
Storage in LXD

Group mapping

With this method, instead of mapping a user, you share files by mapping only the group id.

First add a group with id 4567; or use an already existing group.

sudo groupadd -g 4567 lxc-storage

Then add a subordinate group id (4567) to root in /etc/subgid.

root:4567:1

[note to self]: Do I also need lxd:4567:1 ?????

Restart LXD.

sudo systemctl restart lxd

Create a new folder.

mkdir -m 2775 lxd_folder
sudo chown -R 1000:4567 lxd_folder

The 2 in mkdir -m 2775 lxd_folder is the SGID (setgid) bit, so whoever creates a file inside the folder, the file's group is always 4567.

[not really]: Now group 1001 inside the container will be 4567 in the host.

Configure

How the mapping is represented

gid <group id in host> <group id in container>
gid 4567 1001

The default user (ubuntu) in Ubuntu 18.04 is 1000 and in Ubuntu 19.04 is 1001.

In Ansible.

lxd_container:
...
  config:
    raw.idmap: gid 4567 1001
  devices:
    folder:
      source: "/path/in/host"
      path: "/path/in/container"
      type: disk
...

Normal (with the lxc command line).

lxc config device add containerName sharedResourceName disk source=/path/in/host path=/path/in/container
printf "gid 4567 1001" | lxc config set containerName raw.idmap -
lxc restart containerName

Results

Container.

-rw-r--r-- 1 65534  1001    0 Jun 16 20:00 new_file

Host.

-rw-r--r-- 1  1000  4567    0 Jun 16 22:00 new_file
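The mapping representation above and the two listings in Results can be reproduced with a small model of how LXD translates ids between host and an unprivileged container. This is an added example, not code from the original notes or from LXD: the default base range (100000, size 65536), the /etc/subgid texts and the helper names are constructed assumptions.

```python
# Added example, not from the original notes: a model of how LXD translates
# ids between host and an unprivileged container once raw.idmap is set, and
# the check that the mapped host gid is granted to root in /etc/subgid.
# Base range (100000, size 65536) and the subgid text are constructed samples.
NOBODY = 65534  # a host id with no mapping appears as nobody/nogroup inside

def parse_subid(text, user="root"):
    """(start, count) ranges granted to `user` in /etc/subuid or /etc/subgid."""
    rows = [l.split(":") for l in text.splitlines() if l.strip() and l[0] != "#"]
    return [(int(s), int(c)) for name, s, c in rows if name == user]

def build_maps(raw_idmap, base_maps):
    """Map entries (kind, host, ctr, size). raw.idmap lines such as
    'gid 4567 1001' go first so they take precedence over the default range."""
    maps = []
    for line in raw_idmap.splitlines():
        if line.split():
            kind, host, ctr = line.split()
            kinds = ("uid", "gid") if kind == "both" else (kind,)
            maps += [(k, int(host), int(ctr), 1) for k in kinds]
    return maps + list(base_maps)

def host_to_ctr(kind, host_id, maps):
    for k, host, ctr, size in maps:
        if k == kind and host <= host_id < host + size:
            return ctr + host_id - host
    return NOBODY

def ctr_to_host(kind, ctr_id, maps):
    for k, host, ctr, size in maps:
        if k == kind and ctr <= ctr_id < ctr + size:
            return host + ctr_id - ctr
    return None  # unmapped: the container cannot create files with this id

def ungranted_host_gids(maps, subgid_text):
    """Host gids used by the map that /etc/subgid does not grant to root;
    LXD will not accept the mapping while this list is non-empty."""
    ranges = parse_subid(subgid_text)
    return [host for k, host, _, size in maps if k == "gid" and not any(
        s <= host and host + size <= s + c for s, c in ranges)]

DEFAULT = [("uid", 100000, 0, 65536), ("gid", 100000, 0, 65536)]
MAPS = build_maps("gid 4567 1001", DEFAULT)
SUBGID_OK = "root:100000:65536\nroot:4567:1\n"      # constructed: entry present
SUBGID_MISSING = "root:100000:65536\n"              # constructed: entry absent

if __name__ == "__main__":
    print(host_to_ctr("gid", 4567, MAPS), host_to_ctr("uid", 1000, MAPS))  # 1001 65534
    print(ctr_to_host("gid", 1001, MAPS), ctr_to_host("uid", 1000, MAPS))  # 4567 101000
    print(ungranted_host_gids(MAPS, SUBGID_MISSING))  # [4567]
```

The first line of output matches the Container listing (group 1001 is host gid 4567, owner 65534 is the unmapped host uid 1000); the second matches the Host listing and the 101000 owner seen later in the ACLs section.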

ACLs

First add a group with id 4567; or use an already existing group.

sudo groupadd -g 4567 lxc-storage

Then add a subordinate group id (4567) to root in /etc/subgid.

root:4567:1

Restart LXD.

sudo systemctl restart lxd

Create a new folder.

mkdir -m 2775 lxd_folder

Edit the ACL of lxd_folder to give the group lxc-storage (id 4567) read, write and traverse (x) permission on the folder.

setfacl -m g:4567:rwx lxd_folder

Results

Host.

drwxrwsr-x+  2   1000 1000 4096 Jul 11 14:57 .
-rw-rw-r--   1 101000 1000    0 Jul 11 14:57 file_created_from_container
-rw-r--r--   1   1000 1000    0 Jul 11 14:57 file_created_from_host

Container.

drwxrwsr-x+ 2 65534 65534 4096 Jul 11 12:57 .
-rw-rw-r--  1  1000 65534    0 Jul 11 12:57 file_created_from_container
-rw-r--r--  1 65534 65534    0 Jul 11 12:57 file_created_from_host

It looks like it does not work, but it does.

Without the SGID bit the group id of the files would be different.

The permissions that apply inside the container are the permissions for the group in the host.