From: Lindsay Mathieson
To: pve-user@lists.proxmox.com
Date: Mon, 19 Apr 2021 10:53:30 +1000
Subject: [PVE-User] unpriviliged lxc uid/gid mappings
Message-ID: <190926b5-0c91-b8d3-e653-5425103c0c0d@gmail.com>

I must say, I find the subject very confusing and difficult to parse. It seems very difficult to set up with multiple user and container mappings to maintain - I just set up 4 containers with 4 bind mounts each and after a lot of fiddling, got them working, but I'm not confident on maintenance for the future. I had to give up on the container that needed access to 2 USB tuners and an Intel QuickSync GPU (vaapi), ended up running that container privileged.

Are there any plans to simplify it for the future? I found the LXD (4.0?) system of raw.idmap settings much easier to set up, I was able to generically script that for containers.

Not complaining, I'm very happy with the overall setup I have at home - PX Media Server and a PBS Server, much easier to maintain than my old setup, and disaster recovery exists now :)

--
Lindsay