Florian Weimer
2019-07-16 21:30:04 UTC
Package name : fuidshift
Version : 3.0
URL : https://github.com/lxc/lxd/tree/master/fuidshift
License : Apache 2.0
Programming Lang: Go
Description : remap a filesystem tree to shift one set of UID/GID
ranges to another
Fuidshift is useful for converting privileged containers to
unprivileged ones, and also to adapt a container master to multiple
users' authorised subuid and subgid ranges. It also sounds like it
might be useful for fixing up cases where --numeric-owner should have
been used, but where it would be too labour-intensive to manually chown.
https://github.com/BenSartor/unprivileged-lxc-containers
This tool lets you remap a filesystem tree, switching it from one
set of UID/GID ranges to another.
This is mostly useful when retrieving a wrongly shifted filesystem tree
from a backup or broken system and having to remap everything either to
the host UID/GID range (uid/gid 0 is root) or to an existing container's
range.
A range is represented as <u|b|g>:<first_container_id>:<first_host_id>:<size>.
Where "u" means shift uid, "g" means shift gid and "b" means shift
uid and gid.
https://github.com/lxc/lxd/blob/81b81b9ace3064c8065319f4e984378244587d80/fuidshift/main_shift.go#L26-L36
It's part of the LXD project, but I'm not sure if it's as difficult to
package as LXD itself, which is one reason why I've CCed the Go team.
I also wonder if the best way to get this into Debian would be a
src:lxd that produces bin:fuidshift.
How does this compare to (or interact with) newuidmap and newgidmap
from uidmap?
There's a push to force uidmap on everyone, with tight integration
into NSS. If there's a competing scheme, it would be helpful to know
about it.
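
The range syntax quoted in the message above, as an added Go example (not part of the original message and not LXD's own code): it parses `<u|b|g>:<first_container_id>:<first_host_id>:<size>` entries and maps a container ID to a host ID, rejecting malformed, empty and overflowing ranges. The names `Range`, `ParseRange` and `ToHost`, the sample range, and the container-to-host direction are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Range is one parsed <u|b|g>:<first_container_id>:<first_host_id>:<size> entry.
type Range struct {
	UID, GID              bool
	Container, Host, Size uint32
}

// ParseRange validates one range string (hypothetical helper, not LXD's API).
func ParseRange(s string) (Range, error) {
	f := strings.Split(s, ":")
	if len(f) != 4 || len(f[0]) != 1 || !strings.Contains("ubg", f[0]) {
		return Range{}, fmt.Errorf("bad range %q", s)
	}
	var n [3]uint32
	for i, p := range f[1:] {
		v, err := strconv.ParseUint(p, 10, 32) // rejects signs, junk, values >= 2^32
		if err != nil {
			return Range{}, fmt.Errorf("bad number %q in %q", p, s)
		}
		n[i] = uint32(v)
	}
	// Reject empty ranges and ranges that would wrap past the 32-bit ID space.
	if last := n[2] - 1; n[2] == 0 || n[0] > ^uint32(0)-last || n[1] > ^uint32(0)-last {
		return Range{}, fmt.Errorf("range %q is empty or overflows", s)
	}
	return Range{f[0] != "g", f[0] != "u", n[0], n[1], n[2]}, nil
}

// ToHost maps a container ID to its host ID; isUID picks uid or gid ranges.
func ToHost(rs []Range, id uint32, isUID bool) (uint32, error) {
	for _, r := range rs {
		applies := (isUID && r.UID) || (!isUID && r.GID)
		if applies && id >= r.Container && id-r.Container < r.Size {
			return r.Host + (id - r.Container), nil
		}
	}
	return 0, fmt.Errorf("id %d is not covered by any range", id)
}

func main() {
	r, _ := ParseRange("b:0:100000:65536") // constructed sample range
	fmt.Println(ToHost([]Range{r}, 1000, true))
}
```

An ID that no range covers is returned as an error instead of being passed through unchanged, so a file owned by an unmapped ID cannot silently keep a host-meaningful owner such as uid 0.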