
Re: Setting up bindfs mount in LXC container



On 18/01/23 16:38, Max Nikulin wrote:
> On 18/01/2023 03:52, Richard Hector wrote:
>> On 17/01/23 23:52, Max Nikulin wrote:
>>>
>>> lxc.idmap = u 0 100000 1000
>>> lxc.idmap = u 1000 1000 1
>>>
>>> lxc.mount.entry = /home/richard/sitename/doc_root srv/sitename/doc_root none bind,optional,create=dir
>>
>> My goal is not to map container users to host users, but to allow a container user (human user) to access a directory as another container user (non-human owner of files). This should also be doable for multiple human users for the same site.
>
> Do you mean mapping several users (human and service ones) from a single container to the same host UID? The approach I suggested works for 1:1 mapping. Another technique is group permissions and ACLs, but I would not call it straightforward. A user may create a file that belongs to the wrong group or is inaccessible by another user.

I'll use more detail :-)

I have a WordPress site. The directory /srv/sitename/doc_root, and most of the directories under it, are owned by user 'sitename'.

PHP runs as 'sitename-run', which has access (via group 'sitename') to read all of that, but not write it. Some subdirectories, e.g. .../doc_root/wp-content/uploads, are group-writeable so that it can save things there.

An authorised site maintainer, e.g. me ('richard') (but there may be any number of others), needs to be able to write under /srv/sitename, so I use bindfs to mount /srv/sitename under /home/richard/sitename, which presents it as owned by me, and translates the ownership back to 'sitename' when I write to it. So each human user sees the site as owned by them, but it's all mapped to 'sitename' on the fly.

These users I guess map to host users, but I'm not particularly interested in that ... actually I should care more, because it actually maps to a real but unrelated user id on the host, which could have bad implications - but I think that's a separate issue.

I'm not ignoring the rest of your message; I'll look at that separately :-)

Cheers,
Richard
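The concern raised above, that a container-side owner such as 'sitename' may land on a real but unrelated host UID, can be checked directly. The script below is an added example, not part of the thread: it resolves container UIDs through the two lxc.idmap lines quoted above and reports any that coincide with an account in the host's passwd database (the passwd sample is constructed; on a real host substitute the output of getent passwd).

```sh
#!/bin/sh
# Added example: resolve container UIDs through lxc.idmap and flag host collisions.

# The two lxc.idmap lines quoted in the thread, embedded so this runs offline.
IDMAP='u 0 100000 1000
u 1000 1000 1'

# Constructed sample of the host's /etc/passwd (assumption, not from the thread).
HOST_PASSWD='root:x:0:0:root:/root:/bin/sh
richard:x:1000:1000:Richard:/home/richard:/bin/sh
stale-svc:x:100033:100033:old service account:/nonexistent:/usr/sbin/nologin'

# idmap_host_uid CONTAINER_UID -> prints the host UID the kernel will use,
# or "unmapped" when no lxc.idmap range covers it.
idmap_host_uid() {
    cuid=$1
    result=$(printf '%s\n' "$IDMAP" | while read -r type ct_start host_start count; do
        [ "$type" = u ] || continue
        if [ "$cuid" -ge "$ct_start" ] && [ "$cuid" -lt $((ct_start + count)) ]; then
            echo $((host_start + cuid - ct_start))
            break
        fi
    done)
    echo "${result:-unmapped}"
}

# host_account HOST_UID -> prints the host login owning that UID, if any.
host_account() {
    printf '%s\n' "$HOST_PASSWD" | awk -F: -v uid="$1" '$3 == uid { print $1 }'
}

# check_container_uid CONTAINER_UID -> "unmapped", "ok:<host uid>" when the
# host UID has no account, or "shared:<login>" when a host account owns it.
check_container_uid() {
    huid=$(idmap_host_uid "$1")
    if [ "$huid" = unmapped ]; then
        echo unmapped
        return 0
    fi
    acct=$(host_account "$huid")
    if [ -n "$acct" ]; then
        echo "shared:$acct"
    else
        echo "ok:$huid"
    fi
}

# Walk a few container UIDs (constructed: www-data-like 33, 'richard' 1000, and one outside the map).
for cuid in 0 33 1000 1001; do
    echo "container uid $cuid -> $(check_container_uid "$cuid")"
done
```

A "shared:" result is expected only for the deliberate 1:1 entry (container 1000 to host 'richard'); any other shared line means files written through the bindfs mount are owned on the host by an account the container was never meant to touch.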
