Proxmox unprivileged LXC id mapping

You’re using an unprivileged LXC container on Proxmox, and you want to correctly handle UID/GID mappings to ensure Dockerized apps (like MySQL or Nginx Proxy Manager) have the right permissions on mounted volumes (like CephFS).

Understanding UID/GID Mapping in Unprivileged LXC Containers

In unprivileged containers, UIDs and GIDs are mapped to a higher range on the host. By default, Proxmox adds 100000 to the UIDs/GIDs inside the container when mapping them to the host.

For example:

  • UID 0 (root) inside the container maps to UID 100000 on the host.
  • UID 1 inside the container maps to UID 100001 on the host.
  • UID 1000 inside the container maps to UID 101000 on the host.

This behavior is automatic unless you’ve customized the mapping.

Step-by-Step Guide for Fixing Permissions in Unprivileged Containers

1. Determine the UID/GID Used by Dockerized Apps

First, you need to find out which UID and GID the Dockerized apps (such as MySQL or Nginx Proxy Manager) are using inside the LXC container.

  1. Check the UID/GID used by the Dockerized app inside the LXC container.

For Nginx Proxy Manager (assuming your container is named nginx-proxy-manager):

docker exec nginx-proxy-manager id

This will show you the UID and GID the Nginx Proxy Manager is running as inside the Docker container.

For MySQL (assuming the Docker container is named mysql):

docker exec mysql id

You might see output like:

uid=999(mysql) gid=999(mysql)

This means MySQL runs as UID 999 and GID 999 inside the container.

Start the LXC container (if it’s not already running):

pct start <container_id>

2. Map the Container UID/GID to the Host

In unprivileged containers, the UIDs and GIDs are shifted by 100000 on the host. This means you need to add 100000 to the UID/GID inside the container to find the corresponding UID/GID on the host.

Example: MySQL

Let’s assume MySQL runs as UID 999 and GID 999 inside the container.

The corresponding GID on the host will be:

Host GID = Container GID + 100000
Host GID = 999 + 100000 = 100999

The corresponding UID on the host will be:

Host UID = Container UID + 100000
Host UID = 999 + 100000 = 100999

Example: Nginx Proxy Manager

If Nginx Proxy Manager runs as UID 1000 and GID 1000 inside the container, the corresponding host UID/GID will be:

  • Host UID: 1000 + 100000 = 101000
  • Host GID: 1000 + 100000 = 101000

3. Change Ownership on the Host Filesystem

Once you know the host UID/GID that corresponds to the container UID/GID, you need to change the ownership of the relevant directories on the host (such as the CephFS mount) to match.

For example, if MySQL inside the container requires UID 999 and GID 999, and you’ve calculated that the corresponding host UID/GID is 100999, you should chown the CephFS directory on the host to 100999:100999.

On the Proxmox host, run:

chown -R 100999:100999 /mnt/cephfs/mysql

Similarly, if Nginx Proxy Manager needs UID 1000 and GID 1000 inside the container, and the corresponding host UID/GID is 101000, run:

chown -R 101000:101000 /mnt/cephfs/nginx_proxy_manager

4. Restart the LXC Container

After changing the ownership, restart the LXC container to ensure that the Dockerized apps can now access the files with the correct permissions.

pct restart <container_id>
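The four steps above, as an added shell example (not code from the original page or from Proxmox): it parses the `id` output captured from the Docker container, computes the host-side UID/GID, and prints the chown command instead of running it, so you can review it before touching the mount. The +100000 shift is the Proxmox default for unprivileged containers; the example also honours an `lxc.idmap:` line if one is present in the container config, because a custom mapping changes the host ids. The sample `id` output, the sample config text and the mount paths are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the original page: map a container UID/GID to the host
# UID/GID of an unprivileged Proxmox LXC and print the matching chown command.
# Assumptions: default shift of 100000; a custom mapping, if any, appears as
# "lxc.idmap: u START HOST_START COUNT" lines in /etc/pve/lxc/<CTID>.conf.

# Constructed sample of a container config. Uncomment the lxc.idmap lines to see
# a custom mapping take effect (the default +100000 applies while they are commented).
SAMPLE_LXC_CONF='arch: amd64
unprivileged: 1
# lxc.idmap: u 0 200000 65536
# lxc.idmap: g 0 200000 65536'

# Constructed sample of what "docker exec mysql id" printed inside the LXC.
SAMPLE_ID_OUTPUT='uid=999(mysql) gid=999(mysql) groups=999(mysql)'

# parse_id <id-output>: prints "UID GID" from a line such as
# "uid=999(mysql) gid=999(mysql) ..." (the name in parentheses is optional).
parse_id() {
    printf '%s\n' "$1" |
        sed -n 's/^uid=\([0-9]*\)\(([^)]*)\)\{0,1\} gid=\([0-9]*\).*/\1 \3/p'
}

# map_id <u|g> <container_id> [conf_text]: prints the host id.
# The first lxc.idmap range of the right kind that contains the id wins;
# otherwise the Proxmox default shift of 100000 is applied.
map_id() {
    kind=$1; cid=$2; conf=${3:-}
    printf '%s\n' "$conf" | awk -v kind="$kind" -v cid="$cid" '
        $1 == "lxc.idmap:" && $2 == kind {
            start = $3 + 0; hstart = $4 + 0; count = $5 + 0
            if (cid >= start && cid < start + count) {
                print hstart + (cid - start); found = 1; exit
            }
        }
        END { if (!found) print cid + 100000 }'
}

# host_chown_cmd <container_uid> <container_gid> <host_path> [conf_text]:
# prints the chown to run on the Proxmox host (printed only, never executed here).
host_chown_cmd() {
    huid=$(map_id u "$1" "${4:-}")
    hgid=$(map_id g "$2" "${4:-}")
    printf 'chown -R %s:%s %s\n' "$huid" "$hgid" "$3"
}

# Demo on the constructed samples; nothing on the host is modified.
set -- $(parse_id "$SAMPLE_ID_OUTPUT")
echo "container uid=$1 gid=$2 -> host uid=$(map_id u "$1" "$SAMPLE_LXC_CONF")" \
     "gid=$(map_id g "$2" "$SAMPLE_LXC_CONF")"
host_chown_cmd "$1" "$2" /mnt/cephfs/mysql "$SAMPLE_LXC_CONF"
```

To use it against a real container, replace the two sample strings with the output of `docker exec <name> id` (run inside the LXC) and the contents of the container's config, then run the printed chown on the Proxmox host. Printing rather than executing keeps a mis-parsed id from recursively re-owning the wrong tree.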

Summary

  1. Determine the UID/GID used by the Dockerized application inside the unprivileged LXC container.
  2. Map the container's UID/GID to the host's UID/GID by adding 100000.
  3. Change ownership of the relevant directories on the host (such as the CephFS mount) to the mapped host UID/GID using chown.
  4. Restart the LXC container to apply the changes.

This way, the Dockerized apps running inside the LXC container will have the correct permissions to access the mounted directories (like CephFS) on the Proxmox host.

Let me know if you need further clarification!