

Start the container, or restart it if it is already running, so that LXD remaps its filesystem to the new map:

$ lxc start firefox
Remapping container filesystem
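As an added example (not part of these notes or of LXD), a small POSIX shell pre-flight check for the steps above. Every function takes file contents as arguments, so the checks below run against constructed samples that mirror the files on this page; on a real host pass "$(cat /etc/lxc/default.conf)", "$(cat /etc/subuid)" and "$(cat /etc/subgid)" instead. It verifies that the host ranges named in lxc.idmap lie inside root's grants, that the root and lxd entries match, and which one-id entries are still missing before a raw.idmap for your own uid can succeed. The function names are this example's own.

```shell
#!/bin/sh
# Pre-flight checks for the uid/gid mapping steps above (added example; the
# function names are this example's own, not LXD's). Every function takes
# file contents as arguments, so the checks run against the constructed
# samples at the bottom; on a real host pass "$(cat /etc/subuid)" and friends.

# "base count" for every range granted to user $1 in subuid/subgid content $2.
granted_ranges() {
    printf '%s\n' "$2" | awk -F: -v u="$1" '$1 == u { print $2, $3 }'
}

# Succeed when all ids in [$2, $2+$3) lie inside one range granted to user $1
# by content $4. A contiguous grant is what LXD needs for a map entry.
range_granted() {
    granted_ranges "$1" "$4" | awk -v b="$2" -v c="$3" '
        $1 <= b && b + c <= $1 + $2 { ok = 1 }
        END { if (ok) exit 0; exit 1 }'
}

# Succeed when root and lxd hold identical grants, as the notes above require.
root_lxd_in_sync() {
    [ "$(granted_ranges root "$1" | sort)" = "$(granted_ranges lxd "$1" | sort)" ]
}

# "hostbase count" for each "lxc.idmap = <u|g> <nsbase> <hostbase> <count>"
# line of type $1 in default.conf content $2.
lxc_idmap_host_ranges() {
    printf '%s\n' "$2" | awk -v t="$1" '$1 == "lxc.idmap" && $3 == t { print $5, $6 }'
}

# Succeed when every host range named in default.conf content $1 is covered by
# root's grants in subuid content $2 and subgid content $3.
default_conf_consistent() {
    status=0
    for pair in $(lxc_idmap_host_ranges u "$1" | tr ' ' ,); do
        range_granted root "${pair%,*}" "${pair#*,}" "$2" || status=1
    done
    for pair in $(lxc_idmap_host_ranges g "$1" | tr ' ' ,); do
        range_granted root "${pair%,*}" "${pair#*,}" "$3" || status=1
    done
    return $status
}

# Print the one-id subuid/subgid lines still missing before LXD may map host
# id $1 through raw.idmap (content $2); prints nothing when all are present.
needed_grants() {
    for u in lxd root; do
        range_granted "$u" "$1" 1 "$2" || printf '%s:%s:1\n' "$u" "$1"
    done
}

# The raw.idmap value pinning host uid $1 and gid $2 to container uid/gid $3.
raw_idmap() {
    printf 'uid %s %s\ngid %s %s\n' "$1" "$3" "$2" "$3"
}

# Constructed samples mirroring the files shown on this page (not read from a host).
SAMPLE_CONF='lxc.idmap = u 0 100000 65536
lxc.idmap = g 0 100000 65536'
SAMPLE_SUBID='lxd:100000:1000000000
root:100000:1000000000'
# A grant starting at 1000000 does not cover the host base 100000 used above.
SAMPLE_SUBID_BAD='root:1000000:65536'

if default_conf_consistent "$SAMPLE_CONF" "$SAMPLE_SUBID" "$SAMPLE_SUBID"; then
    echo "default.conf host ranges are inside root's grants"
fi
if ! default_conf_consistent "$SAMPLE_CONF" "$SAMPLE_SUBID_BAD" "$SAMPLE_SUBID_BAD"; then
    echo "root:1000000:65536 does not cover 100000-165535"
fi
echo "grants still needed before raw.idmap can use host uid 1000:"
needed_grants 1000 "$SAMPLE_SUBID"
raw_idmap 201105 200512 1000
```

Run it as-is to see the checks against the samples; with the real files substituted, a non-empty output from needed_grants is the set of lines to append with tee -a before restarting lxd and setting raw.idmap.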

Increasing the size of the default map

stgraber@castiana:~$ cat /etc/subuid
lxd:100000:1000000000
root:100000:1000000000

stgraber@castiana:~$ cat /etc/subgid
lxd:100000:1000000000
root:100000:1000000000

To have a container use its own distinct map, simply run:

stgraber@castiana:~$ lxc config set test security.idmap.isolated true
stgraber@castiana:~$ lxc restart test
stgraber@castiana:~$ lxc config get test volatile.last_state.idmap
[{"Isuid":true,"Isgid":false,"Hostid":165536,"Nsid":0,"Maprange":65536},{"Isuid":false,"Isgid":true,"Hostid":165536,"Nsid":0,"Maprange":65536}]

The restart step is needed to have LXD remap the entire filesystem of the container to its new map.
Note that this step will take a varying amount of time depending on the number of files in the container and the speed of your storage.

As can be seen above, after restart, the container is shown to have its own map of 65536 uids/gids.

If you want LXD to allocate more than the default 65536 uids/gids to an isolated container, you can bump the size of the allocation with:

stgraber@castiana:~$ lxc config set test security.idmap.size 200000
stgraber@castiana:~$ lxc restart test
stgraber@castiana:~$ lxc config get test volatile.last_state.idmap
[{"Isuid":true,"Isgid":false,"Hostid":165536,"Nsid":0,"Maprange":200000},{"Isuid":false,"Isgid":true,"Hostid":165536,"Nsid":0,"Maprange":200000}]

If you’re trying to allocate more uids/gids than are left in LXD’s allocation, LXD will let you know:

stgraber@castiana:~$ lxc config set test security.idmap.size 2000000000
error: Not enough uid/gid available for the container.



The obvious answer to that is to define a new “disk” entry in LXD which passes your home directory to the container:

stgraber@castiana:~$ lxc config device add test home disk source=/home/stgraber path=/home/ubuntu
Device home added to test

So that was pretty easy, but did it work?

stgraber@castiana:~$ lxc exec test -- bash
root@test:~# ls -lh /home/
total 529K
drwx--x--x 45 nobody nogroup 84 Jun 14 20:06 ubuntu

No. The mount is clearly there, but it’s completely inaccessible to the container.
To fix that, we need to take a few extra steps:

    Allow LXD’s use of our user uid and gid
    Restart LXD to have it load the new map
    Set a custom map for our container
    Restart the container to have the new map apply

stgraber@castiana:~$ printf "lxd:$(id -u):1\nroot:$(id -u):1\n" | sudo tee -a /etc/subuid
lxd:201105:1
root:201105:1

stgraber@castiana:~$ printf "lxd:$(id -g):1\nroot:$(id -g):1\n" | sudo tee -a /etc/subgid
lxd:200512:1
root:200512:1

stgraber@castiana:~$ sudo systemctl restart lxd

stgraber@castiana:~$ printf "uid $(id -u) 1000\ngid $(id -g) 1000" | lxc config set test raw.idmap -

stgraber@castiana:~$ lxc restart test

At which point, things should be working in the container:

stgraber@castiana:~$ lxc exec test -- su ubuntu -l
ubuntu@test:~$ ls -lh
total 119K
drwxr-xr-x  5 ubuntu ubuntu  8 Feb 18  2016 data
drwxr-x---  4 ubuntu ubuntu  6 Jun 13 17:05 Desktop
drwxr-xr-x  3 ubuntu ubuntu 28 Jun 13 20:09 Downloads
drwx------ 84 ubuntu ubuntu 84 Sep 14  2016 Maildir
drwxr-xr-x  4 ubuntu ubuntu  4 May 20 15:38 snap
ubuntu@test:~$
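To see why the shared home directory is listed as nobody:nogroup before the custom map and as ubuntu after it, here is an added POSIX shell example (not from the excerpt above or from LXD) that resolves ids in both directions across the map printed by lxc config get <container> volatile.last_state.idmap. The parser assumes only the field order visible in the outputs above (Isuid, Isgid, Hostid, Nsid, Maprange). The two maps it runs against are constructed here, not captured from a host: LXD's default map, and the default map with host uid 201105 pinned to container uid 1000, written in the split form that results from inserting a single-id entry into the base range. The function names are this example's own.

```shell
#!/bin/sh
# Resolve ids across a container's idmap (added example; not from the post or
# from LXD). Input is the JSON printed by
#   lxc config get <container> volatile.last_state.idmap
# and the parser assumes only the field order shown above:
#   Isuid, Isgid, Hostid, Nsid, Maprange

# One "isuid isgid hostid nsid maprange" line per map entry.
idmap_entries() {
    printf '%s\n' "$1" | tr '{' '\n' | sed -n \
        's/.*"Isuid":\([a-z]*\),"Isgid":\([a-z]*\),"Hostid":\([0-9]*\),"Nsid":\([0-9]*\),"Maprange":\([0-9]*\).*/\1 \2 \3 \4 \5/p'
}

# Entries of kind $1 ("uid" or "gid") from JSON $2.
entries_of_kind() {
    idmap_entries "$2" | awk -v k="$1" '(k == "uid" && $1 == "true") || (k == "gid" && $2 == "true")'
}

# Host id that container $1 (uid|gid) $2 is backed by in map $3, or "unmapped".
ns_to_host() {
    r=$(entries_of_kind "$1" "$3" | awk -v id="$2" '
        id >= $4 && id < $4 + $5 { print $3 + id - $4; exit }')
    echo "${r:-unmapped}"
}

# Container id that host $1 (uid|gid) $2 appears as inside map $3, or
# "unmapped": the kernel then shows the owner as the overflow id 65534,
# which is the nobody/nogroup seen in the first `ls -lh /home/` above.
host_to_ns() {
    r=$(entries_of_kind "$1" "$3" | awk -v id="$2" '
        id >= $3 && id < $3 + $5 { print $4 + id - $3; exit }')
    echo "${r:-unmapped}"
}

# Constructed samples in the shape LXD prints (not captured from a host).
# LXD's default map: container 0..65535 -> host 100000..165535.
DEFAULT_MAP='[{"Isuid":true,"Isgid":false,"Hostid":100000,"Nsid":0,"Maprange":65536},{"Isuid":false,"Isgid":true,"Hostid":100000,"Nsid":0,"Maprange":65536}]'
# The same map after raw.idmap "uid 201105 1000": the base uid entry is split
# around the pinned id, so 0..999 and 1001..65535 keep their host ids while
# container uid 1000 alone becomes host uid 201105 (host 101000 is now unmapped).
CUSTOM_MAP='[{"Isuid":true,"Isgid":false,"Hostid":100000,"Nsid":0,"Maprange":1000},{"Isuid":true,"Isgid":false,"Hostid":201105,"Nsid":1000,"Maprange":1},{"Isuid":true,"Isgid":false,"Hostid":101001,"Nsid":1001,"Maprange":64535},{"Isuid":false,"Isgid":true,"Hostid":100000,"Nsid":0,"Maprange":65536}]'

echo "default map: container uid 1000 -> host uid $(ns_to_host uid 1000 "$DEFAULT_MAP")"
echo "default map: host uid 201105   -> container uid $(host_to_ns uid 201105 "$DEFAULT_MAP")"
echo "custom map:  host uid 201105   -> container uid $(host_to_ns uid 201105 "$CUSTOM_MAP")"
echo "custom map:  container uid 1001 -> host uid $(ns_to_host uid 1001 "$CUSTOM_MAP")"
```

The first host_to_ns call is the whole story of the "nobody" listing: 201105 lies outside 100000..165535, so nothing in the container can own or reach those files. The second shows what raw.idmap buys: exactly one host identity enters the container, at uid 1000, while the rest of the map is unchanged.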

Doubts, issues, suggestions, etc.

Create a Merge Request with your suggestions.

Create an Issue with your problem.