The Funtoo Linux project has transitioned to "Hobby Mode" and this wiki is now read-only.
LXD/What are subuids and subgids?
Revision as of 18:44, October 21, 2019
When setting up LXD, one of the things you must do for unprivileged container configuration is to set up two files, /etc/subuid and /etc/subgid. These files assign "sub-uids" and "sub-gids" to a specific user. But what are subuids and subgids anyway? This page is here to try to explain what they are and how they work.
Introduction
There is a little-used feature called "subuids" and "subgids" that is used by LXD. It's best to think about it this way. In Linux, every user has a primary user id and group id. This is easy to understand, so we will build on this concept. When a user creates a file, it is owned by their user id on disk, and when they run a process, it is run under the context of their user id.
/etc/subuid and /etc/subgid let you assign extra user ids and group ids to a particular user. The files have the format of:

/etc/subuid:
username:start:count
Above, "username" would be the literal username, "start" would be a UID or GID starting number, and "count" would be the number of ids to assign.
I'm Still Confused -- What are these things?
When you assign additional user ids or group ids to a user, they become reserved for use exclusively by that user. This means that the range of ids you assign is no longer available for use by other users.
It also means that the user to which they are assigned now 'owns' these ids, so that the user can change ownership of files to be owned by these ids, and run processes under these ids.
While we tend to get used to the idea of each user only having one id to work with, the concept itself is actually not that confusing. /etc/subuid and /etc/subgid just allow you to assign blocks of ids to users in bulk, and /etc/subuid is kind of interesting because we aren't used to the idea of a user having more than one user id.
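As an added example (not from this wiki page or the LXD project), the following Python script parses username:start:count lines of the format shown above, flags blocks that two users both claim (since a block is reserved exclusively for one user), and shows where an id used inside an unprivileged container lands on the host. The sample file contents, usernames and id numbers are constructed, and the start + N mapping assumes the plain identity mapping of a container's ids onto the user's block.

```python
from typing import NamedTuple


class SubIdRange(NamedTuple):
    """One username:start:count entry from /etc/subuid or /etc/subgid."""
    user: str
    start: int
    count: int
    @property
    def end(self) -> int:
        return self.start + self.count - 1  # last id in the block, inclusive


def parse_subid(text: str) -> list:
    """Parse username:start:count lines; blank lines and # comments are skipped."""
    ranges = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != 3:
            raise ValueError(f"line {lineno}: expected username:start:count, got {raw!r}")
        user, start, count = parts[0], int(parts[1]), int(parts[2])
        if start < 0 or count <= 0:
            raise ValueError(f"line {lineno}: start must be >= 0 and count > 0")
        ranges.append(SubIdRange(user, start, count))
    return ranges


def find_overlaps(ranges: list) -> list:
    """Return (a, b) pairs whose blocks share ids; a block belongs to exactly one user."""
    overlaps, widest = [], None
    for r in sorted(ranges, key=lambda r: r.start):
        if widest is not None and r.start <= widest.end:
            overlaps.append((widest, r))
        if widest is None or r.end > widest.end:
            widest = r  # remember the block reaching furthest, not just the previous one
    return overlaps


def container_to_host(r: SubIdRange, container_id: int) -> int:
    """Id N inside a container using block r appears on the host as start + N."""
    if not 0 <= container_id < r.count:
        raise ValueError(f"id {container_id} is outside the {r.count} ids owned by {r.user}")
    return r.start + container_id


# Constructed sample, not from a real host: lxd and alice hold adjacent blocks, bob's collides with alice's.
SAMPLE = "# username:start:count\nlxd:1000000:65536\nalice:1065536:65536\nbob:1100000:65536\n"
if __name__ == "__main__":
    for a, b in find_overlaps(parse_subid(SAMPLE)):
        print(f"collision: {a.user} {a.start}-{a.end} overlaps {b.user} {b.start}-{b.end}")
    print("uid 0 inside an lxd container is host uid", container_to_host(parse_subid(SAMPLE)[0], 0))
```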