I'm trying to implement LXC with mapped uid/gid (user namespace) under Libvirt on CentOS 7 with a full separate root mounted. Libvirt config snippet:
<idmap>
  <uid start='0' target='100000' count='65535'/>
  <gid start='0' target='100000' count='65535'/>
</idmap>
<filesystem type='mount' accessmode='passthrough'>
  <source dir='/var/lib/libvirt/lxc/test2'/>
  <target dir='/'/>
</filesystem>
I changed the ownership of the files / directories inside /var/lib/libvirt/lxc/test2 and the container itself works fine (just a test container with a bash script as /init running Apache and catching SIGTERM to stop Apache gracefully).
If I run ps aux, I see that the container apps are running under user ID 100000:
100000 7392 0.0 0.0 12476 2212 pts/0 Ss+ Feb17 0:20 /bin/sh /init
100000 7409 0.0 0.0 230408 3684 ? Ss Feb17 0:15 /usr/sbin/httpd
100048 7411 0.0 0.0 230544 3796 ? S Feb17 0:00 /usr/sbin/httpd
100048 7412 0.0 0.0 230544 3800 ? S Feb17 0:00 /usr/sbin/httpd
and I can see default Apache pages, so it's all good.
Now when I try to run virsh lxc-enter-namespace test2 /bin/bash, I get bash running under an unknown uid/gid inside the container:
bash-4.2$ id
uid=65534 gid=65534 groups=65534
On the host system I see it running as real root (uid/gid 0/0). Its /proc/$PID/uid_map is the same as for the httpd processes running in the container:
[root@lxctest ~]# cat /proc/21219/uid_map <- bash
0 100000 65535
[root@lxctest ~]# cat /proc/7413/uid_map <- apache
0 100000 65535
So the mapping seems to be working, but libvirt (virsh) starts the process as the wrong user. User 100000 does not exist in the host system, of course.
So does anyone know how to attach (enter the namespace) as user 100000 (container root)? Am I missing anything?
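As an added illustration of why the entered shell reports uid 65534 (example code, not part of the original post): the helper below applies /proc/PID/uid_map semantics to the single mapping line quoted above, assuming the kernel's default overflow uid of 65534 for ids that fall outside the map, and translates ids in both directions.

```python
"""Translate uids across a user namespace using /proc/<pid>/uid_map semantics.

Assumed here: the mapping "0 100000 65535" quoted in the post, and the
kernel's default overflow uid 65534 (/proc/sys/kernel/overflowuid) for
host ids that no line of the map covers.
"""
from typing import List, Optional, Tuple

OVERFLOW_UID = 65534  # assumed: stock kernel.overflowuid value ("nobody")

# Constructed sample: the uid_map contents shown in the post.
UID_MAP_TEXT = "         0     100000      65535\n"

UidMap = List[Tuple[int, int, int]]


def parse_uid_map(text: str) -> UidMap:
    """Parse uid_map lines into (inside_start, outside_start, count) triples."""
    entries: UidMap = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 3:
            continue  # skip blank or malformed lines
        inside, outside, count = (int(f) for f in fields)
        entries.append((inside, outside, count))
    return entries


def read_uid_map(pid: int) -> UidMap:
    """Read and parse the live map of a process (hypothetical helper, needs /proc)."""
    with open(f"/proc/{pid}/uid_map", encoding="ascii") as fh:
        return parse_uid_map(fh.read())


def host_to_container(host_uid: int, uid_map: UidMap) -> int:
    """How a host uid appears from inside the namespace.

    Host uid 0 lies outside 100000..165534, so it is shown as the overflow
    uid 65534, which is exactly what `id` prints for the virsh-started bash.
    """
    for inside, outside, count in uid_map:
        if outside <= host_uid < outside + count:
            return inside + (host_uid - outside)
    return OVERFLOW_UID


def container_to_host(container_uid: int, uid_map: UidMap) -> Optional[int]:
    """Which host uid a container uid really is; None if it is unmapped."""
    for inside, outside, count in uid_map:
        if inside <= container_uid < inside + count:
            return outside + (container_uid - inside)
    return None


if __name__ == "__main__":
    m = parse_uid_map(UID_MAP_TEXT)
    print("host uid 0 seen inside the container as", host_to_container(0, m))   # 65534
    print("container root (uid 0) is host uid", container_to_host(0, m))        # 100000
```

The same functions show that the httpd workers running as host uid 100048 are uid 48 inside the container, so the map itself is consistent with the ps output.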