Yes, you need to map those using groups.
Step 1 - Create a new dir on the LXD host
Say you want to share /dir1
sudo mkdir /dir1
Step 2 - Create group for sharing dirs between LXD host and container
Here is how it looks with group ID 300 (you need to make those groups):
# Make a new read-only group named `lxdclientro`
sudo addgroup --system --gid 300 lxdclientro
# Make a new system user named `lxdclientrw` (UID 300, primary group 300) that owns /dir1/ read-write
sudo adduser --system --home /dir1/ --uid 300 --gid 300 lxdclientrw
Step 3 - Setup correct permission on /dir1
Here are commands for /dir1/
sudo chown lxdclientrw:lxdclientro /dir1/
sudo chmod 750 /dir1/
sudo chmod g+s /dir1/
The real magic happens below, where you map root on the LXD host (GID 1) to our newly created UID/GID for /dir1/ (run all commands as the root user: first do sudo -s and then type them):
echo 'root:300:1' >> /etc/subuid
echo 'root:300:1' >> /etc/subgid
Now your LXD host is ready to share /dir1/ in read-write mode with containers.
Step 4 - Find UID and GID inside container to map
Let us say you have container named ‘nginx’. Log into it:
lxc exec nginx sh
Say now there is an app user inside that container called ‘myapp’ with UID 100. Use grep or id to find that user's UID and GID. For example:
grep ^myapp /etc/passwd
grep ^myapp /etc/group
id -u myapp
id -g myapp
I get 100 as UID and GID. Note down both the UID and the GID. If you don’t have a specific user/group inside the container, you need to create it. That is how the security policy is going to work out. Otherwise LXD will block access.
Step 5 - Map UID and GID on the LXD host
Now exit from the lxc container and go back to the LXD host. The 300 (UID on the LXD host) is going to be mapped to the nginx container with UID 100. Similarly, the 300 (GID on the LXD host) is going to be mapped to the nginx container with GID 100. The command is as follows for the container named nginx:
echo -en "uid 300 100\ngid 300 100" | lxc config set nginx raw.idmap -
Restart the container named nginx:
lxc restart nginx
Step 6 - Add /dir1/ in read-write mode to container named nginx
The syntax is:
lxc config device add nginx shareddisk disk source=/dir1 path=/dir1
This will mount /dir1/ from the LXD host into the container named nginx at /dir1/. You can log into the container:
lxc exec nginx sh
And see it:
ls -ld /dir1
Because of the security policy on both the LXD host and the container, only UID/GID 100 inside the container named nginx can update/edit files inside /dir1/. So inside the container you need to switch to that user named myapp.
su - myapp
# or, without a login shell:
runuser -u myapp -- sh
cd /dir1
mkdir foo
rmdir foo
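A preflight check for steps 3 and 5, added here as an example (it is not part of the original answer). LXD refuses a raw.idmap whose host-side ids fall outside the ranges root owns in /etc/subuid and /etc/subgid, and a forgotten subgid line is the usual reason the container restart in step 5 fails. The script below reads those files in their "owner:start:count" format, confirms the host UID/GID used for /dir1/ (300 in the answer) is covered, and builds the exact raw.idmap text the answer pipes into lxc config set. The sample subuid/subgid contents at the bottom are constructed, not copied from a real host; the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original answer. Assumes the answer's numbers:
# host UID/GID 300 owns /dir1, container UID/GID 100 belongs to 'myapp'.

# Does FILE (in /etc/subuid or /etc/subgid format, "owner:start:count" per
# line) give OWNER a range that covers ID? Prints yes/no, returns 0/1.
subid_covers() {
    file=$1; owner=$2; id=$3
    awk -F: -v o="$owner" -v id="$id" '
        $1 == o && id >= $2 && id < $2 + $3 { found = 1 }
        END { print (found ? "yes" : "no"); exit !found }
    ' "$file"
}

# Build the raw.idmap value for one uid and one gid mapping: the text the
# answer pipes into 'lxc config set <container> raw.idmap -'.
raw_idmap() {
    host_uid=$1; cont_uid=$2; host_gid=$3; cont_gid=$4
    printf 'uid %s %s\ngid %s %s\n' "$host_uid" "$cont_uid" "$host_gid" "$cont_gid"
}

# Full preflight: root must own a subuid range covering HOST_UID and a subgid
# range covering HOST_GID, otherwise LXD rejects the raw.idmap. Returns 0
# only when both checks pass and names the missing file otherwise.
preflight() {
    subuid_file=$1; subgid_file=$2; host_uid=$3; host_gid=$4
    ok=0
    subid_covers "$subuid_file" root "$host_uid" >/dev/null ||
        { echo "root has no range covering UID $host_uid in $subuid_file"; ok=1; }
    subid_covers "$subgid_file" root "$host_gid" >/dev/null ||
        { echo "root has no range covering GID $host_gid in $subgid_file"; ok=1; }
    return $ok
}

# Constructed sample files standing in for /etc/subuid and /etc/subgid:
# subuid has the step-3 line, subgid does not (the line was forgotten).
tmp=$(mktemp -d)
printf 'root:100000:65536\nroot:300:1\n' > "$tmp/subuid"
printf 'root:100000:65536\n' > "$tmp/subgid"

if preflight "$tmp/subuid" "$tmp/subgid" 300 300; then
    echo "ranges ok, raw.idmap to apply:"
    raw_idmap 300 100 300 100
else
    echo "fix the file named above before running 'lxc config set nginx raw.idmap'"
fi
rm -rf "$tmp"
```

On a real host run preflight against /etc/subuid and /etc/subgid with the host UID/GID you chose; only when it passes, feed the output of raw_idmap to lxc config set as in step 5. The check is read-only, so it is safe to run before touching the container.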