Bind mounts from inside LXD

Definitions:

  • host the server running lxd.
  • container the thing running inside of lxd.
  • uid the user id.

Discussion

lxd defaults to running unprivileged containers. By using Linux user namespaces, the container can run a process such that, from that process's point of view, it is uid 0 (née root), but in fact it is running with the permissions of the user who launched the container. Magic? Yes. Complicated? Maybe, a little bit...

You are always going to be mapping uids with respect to process ownership. In this example, uid 1026 is the user who actually runs the lxc containers. In the end, every process created by the container will appear on the host to be owned by 1026, even though inside your container that same process will be running as, say, uid 1000.

In your container:

 PPID   PID  PGID   SID TTY      TPGID STAT   UID   TIME COMMAND
  503   505   503   503 ?           -1 R     1000   0:00 sshd: jodys@pts/0

On your host:

When you view that same process from the host,

 PPID   PID  PGID   SID TTY      TPGID STAT   UID   TIME COMMAND
21246 21333 21246 21246 ?           -1 S     1026   0:00 sshd: jodys@pts/1

you can see that it is running under a different uid.

File access

File access is decided by your uid. As shown below, you can "bind mount" part of the directory tree from your host into your container. The only issue is that inside the container there will be no uid mapping for that mount. This means that even though the user who owns the container binds files owned by itself into the container, processes inside the container will not actually have that user's access level. We have to explicitly tell lxd to set up a mapping for the purposes of file access.

Determine which host uid to use.

If you want to mount your own home directory, use your own uid:

uid

If you want to access files as a specific user, find its uid:

$ grep $username /etc/passwd
jodys:x:1026:1000:Jody Stephens,,,:/home/jodys:/bin/bash

The number you are looking for is the first one.

Give lxd the ability to map that uid

In this example, we determined that the uid of interest was 1026.

echo "root:1026:1" >> /etc/subuid

This reads, "Allow root to map the range starting at 1026 and extending

Restart lxd

systemctl restart lxd

Configure the uid mapping

lxc config set electric-heron raw.idmap 'uid 1026 1000'

The second field is the uid on your host and the third field is the uid it will be mapped to inside the container.

Reboot the container

lxc restart electric-heron

Create the bind mount

lxc config device add electric-heron homedir disk source=/home/jodys/ path=/home/jodys/
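Putting the whole procedure together: the helpers below are an added example (not part of the original post) for checking the /etc/subuid entry and printing the exact commands from the steps above before anything is run on the host. The sample subuid content and the names subuid_allows, idmap_line and plan_bind_mount are constructed for this example; the container name electric-heron, the uids 1026 and 1000 and the paths are the ones used in the walkthrough.

```shell
#!/usr/bin/env bash
# Added example, not from the original post. Dry-run helpers for the
# bind-mount walkthrough: verify that root is allowed to map the host uid,
# build the raw.idmap value, and print the commands in order.

# Constructed stand-in for /etc/subuid. The last line is the one the post
# appends: root may map exactly one uid, 1026, and nothing else.
SAMPLE_SUBUID='lxd:100000:65536
root:100000:65536
root:1026:1'

# subuid_allows OWNER UID SUBUID_TEXT
# Returns 0 if UID lies inside any range granted to OWNER in SUBUID_TEXT.
# Each line is owner:start:count and covers start .. start+count-1.
subuid_allows() {
    local owner=$1 uid=$2 text=$3 line o start count
    case $uid in *[!0-9]*|'') return 2 ;; esac   # reject non-numeric uids
    while IFS= read -r line; do
        [ -z "$line" ] && continue
        IFS=: read -r o start count <<INNER
$line
INNER
        [ "$o" = "$owner" ] || continue
        if [ "$uid" -ge "$start" ] && [ "$uid" -lt $((start + count)) ]; then
            return 0
        fi
    done <<OUTER
$text
OUTER
    return 1
}

# idmap_line HOST_UID CONTAINER_UID
# The raw.idmap value lxd expects: "uid <host uid> <container uid>".
# Mapping a single uid keeps the grant as narrow as the post describes.
idmap_line() {
    printf 'uid %s %s\n' "$1" "$2"
}

# plan_bind_mount CONTAINER HOST_UID CONTAINER_UID HOST_DIR CONTAINER_DIR
# Prints the walkthrough's commands in order without executing them, so the
# mapping can be reviewed before /etc/subuid and the container are touched.
plan_bind_mount() {
    local c=$1 huid=$2 cuid=$3 src=$4 dst=$5
    printf '%s\n' \
        "echo \"root:$huid:1\" >> /etc/subuid" \
        "systemctl restart lxd" \
        "lxc config set $c raw.idmap '$(idmap_line "$huid" "$cuid")'" \
        "lxc restart $c" \
        "lxc config device add $c homedir disk source=$src path=$dst"
}

# Stand-alone demo against the constructed subuid content.
if subuid_allows root 1026 "$SAMPLE_SUBUID"; then
    echo "root may map uid 1026; planned commands:"
    plan_bind_mount electric-heron 1026 1000 /home/jodys/ /home/jodys/
else
    echo "root is not allowed to map uid 1026; add the subuid entry first"
fi
```

Run it as-is to see the five commands printed for electric-heron; to use it for real, replace SAMPLE_SUBUID with "$(cat /etc/subuid)" and pipe the plan into sh only after reading it. The subuid check matters because lxd refuses a raw.idmap for a uid root is not permitted to map, and the one-uid range keeps the container from gaining any other host identity.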

Enjoy!
