Comment on Jellyfin on Proxmox
revv@lemmy.blahaj.zone 8 months agoThe user and group mapping for lxc is easy(ish) once you understand it.
The above breaks out as follows: lxc.idmap: [user/group] [beginning host UID/GID] [number of sequential IDs to map]
lxc.idmap: u 0 100000 1000 [maps LXC UIDs 0-999 to host UIDs 100000-100999]
lxc.idmap: g 0 100000 1000 [maps LXC GIDs 0-999 to host GIDs 100000-100999]
lxc.idmap: u 1000 1000 1 [maps LXC UID 1000 to host UID 1000]
lxc.idmap: g 1000 1000 1 [maps LXC GID 1000 to host GID 1000]
lxc.idmap: u 1001 101001 64535 [maps LXC UIDs 1001-65535 to host UIDs 101001-165535]
lxc.idmap: g 1001 101001 64535 [maps LXC GIDs 1001-65535 to host GIDs 101001-165535]
The last two lines are needed because a running Linux system needs access to a minimum of 65336 UIDs/GIDs (zero-indexed).
You can basically think of LXC as running everything on the host system itself, but running it all as UID/GID 100000-65535 by default. In an unprivileged container, you have to remap these to give access to resources not owned by that range.
walden@sub.wetshaving.social 8 months ago
I wonder, after making these changes is it the same security wise as making the container unprivileged=0?
revv@lemmy.blahaj.zone 8 months ago
Nope. It just maps a single user and group from the container to a regular user on the host. With the above config, root in the container has the “real” UID of 100000. It can’t make changes to anything any other unprivileged user can. A privileged container otoh runs root as root. It can do a lot of damage. By running privileged containers you’re kind of throwing out a good portion of LXC’s benefits.
walden@sub.wetshaving.social 8 months ago
That makes sense. Thanks.