
TCB13 (OP), edited:

Apparently this is by design a feature of newer kernels. Here is a good explanation by Stéphane Graber, maintainer of LXC:

Prior to VFS idmap being available, we needed to work around file ownership by having LXD manually rewrite the owner of every single file on disk. That’s what you’re showing here on an older kernel.

On newer kernels, this is no longer needed as we can have the kernel keep the permissions on-disk unshifted and just shift in-kernel so the ownership looks correct inside of the container.

What you’re showing above looks like a perfectly working setup on a kernel that does support VFS idmap.

I could indeed confirm this on the host machine:

root@vm-debian-12-cli:~# lxc info | grep 'shift|idmap'
- storage_shifted
    idmapped_mounts: "true"
    shiftfs: "false"
    idmapped_mounts_v2: "true"

And inside containers the root mount point also shows as idmapped (last line):

root@debian:~# cat /proc/self/uid_map
         0     231072      65536

root@debian:~# cat /proc/self/gid_map
         0     231072      65536

root@debian:~# cat /proc/self/mountinfo
490 460 0:24 /@rootfs/mnt/NVME1/lxd/containers/debian/rootfs / rw,relatime,idmapped shared:251 master:1 - btrfs /dev/sda1 rw,space_cache=v2,user_subvol_rm_allowed,subvolid=259,subvol=/@rootfs/mnt/NVME1/lxd/containers/debian

To disable this, one might set an environment variable that can be passed to LXD by adding an override in its systemd unit: LXD_IDMAPPED_MOUNTS_DISABLE=1

However, according to Mr. Graber, we shouldn't do that:

Okay, so your system is operating perfectly normally and with the lowest overhead possible right now, nothing to be worried about.

The old pre-start shifting method was very slow and very risky as a crash or failure to shift a particular bit of metadata (ACL, xattr, …) could allow for a security issue with the container. It was also horrible for CoW filesystems as it effectively made it look like every single file in the container had been modified, potentially duplicating GBs of data.

shiftfs (which was an Ubuntu-specific hack) and now the proper VFS idmap shifting, simply have the kernel apply the reverse uidmap/gidmap on any filesystem operation to a mount that’s marked as idmapped. It’s an extremely trivial operation to perform, allows for dynamic changes to the container maps (very useful for isolated), allows for sharing data between containers and properly supports everything that can hold a uid/gid (ioctl, xattr, acl, …) so doing away with the risk of having missed something.
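As an added illustration (not code from the post, from LXD or from the kernel), the following parses the two /proc files quoted above and applies the same uid/gid range arithmetic that an idmapped mount performs in-kernel, so you can check from inside a container whether its root is idmapped and what a given on-disk owner will look like. The sample input is constructed from the output shown in the post.

```python
# Added example: parse uid_map and mountinfo as quoted in the post and apply the
# idmapped-mount shift arithmetic. Sample input is constructed, not read live.
UID_MAP = "         0     231072      65536\n"
MOUNTINFO = (
    "490 460 0:24 /@rootfs/mnt/NVME1/lxd/containers/debian/rootfs / "
    "rw,relatime,idmapped shared:251 master:1 - btrfs /dev/sda1 "
    "rw,space_cache=v2,user_subvol_rm_allowed,subvolid=259,"
    "subvol=/@rootfs/mnt/NVME1/lxd/containers/debian\n"
)


def parse_id_map(text):
    """/proc/<pid>/uid_map or gid_map rows are: <inside start> <outside start> <count>."""
    ranges = []
    for line in text.splitlines():
        if line.strip():
            inside, outside, count = (int(x) for x in line.split())
            ranges.append((inside, outside, count))
    return ranges


def inside_to_outside(ranges, cid):
    """Container-side id -> id written on disk / seen by the host (None if unmapped)."""
    for inside, outside, count in ranges:
        if inside <= cid < inside + count:
            return outside + (cid - inside)
    return None


def outside_to_inside(ranges, hid):
    """Reverse map applied on lookups: on-disk id -> what the container sees.
    None means the id lies outside the map and appears as the overflow id (nobody)."""
    for inside, outside, count in ranges:
        if outside <= hid < outside + count:
            return inside + (hid - outside)
    return None


def parse_mountinfo(text):
    """Split /proc/self/mountinfo rows; optional fields sit before the ' - ' separator."""
    mounts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        left, _, right = line.partition(" - ")
        f, r = left.split(), right.split()
        mounts.append({"mount_point": f[4], "options": set(f[5].split(",")),
                       "optional": f[6:], "fstype": r[0], "source": r[1]})
    return mounts


def root_is_idmapped(text):
    """True when the container's / is served through a kernel idmapped mount."""
    return any(m["mount_point"] == "/" and "idmapped" in m["options"]
               for m in parse_mountinfo(text))
```

A container uid outside the mapped count (here anything at or above 65536) has no host identity and is reported as the overflow id, which is why a map that is too small shows up as files owned by nobody rather than as a permission bypass.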
