| Server IP : 103.161.17.216 / Your IP : 216.73.216.1 Web Server : nginx/1.18.0 System : Linux tipsysaigoncharming 5.4.0-216-generic #236-Ubuntu SMP Fri Apr 11 19:53:21 UTC 2025 x86_64 User : www-data ( 33) PHP Version : 7.4.3-4ubuntu2.29 Disable Function : pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wifcontinued,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_get_handler,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,pcntl_async_signals,pcntl_unshare, MySQL : OFF | cURL : ON | WGET : ON | Perl : ON | Python : OFF | Sudo : ON | Pkexec : ON Directory : /snap/lxd/current/share/lxd-documentation/userns-idmap/ |
Upload File : |
<!doctype html>
<html class="no-js" lang="en" data-content_root="../">
<head><meta charset="utf-8">
<meta name="viewport" content="width=device-width,initial-scale=1">
<meta name="color-scheme" content="light dark"><meta name="viewport" content="width=device-width, initial-scale=1" />
<meta property="og:title" content="Idmaps for user namespace" />
<meta property="og:type" content="website" />
<meta property="og:url" content="/userns-idmap/" />
<meta property="og:site_name" content="LXD documentation" />
<meta property="og:description" content="LXD runs safe containers. This is achieved mostly through the use of user namespaces which make it possible to run containers unprivileged, greatly limiting the attack surface. User namespaces work..." />
<meta property="og:image" content="https://documentation.ubuntu.com/lxd/latest/_static/lxd_tag.png" />
<meta property="og:image:alt" content="LXD documentation" />
<meta name="description" content="LXD runs safe containers. This is achieved mostly through the use of user namespaces which make it possible to run containers unprivileged, greatly limiting the attack surface. User namespaces work..." />
<meta property="article:modified_time" content="2026-02-24T08:22:31+00:00" /><link rel="index" title="Index" href="../genindex/"><link rel="search" title="Search" href="../search/"><link rel="next" title="OVN implementation" href="../reference/ovn-internals/"><link rel="prev" title="System call interception" href="../syscall-interception/">
<link rel="canonical" href="/userns-idmap/">
<link rel="shortcut icon" href="../_static/favicon.ico"><!-- Generated with Sphinx 7.4.7 and Furo 2025.12.19 -->
<title>Idmaps for user namespace - LXD documentation</title>
<link rel="stylesheet" type="text/css" href="../_static/pygments.css?v=d111a655" />
<link rel="stylesheet" type="text/css" href="../_static/styles/furo.css?v=7bdb33bb" />
<link rel="stylesheet" type="text/css" href="../_static/copybutton.css?v=76b2166b" />
<link rel="stylesheet" type="text/css" href="../_static/config-options.css" />
<link rel="stylesheet" type="text/css" href="../_static/related-links.css" />
<link rel="stylesheet" type="text/css" href="../_static/terminal.css" />
<link rel="stylesheet" type="text/css" href="../_static/youtube.css" />
<link rel="stylesheet" type="text/css" href="../_static/sphinx-design.min.css?v=95c83b7e" />
<link rel="stylesheet" type="text/css" href="../_static/styles/furo-extensions.css?v=8dab3a3b" />
<link rel="stylesheet" type="text/css" href="../_static/lxd_custom.css?v=bfbf4da2" />
<link rel="stylesheet" type="text/css" href="../_static/cookie-banner.css?v=b74831ab" />
<link rel="stylesheet" type="text/css" href="../_static/custom.css?v=e189117a" />
<link rel="stylesheet" type="text/css" href="../_static/header.css?v=a8078839" />
<link rel="stylesheet" type="text/css" href="../_static/github_issue_links.css?v=3d761185" />
<link rel="stylesheet" type="text/css" href="../_static/furo_colors.css?v=825fec6f" />
</head>
<body>
<header id="header" class="p-navigation">
<!-- Google Tag Manager -->
<script>
(function(w, d, s, l, i) {
w[l] = w[l] || [];
w[l].push({
'gtm.start': new Date().getTime(),
event: 'gtm.js'
});
var f = d.getElementsByTagName(s)[0];
var j = d.createElement(s);
var dl = '';
if (l != 'dataLayer') {
dl = '&l=' + l;
}
j.async = true;
j.src = 'https://www.googletagmanager.com/gtm.js?id=' + i + dl;
f.parentNode.insertBefore(j, f);
})(window, document, 'script', 'dataLayer', 'GTM-KNX3CJC');
</script>
<div class="p-navigation__nav" role="menubar">
<ul class="p-navigation__links" role="menu">
<li>
<a class="p-logo" href="https://canonical.com/lxd" aria-current="page">
<img src="../_static/lxd_tag.png" alt="Logo" class="p-logo-image">
<div class="p-logo-text p-heading--4">LXD
</div>
</a>
</li>
<li class="nav-ubuntu-com">
<a href="https://canonical.com/lxd" class="p-navigation__link">canonical.com/lxd</a>
</li>
<li class="nav-dropdown">
<a href="#" class="p-navigation__link nav-more-links"
id="more-resources-toggle"
aria-haspopup="true"
aria-expanded="false">
More resources
</a>
<ul class="more-links-dropdown" aria-labelledby="more-resources-toggle">
<li>
<a href="https://discourse.ubuntu.com/c/lxd/" class="p-navigation__sub-link p-dropdown__link">Discourse</a>
</li>
<li>
<a href="https://matrix.to/#/#documentation:ubuntu.com" class="p-navigation__sub-link p-dropdown__link">Matrix</a>
</li>
<li>
<a href="https://github.com/canonical/lxd" class="p-navigation__sub-link p-dropdown__link">GitHub</a>
</li>
</ul>
</li>
</ul>
</div>
</header>
<script>
document.body.dataset.theme = localStorage.getItem("theme") || "auto";
</script>
<svg xmlns="http://www.w3.org/2000/svg" style="display: none;">
<symbol id="svg-toc" viewBox="0 0 24 24">
<title>Contents</title>
<svg stroke="currentColor" fill="currentColor" stroke-width="0" viewBox="0 0 1024 1024">
<path d="M408 442h480c4.4 0 8-3.6 8-8v-56c0-4.4-3.6-8-8-8H408c-4.4 0-8 3.6-8 8v56c0 4.4 3.6 8 8 8zm-8 204c0 4.4 3.6 8 8 8h480c4.4 0 8-3.6 8-8v-56c0-4.4-3.6-8-8-8H408c-4.4 0-8 3.6-8 8v56zm504-486H120c-4.4 0-8 3.6-8 8v56c0 4.4 3.6 8 8 8h784c4.4 0 8-3.6 8-8v-56c0-4.4-3.6-8-8-8zm0 632H120c-4.4 0-8 3.6-8 8v56c0 4.4 3.6 8 8 8h784c4.4 0 8-3.6 8-8v-56c0-4.4-3.6-8-8-8zM115.4 518.9L271.7 642c5.8 4.6 14.4.5 14.4-6.9V388.9c0-7.4-8.5-11.5-14.4-6.9L115.4 505.1a8.74 8.74 0 0 0 0 13.8z"/>
</svg>
</symbol>
<symbol id="svg-menu" viewBox="0 0 24 24">
<title>Menu</title>
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24" fill="none" stroke="currentColor"
stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="feather-menu">
<line x1="3" y1="12" x2="21" y2="12"></line>
<line x1="3" y1="6" x2="21" y2="6"></line>
<line x1="3" y1="18" x2="21" y2="18"></line>
</svg>
</symbol>
<symbol id="svg-arrow-right" viewBox="0 0 24 24">
<title>Expand</title>
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24" fill="none" stroke="currentColor"
stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="feather-chevron-right">
<polyline points="9 18 15 12 9 6"></polyline>
</svg>
</symbol>
<symbol id="svg-sun" viewBox="0 0 24 24">
<title>Light mode</title>
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24" fill="none" stroke="currentColor"
stroke-width="1" stroke-linecap="round" stroke-linejoin="round" class="feather-sun">
<circle cx="12" cy="12" r="5"></circle>
<line x1="12" y1="1" x2="12" y2="3"></line>
<line x1="12" y1="21" x2="12" y2="23"></line>
<line x1="4.22" y1="4.22" x2="5.64" y2="5.64"></line>
<line x1="18.36" y1="18.36" x2="19.78" y2="19.78"></line>
<line x1="1" y1="12" x2="3" y2="12"></line>
<line x1="21" y1="12" x2="23" y2="12"></line>
<line x1="4.22" y1="19.78" x2="5.64" y2="18.36"></line>
<line x1="18.36" y1="5.64" x2="19.78" y2="4.22"></line>
</svg>
</symbol>
<symbol id="svg-moon" viewBox="0 0 24 24">
<title>Dark mode</title>
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24" fill="none" stroke="currentColor"
stroke-width="1" stroke-linecap="round" stroke-linejoin="round" class="icon-tabler-moon">
<path stroke="none" d="M0 0h24v24H0z" fill="none" />
<path d="M12 3c.132 0 .263 0 .393 0a7.5 7.5 0 0 0 7.92 12.446a9 9 0 1 1 -8.313 -12.454z" />
</svg>
</symbol>
<symbol id="svg-sun-with-moon" viewBox="0 0 24 24">
<title>Auto light/dark, in light mode</title>
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24" fill="none" stroke="currentColor"
stroke-width="1" stroke-linecap="round" stroke-linejoin="round"
class="icon-custom-derived-from-feather-sun-and-tabler-moon">
<path style="opacity: 50%" d="M 5.411 14.504 C 5.471 14.504 5.532 14.504 5.591 14.504 C 3.639 16.319 4.383 19.569 6.931 20.352 C 7.693 20.586 8.512 20.551 9.25 20.252 C 8.023 23.207 4.056 23.725 2.11 21.184 C 0.166 18.642 1.702 14.949 4.874 14.536 C 5.051 14.512 5.231 14.5 5.411 14.5 L 5.411 14.504 Z"/>
<line x1="14.5" y1="3.25" x2="14.5" y2="1.25"/>
<line x1="14.5" y1="15.85" x2="14.5" y2="17.85"/>
<line x1="10.044" y1="5.094" x2="8.63" y2="3.68"/>
<line x1="19" y1="14.05" x2="20.414" y2="15.464"/>
<line x1="8.2" y1="9.55" x2="6.2" y2="9.55"/>
<line x1="20.8" y1="9.55" x2="22.8" y2="9.55"/>
<line x1="10.044" y1="14.006" x2="8.63" y2="15.42"/>
<line x1="19" y1="5.05" x2="20.414" y2="3.636"/>
<circle cx="14.5" cy="9.55" r="3.6"/>
</svg>
</symbol>
<symbol id="svg-moon-with-sun" viewBox="0 0 24 24">
<title>Auto light/dark, in dark mode</title>
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24" fill="none" stroke="currentColor"
stroke-width="1" stroke-linecap="round" stroke-linejoin="round"
class="icon-custom-derived-from-feather-sun-and-tabler-moon">
<path d="M 8.282 7.007 C 8.385 7.007 8.494 7.007 8.595 7.007 C 5.18 10.184 6.481 15.869 10.942 17.24 C 12.275 17.648 13.706 17.589 15 17.066 C 12.851 22.236 5.91 23.143 2.505 18.696 C -0.897 14.249 1.791 7.786 7.342 7.063 C 7.652 7.021 7.965 7 8.282 7 L 8.282 7.007 Z"/>
<line style="opacity: 50%" x1="18" y1="3.705" x2="18" y2="2.5"/>
<line style="opacity: 50%" x1="18" y1="11.295" x2="18" y2="12.5"/>
<line style="opacity: 50%" x1="15.316" y1="4.816" x2="14.464" y2="3.964"/>
<line style="opacity: 50%" x1="20.711" y1="10.212" x2="21.563" y2="11.063"/>
<line style="opacity: 50%" x1="14.205" y1="7.5" x2="13.001" y2="7.5"/>
<line style="opacity: 50%" x1="21.795" y1="7.5" x2="23" y2="7.5"/>
<line style="opacity: 50%" x1="15.316" y1="10.184" x2="14.464" y2="11.036"/>
<line style="opacity: 50%" x1="20.711" y1="4.789" x2="21.563" y2="3.937"/>
<circle style="opacity: 50%" cx="18" cy="7.5" r="2.169"/>
</svg>
</symbol>
<symbol id="svg-pencil" viewBox="0 0 24 24">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24" fill="none" stroke="currentColor"
stroke-width="1" stroke-linecap="round" stroke-linejoin="round" class="icon-tabler-pencil-code">
<path d="M4 20h4l10.5 -10.5a2.828 2.828 0 1 0 -4 -4l-10.5 10.5v4" />
<path d="M13.5 6.5l4 4" />
<path d="M20 21l2 -2l-2 -2" />
<path d="M17 17l-2 2l2 2" />
</svg>
</symbol>
<symbol id="svg-eye" viewBox="0 0 24 24">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24" fill="none" stroke="currentColor"
stroke-width="1" stroke-linecap="round" stroke-linejoin="round" class="icon-tabler-eye-code">
<path stroke="none" d="M0 0h24v24H0z" fill="none" />
<path d="M10 12a2 2 0 1 0 4 0a2 2 0 0 0 -4 0" />
<path
d="M11.11 17.958c-3.209 -.307 -5.91 -2.293 -8.11 -5.958c2.4 -4 5.4 -6 9 -6c3.6 0 6.6 2 9 6c-.21 .352 -.427 .688 -.647 1.008" />
<path d="M20 21l2 -2l-2 -2" />
<path d="M17 17l-2 2l2 2" />
</svg>
</symbol>
</svg>
<input type="checkbox" class="sidebar-toggle" name="__navigation" id="__navigation" aria-label="Toggle site navigation sidebar">
<input type="checkbox" class="sidebar-toggle" name="__toc" id="__toc" aria-label="Toggle table of contents sidebar">
<label class="overlay sidebar-overlay" for="__navigation"></label>
<label class="overlay toc-overlay" for="__toc"></label>
<a class="skip-to-content muted-link" href="#furo-main-content">Skip to content</a>
<div class="page">
<header class="mobile-header">
<div class="header-left">
<label class="nav-overlay-icon" for="__navigation">
<span class="icon"><svg><use href="#svg-menu"></use></svg></span>
</label>
</div>
<div class="header-center">
<a href="../"><div class="brand">LXD documentation</div></a>
</div>
<div class="header-right">
<div class="theme-toggle-container theme-toggle-header">
<button class="theme-toggle" aria-label="Toggle Light / Dark / Auto color theme">
<svg class="theme-icon-when-auto-light"><use href="#svg-sun-with-moon"></use></svg>
<svg class="theme-icon-when-auto-dark"><use href="#svg-moon-with-sun"></use></svg>
<svg class="theme-icon-when-dark"><use href="#svg-moon"></use></svg>
<svg class="theme-icon-when-light"><use href="#svg-sun"></use></svg>
</button>
</div>
<label class="toc-overlay-icon toc-header-icon" for="__toc">
<span class="icon"><svg><use href="#svg-toc"></use></svg></span>
</label>
</div>
</header>
<aside class="sidebar-drawer">
<div class="sidebar-container">
<div class="sidebar-sticky"><a class="sidebar-brand" href="../">
<span class="sidebar-brand-text">LXD documentation</span>
</a><form class="sidebar-search-container" method="get" action="../search/" role="search">
<input class="sidebar-search" placeholder="Search" name="q" aria-label="Search">
<input type="submit" value="Go">
<input type="hidden" name="check_keywords" value="yes">
<input type="hidden" name="area" value="default">
</form>
<div id="searchbox"></div><div class="sidebar-scroll"><div class="sidebar-tree">
<ul class="current">
<li class="toctree-l1"><a class="reference internal" href="../">LXD</a></li>
<li class="toctree-l1"><a class="reference internal" href="../tutorial/first_steps/">Tutorial</a></li>
<li class="toctree-l1 has-children"><a class="reference internal" href="../howto/">How-to guides</a><input aria-label="Toggle navigation of How-to guides" class="toctree-checkbox" id="toctree-checkbox-1" name="toctree-checkbox-1" role="switch" type="checkbox"/><label for="toctree-checkbox-1"><span class="icon"><svg><use href="#svg-arrow-right"></use></svg></span></label><ul>
<li class="toctree-l2 has-children"><a class="reference internal" href="../getting_started/">Getting started</a><input aria-label="Toggle navigation of Getting started" class="toctree-checkbox" id="toctree-checkbox-2" name="toctree-checkbox-2" role="switch" type="checkbox"/><label for="toctree-checkbox-2"><span class="icon"><svg><use href="#svg-arrow-right"></use></svg></span></label><ul>
<li class="toctree-l3"><a class="reference internal" href="../installing/">Install LXD</a></li>
<li class="toctree-l3"><a class="reference internal" href="../howto/initialize/">Initialize LXD</a></li>
<li class="toctree-l3"><a class="reference internal" href="../howto/access_ui/">Access the UI</a></li>
<li class="toctree-l3"><a class="reference internal" href="../howto/access_documentation/">Access documentation locally</a></li>
</ul>
</li>
<li class="toctree-l2 has-children"><a class="reference internal" href="../operation/">LXD server and client</a><input aria-label="Toggle navigation of LXD server and client" class="toctree-checkbox" id="toctree-checkbox-3" name="toctree-checkbox-3" role="switch" type="checkbox"/><label for="toctree-checkbox-3"><span class="icon"><svg><use href="#svg-arrow-right"></use></svg></span></label><ul>
<li class="toctree-l3"><a class="reference internal" href="../howto/server_expose/">Expose LXD to the network</a></li>
<li class="toctree-l3"><a class="reference internal" href="../howto/server_configure/">Configure the LXD server</a></li>
<li class="toctree-l3 has-children"><a class="reference internal" href="../howto/oidc/">Configure single sign-on with OIDC</a><input aria-label="Toggle navigation of Configure single sign-on with OIDC" class="toctree-checkbox" id="toctree-checkbox-4" name="toctree-checkbox-4" role="switch" type="checkbox"/><label for="toctree-checkbox-4"><span class="icon"><svg><use href="#svg-arrow-right"></use></svg></span></label><ul>
<li class="toctree-l4"><a class="reference internal" href="../howto/oidc_auth0/">How to configure Auth0</a></li>
<li class="toctree-l4"><a class="reference internal" href="../howto/oidc_ory/">How to configure Ory Hydra</a></li>
<li class="toctree-l4"><a class="reference internal" href="../howto/oidc_keycloak/">How to configure Keycloak</a></li>
<li class="toctree-l4"><a class="reference internal" href="../howto/oidc_entra_id/">How to configure Entra ID</a></li>
</ul>
</li>
<li class="toctree-l3"><a class="reference internal" href="../remotes/">Add remote servers</a></li>
<li class="toctree-l3"><a class="reference internal" href="../howto/lxc_alias/">Add command aliases</a></li>
</ul>
</li>
<li class="toctree-l2 has-children"><a class="reference internal" href="../instances/">Instances</a><input aria-label="Toggle navigation of Instances" class="toctree-checkbox" id="toctree-checkbox-5" name="toctree-checkbox-5" role="switch" type="checkbox"/><label for="toctree-checkbox-5"><span class="icon"><svg><use href="#svg-arrow-right"></use></svg></span></label><ul>
<li class="toctree-l3"><a class="reference internal" href="../howto/instances_create/">Create instances</a></li>
<li class="toctree-l3"><a class="reference internal" href="../howto/instances_configure/">Configure instances</a></li>
<li class="toctree-l3"><a class="reference internal" href="../howto/instances_manage/">Manage instances</a></li>
<li class="toctree-l3"><a class="reference internal" href="../profiles/">Use profiles</a></li>
<li class="toctree-l3"><a class="reference internal" href="../howto/instances_troubleshoot/">Troubleshoot errors</a></li>
<li class="toctree-l3"><a class="reference internal" href="../howto/instances_ubuntu_pro_attach/">Auto attach Ubuntu Pro</a></li>
<li class="toctree-l3"><a class="reference internal" href="../howto/instances_access_files/">Access files</a></li>
<li class="toctree-l3"><a class="reference internal" href="../howto/instances_console/">Access the console</a></li>
<li class="toctree-l3"><a class="reference internal" href="../instance-exec/">Run commands</a></li>
<li class="toctree-l3"><a class="reference internal" href="../cloud-init/">Use cloud-init</a></li>
<li class="toctree-l3"><a class="reference internal" href="../howto/instances_routed_nic_vm/">Add a routed NIC to a VM</a></li>
<li class="toctree-l3"><a class="reference internal" href="../howto/instances_backup/">Back up instances</a></li>
<li class="toctree-l3"><a class="reference internal" href="../howto/instances_migrate/">Migrate instances</a></li>
<li class="toctree-l3"><a class="reference internal" href="../howto/import_machines_to_instances/">Import existing machines</a></li>
<li class="toctree-l3"><a class="reference internal" href="../howto/container_gpu_passthrough_with_docker/">Pass NVIDIA GPUs</a></li>
</ul>
</li>
<li class="toctree-l2 has-children"><a class="reference internal" href="../images/">Images</a><input aria-label="Toggle navigation of Images" class="toctree-checkbox" id="toctree-checkbox-6" name="toctree-checkbox-6" role="switch" type="checkbox"/><label for="toctree-checkbox-6"><span class="icon"><svg><use href="#svg-arrow-right"></use></svg></span></label><ul>
<li class="toctree-l3"><a class="reference internal" href="../howto/images_remote/">Use remote images</a></li>
<li class="toctree-l3"><a class="reference internal" href="../howto/images_manage/">Manage images</a></li>
<li class="toctree-l3"><a class="reference internal" href="../howto/images_profiles/">Associate profiles</a></li>
<li class="toctree-l3"><a class="reference internal" href="../howto/images_copy/">Copy and import images</a></li>
<li class="toctree-l3"><a class="reference internal" href="../howto/images_create/">Create images</a></li>
</ul>
</li>
<li class="toctree-l2 has-children"><a class="reference internal" href="../projects/">Projects</a><input aria-label="Toggle navigation of Projects" class="toctree-checkbox" id="toctree-checkbox-7" name="toctree-checkbox-7" role="switch" type="checkbox"/><label for="toctree-checkbox-7"><span class="icon"><svg><use href="#svg-arrow-right"></use></svg></span></label><ul>
<li class="toctree-l3"><a class="reference internal" href="../howto/projects_create/">Create and configure</a></li>
<li class="toctree-l3"><a class="reference internal" href="../howto/projects_work/">Work with projects</a></li>
<li class="toctree-l3"><a class="reference internal" href="../howto/projects_confine/">Confine users to projects</a></li>
</ul>
</li>
<li class="toctree-l2 has-children"><a class="reference internal" href="../storage/">Storage</a><input aria-label="Toggle navigation of Storage" class="toctree-checkbox" id="toctree-checkbox-8" name="toctree-checkbox-8" role="switch" type="checkbox"/><label for="toctree-checkbox-8"><span class="icon"><svg><use href="#svg-arrow-right"></use></svg></span></label><ul>
<li class="toctree-l3"><a class="reference internal" href="../howto/storage_pools/">Manage pools</a></li>
<li class="toctree-l3"><a class="reference internal" href="../howto/storage_volumes/">Manage volumes</a></li>
<li class="toctree-l3"><a class="reference internal" href="../howto/storage_buckets/">Manage buckets</a></li>
<li class="toctree-l3"><a class="reference internal" href="../howto/storage_create_instance/">Create an instance in a pool</a></li>
<li class="toctree-l3"><a class="reference internal" href="../howto/storage_backup_volume/">Back up a volume</a></li>
<li class="toctree-l3"><a class="reference internal" href="../howto/storage_move_volume/">Move or copy a volume</a></li>
<li class="toctree-l3"><a class="reference internal" href="../howto/storage_csi/">Use the LXD CSI driver with Kubernetes</a></li>
</ul>
</li>
<li class="toctree-l2 has-children"><a class="reference internal" href="../networks/">Networking</a><input aria-label="Toggle navigation of Networking" class="toctree-checkbox" id="toctree-checkbox-9" name="toctree-checkbox-9" role="switch" type="checkbox"/><label for="toctree-checkbox-9"><span class="icon"><svg><use href="#svg-arrow-right"></use></svg></span></label><ul>
<li class="toctree-l3"><a class="reference internal" href="../howto/network_create/">Create a network</a></li>
<li class="toctree-l3"><a class="reference internal" href="../howto/network_configure/">Configure a network</a></li>
<li class="toctree-l3"><a class="reference internal" href="../howto/network_bgp/">Configure as BGP server</a></li>
<li class="toctree-l3"><a class="reference internal" href="../howto/network_acls/">Configure network ACLs</a></li>
<li class="toctree-l3"><a class="reference internal" href="../howto/network_forwards/">Configure forwards</a></li>
<li class="toctree-l3"><a class="reference internal" href="../howto/network_zones/">Configure network zones</a></li>
<li class="toctree-l3"><a class="reference internal" href="../howto/network_bridge_firewalld/">Configure your firewall</a></li>
<li class="toctree-l3"><a class="reference internal" href="../howto/network_bridge_resolved/">Integrate with resolved</a></li>
<li class="toctree-l3"><a class="reference internal" href="../howto/network_ovn_setup/">Set up OVN</a></li>
<li class="toctree-l3"><a class="reference internal" href="../howto/network_load_balancers/">Configure load balancers</a></li>
<li class="toctree-l3"><a class="reference internal" href="../howto/network_ovn_peers/">Configure peer routing</a></li>
<li class="toctree-l3"><a class="reference internal" href="../howto/network_ipam/">Display IPAM information</a></li>
</ul>
</li>
<li class="toctree-l2 has-children"><a class="reference internal" href="../clustering/">Clustering</a><input aria-label="Toggle navigation of Clustering" class="toctree-checkbox" id="toctree-checkbox-10" name="toctree-checkbox-10" role="switch" type="checkbox"/><label for="toctree-checkbox-10"><span class="icon"><svg><use href="#svg-arrow-right"></use></svg></span></label><ul>
<li class="toctree-l3"><a class="reference internal" href="../howto/cluster_form/">Form a cluster</a></li>
<li class="toctree-l3"><a class="reference internal" href="../howto/cluster_manage/">Manage a cluster</a></li>
<li class="toctree-l3"><a class="reference internal" href="../howto/cluster_config_networks/">Configure networks</a></li>
<li class="toctree-l3"><a class="reference internal" href="../howto/cluster_config_storage/">Configure storage</a></li>
<li class="toctree-l3"><a class="reference internal" href="../howto/cluster_manage_instance/">Manage instances</a></li>
<li class="toctree-l3"><a class="reference internal" href="../howto/cluster_groups/">Set up cluster groups</a></li>
<li class="toctree-l3"><a class="reference internal" href="../howto/cluster_placement_groups/">Use placement groups</a></li>
<li class="toctree-l3"><a class="reference internal" href="../howto/cluster_recover/">Recover a cluster</a></li>
<li class="toctree-l3"><a class="reference internal" href="../howto/cluster_vip/">Set up a highly available virtual IP</a></li>
</ul>
</li>
<li class="toctree-l2 has-children"><a class="reference internal" href="../production-setup/">Production setup</a><input aria-label="Toggle navigation of Production setup" class="toctree-checkbox" id="toctree-checkbox-11" name="toctree-checkbox-11" role="switch" type="checkbox"/><label for="toctree-checkbox-11"><span class="icon"><svg><use href="#svg-arrow-right"></use></svg></span></label><ul>
<li class="toctree-l3"><a class="reference internal" href="../howto/benchmark_performance/">Benchmark performance</a></li>
<li class="toctree-l3"><a class="reference internal" href="../howto/network_increase_bandwidth/">Increase bandwidth</a></li>
<li class="toctree-l3"><a class="reference internal" href="../metrics/">Monitor metrics</a></li>
<li class="toctree-l3"><a class="reference internal" href="../howto/logs_loki/">Send logs to Loki</a></li>
<li class="toctree-l3"><a class="reference internal" href="../howto/grafana/">Set up Grafana</a></li>
<li class="toctree-l3"><a class="reference internal" href="../backup/">Back up a server</a></li>
<li class="toctree-l3"><a class="reference internal" href="../howto/disaster_recovery/">Recover instances</a></li>
<li class="toctree-l3"><a class="reference internal" href="../howto/disaster_recovery_replication/">Disaster recovery with storage replication</a></li>
</ul>
</li>
<li class="toctree-l2"><a class="reference internal" href="../howto/snap/">Manage the snap</a></li>
<li class="toctree-l2"><a class="reference internal" href="../howto/security_harden/">Harden security</a></li>
<li class="toctree-l2 has-children"><a class="reference internal" href="../howto/troubleshoot/">Troubleshooting</a><input aria-label="Toggle navigation of Troubleshooting" class="toctree-checkbox" id="toctree-checkbox-12" name="toctree-checkbox-12" role="switch" type="checkbox"/><label for="toctree-checkbox-12"><span class="icon"><svg><use href="#svg-arrow-right"></use></svg></span></label><ul>
<li class="toctree-l3"><a class="reference internal" href="../howto/network_bridge_firewalld/">Configure your firewall</a></li>
<li class="toctree-l3"><a class="reference internal" href="../howto/instances_troubleshoot/">Troubleshoot instances</a></li>
<li class="toctree-l3"><a class="reference internal" href="../howto/dqlite_troubleshoot/">Troubleshoot Dqlite</a></li>
<li class="toctree-l3"><a class="reference internal" href="../debugging/">Debug LXD</a></li>
<li class="toctree-l3"><a class="reference internal" href="../faq/">Frequently asked</a></li>
</ul>
</li>
<li class="toctree-l2"><a class="reference internal" href="../support/">Get support</a></li>
<li class="toctree-l2"><a class="reference internal" href="../contributing/">Contribute to LXD</a></li>
<li class="toctree-l2"><a class="reference internal" href="../howto/auth_bearer/">How to authenticate to the LXD API using bearer tokens</a></li>
<li class="toctree-l2"><a class="reference internal" href="../howto/devlxd_authenticate/">How to authenticate to the DevLXD API</a></li>
</ul>
</li>
<li class="toctree-l1 has-children"><a class="reference internal" href="../explanation/">Explanation</a><input aria-label="Toggle navigation of Explanation" class="toctree-checkbox" id="toctree-checkbox-13" name="toctree-checkbox-13" role="switch" type="checkbox"/><label for="toctree-checkbox-13"><span class="icon"><svg><use href="#svg-arrow-right"></use></svg></span></label><ul>
<li class="toctree-l2"><a class="reference internal" href="../explanation/lxd_lxc/"><code class="docutils literal notranslate"><span class="pre">lxd</span></code> and <code class="docutils literal notranslate"><span class="pre">lxc</span></code></a></li>
<li class="toctree-l2"><a class="reference internal" href="../explanation/instances/">Containers and VMs</a></li>
<li class="toctree-l2"><a class="reference internal" href="../image-handling/">Local and remote images</a></li>
<li class="toctree-l2"><a class="reference internal" href="../explanation/storage/">Storage pools, volumes, and buckets</a></li>
<li class="toctree-l2"><a class="reference internal" href="../explanation/networks/">Networking setups</a></li>
<li class="toctree-l2"><a class="reference internal" href="../database/">The LXD Dqlite database</a></li>
<li class="toctree-l2"><a class="reference internal" href="../explanation/lxc_show_info/"><code class="docutils literal notranslate"><span class="pre">lxc</span></code> <code class="docutils literal notranslate"><span class="pre">show</span></code> and <code class="docutils literal notranslate"><span class="pre">info</span></code></a></li>
<li class="toctree-l2"><a class="reference internal" href="../authentication/">Remote API authentication</a></li>
<li class="toctree-l2"><a class="reference internal" href="../explanation/authorization/">Remote API authorization</a></li>
<li class="toctree-l2"><a class="reference internal" href="../explanation/projects/">Instances grouping with projects</a></li>
<li class="toctree-l2"><a class="reference internal" href="../explanation/clusters/">Clusters</a></li>
<li class="toctree-l2"><a class="reference internal" href="../explanation/performance_tuning/">Performance tuning</a></li>
<li class="toctree-l2"><a class="reference internal" href="../explanation/security/">Security</a></li>
<li class="toctree-l2"><a class="reference internal" href="../explanation/bpf/">Privilege delegation using BPF Token</a></li>
<li class="toctree-l2"><a class="reference internal" href="../explanation/csi/">The LXD CSI driver</a></li>
</ul>
</li>
<li class="toctree-l1 current has-children"><a class="reference internal" href="../reference/">Reference</a><input aria-label="Toggle navigation of Reference" checked="" class="toctree-checkbox" id="toctree-checkbox-14" name="toctree-checkbox-14" role="switch" type="checkbox"/><label for="toctree-checkbox-14"><span class="icon"><svg><use href="#svg-arrow-right"></use></svg></span></label><ul class="current">
<li class="toctree-l2"><a class="reference internal" href="../requirements/">Requirements</a></li>
<li class="toctree-l2"><a class="reference internal" href="../architectures/">Architectures</a></li>
<li class="toctree-l2 has-children"><a class="reference internal" href="../reference/release-notes/">Release notes</a><input aria-label="Toggle navigation of Release notes" class="toctree-checkbox" id="toctree-checkbox-15" name="toctree-checkbox-15" role="switch" type="checkbox"/><label for="toctree-checkbox-15"><span class="icon"><svg><use href="#svg-arrow-right"></use></svg></span></label><ul>
<li class="toctree-l3"><a class="reference internal" href="../reference/release-notes/release-notes-6.7/">LXD 6.7</a></li>
<li class="toctree-l3"><a class="reference internal" href="../reference/release-notes/release-notes-6.6/">LXD 6.6</a></li>
</ul>
</li>
<li class="toctree-l2"><a class="reference internal" href="../reference/releases-snap/">Releases and snap</a></li>
<li class="toctree-l2"><a class="reference internal" href="../reference/remote_image_servers/">Remote image servers</a></li>
<li class="toctree-l2"><a class="reference internal" href="../reference/image_format/">Image format</a></li>
<li class="toctree-l2"><a class="reference internal" href="../guest-os-compatibility/">Guest OS compatibility</a></li>
<li class="toctree-l2"><a class="reference internal" href="../container-environment/">Container environment</a></li>
<li class="toctree-l2"><a class="reference internal" href="../config-options/">Configuration option index</a></li>
<li class="toctree-l2"><a class="reference internal" href="../server/">Server configuration</a></li>
<li class="toctree-l2 has-children"><a class="reference internal" href="../explanation/instance_config/">Instance configuration</a><input aria-label="Toggle navigation of Instance configuration" class="toctree-checkbox" id="toctree-checkbox-16" name="toctree-checkbox-16" role="switch" type="checkbox"/><label for="toctree-checkbox-16"><span class="icon"><svg><use href="#svg-arrow-right"></use></svg></span></label><ul>
<li class="toctree-l3"><a class="reference internal" href="../reference/instance_properties/">Instance properties</a></li>
<li class="toctree-l3"><a class="reference internal" href="../reference/instance_options/">Instance options</a></li>
<li class="toctree-l3 has-children"><a class="reference internal" href="../reference/devices/">Devices</a><input aria-label="Toggle navigation of Devices" class="toctree-checkbox" id="toctree-checkbox-17" name="toctree-checkbox-17" role="switch" type="checkbox"/><label for="toctree-checkbox-17"><span class="icon"><svg><use href="#svg-arrow-right"></use></svg></span></label><ul>
<li class="toctree-l4"><a class="reference internal" href="../reference/standard_devices/">Standard devices</a></li>
<li class="toctree-l4"><a class="reference internal" href="../reference/devices_none/">Type: <code class="docutils literal notranslate"><span class="pre">none</span></code></a></li>
<li class="toctree-l4"><a class="reference internal" href="../reference/devices_nic/">Type: <code class="docutils literal notranslate"><span class="pre">nic</span></code></a></li>
<li class="toctree-l4"><a class="reference internal" href="../reference/devices_disk/">Type: <code class="docutils literal notranslate"><span class="pre">disk</span></code></a></li>
<li class="toctree-l4"><a class="reference internal" href="../reference/devices_unix_char/">Type: <code class="docutils literal notranslate"><span class="pre">unix-char</span></code></a></li>
<li class="toctree-l4"><a class="reference internal" href="../reference/devices_unix_block/">Type: <code class="docutils literal notranslate"><span class="pre">unix-block</span></code></a></li>
<li class="toctree-l4"><a class="reference internal" href="../reference/devices_usb/">Type: <code class="docutils literal notranslate"><span class="pre">usb</span></code></a></li>
<li class="toctree-l4"><a class="reference internal" href="../reference/devices_gpu/">Type: <code class="docutils literal notranslate"><span class="pre">gpu</span></code></a></li>
<li class="toctree-l4"><a class="reference internal" href="../reference/devices_infiniband/">Type: <code class="docutils literal notranslate"><span class="pre">infiniband</span></code></a></li>
<li class="toctree-l4"><a class="reference internal" href="../reference/devices_proxy/">Type: <code class="docutils literal notranslate"><span class="pre">proxy</span></code></a></li>
<li class="toctree-l4"><a class="reference internal" href="../reference/devices_unix_hotplug/">Type: <code class="docutils literal notranslate"><span class="pre">unix-hotplug</span></code></a></li>
<li class="toctree-l4"><a class="reference internal" href="../reference/devices_tpm/">Type: <code class="docutils literal notranslate"><span class="pre">tpm</span></code></a></li>
<li class="toctree-l4"><a class="reference internal" href="../reference/devices_pci/">Type: <code class="docutils literal notranslate"><span class="pre">pci</span></code></a></li>
</ul>
</li>
<li class="toctree-l3"><a class="reference internal" href="../reference/instance_units/">Units for storage and network limits</a></li>
</ul>
</li>
<li class="toctree-l2"><a class="reference internal" href="../reference/preseed_yaml_fields/">Preseed YAML file fields</a></li>
<li class="toctree-l2"><a class="reference internal" href="../reference/projects/">Project configuration</a></li>
<li class="toctree-l2 has-children"><a class="reference internal" href="../reference/storage_drivers/">Storage drivers</a><input aria-label="Toggle navigation of Storage drivers" class="toctree-checkbox" id="toctree-checkbox-18" name="toctree-checkbox-18" role="switch" type="checkbox"/><label for="toctree-checkbox-18"><span class="icon"><svg><use href="#svg-arrow-right"></use></svg></span></label><ul>
<li class="toctree-l3"><a class="reference internal" href="../reference/storage_dir/">Directory - <code class="docutils literal notranslate"><span class="pre">dir</span></code></a></li>
<li class="toctree-l3"><a class="reference internal" href="../reference/storage_btrfs/">Btrfs - <code class="docutils literal notranslate"><span class="pre">btrfs</span></code></a></li>
<li class="toctree-l3"><a class="reference internal" href="../reference/storage_lvm/">LVM - <code class="docutils literal notranslate"><span class="pre">lvm</span></code></a></li>
<li class="toctree-l3"><a class="reference internal" href="../reference/storage_zfs/">ZFS - <code class="docutils literal notranslate"><span class="pre">zfs</span></code></a></li>
<li class="toctree-l3"><a class="reference internal" href="../reference/storage_ceph/">Ceph RBD - <code class="docutils literal notranslate"><span class="pre">ceph</span></code></a></li>
<li class="toctree-l3"><a class="reference internal" href="../reference/storage_powerflex/">Dell PowerFlex - <code class="docutils literal notranslate"><span class="pre">powerflex</span></code></a></li>
<li class="toctree-l3"><a class="reference internal" href="../reference/storage_pure/">Pure Storage - <code class="docutils literal notranslate"><span class="pre">pure</span></code></a></li>
<li class="toctree-l3"><a class="reference internal" href="../reference/storage_alletra/">HPE Alletra - <code class="docutils literal notranslate"><span class="pre">alletra</span></code></a></li>
<li class="toctree-l3"><a class="reference internal" href="../reference/storage_cephfs/">CephFS - <code class="docutils literal notranslate"><span class="pre">cephfs</span></code></a></li>
<li class="toctree-l3"><a class="reference internal" href="../reference/storage_cephobject/">Ceph Object - <code class="docutils literal notranslate"><span class="pre">cephobject</span></code></a></li>
</ul>
</li>
<li class="toctree-l2 has-children"><a class="reference internal" href="../reference/networks/">Networks</a><input aria-label="Toggle navigation of Networks" class="toctree-checkbox" id="toctree-checkbox-19" name="toctree-checkbox-19" role="switch" type="checkbox"/><label for="toctree-checkbox-19"><span class="icon"><svg><use href="#svg-arrow-right"></use></svg></span></label><ul>
<li class="toctree-l3"><a class="reference internal" href="../reference/network_bridge/">Bridge network</a></li>
<li class="toctree-l3"><a class="reference internal" href="../reference/network_ovn/">OVN network</a></li>
<li class="toctree-l3"><a class="reference internal" href="../reference/network_macvlan/">Macvlan network</a></li>
<li class="toctree-l3"><a class="reference internal" href="../reference/network_physical/">Physical network</a></li>
<li class="toctree-l3"><a class="reference internal" href="../reference/network_sriov/">SR-IOV network</a></li>
</ul>
</li>
<li class="toctree-l2"><a class="reference internal" href="../reference/cluster_member_config/">Cluster configuration</a></li>
<li class="toctree-l2"><a class="reference internal" href="../reference/placement_groups/">Placement group configuration</a></li>
<li class="toctree-l2"><a class="reference internal" href="../reference/server_settings/">Production server settings</a></li>
<li class="toctree-l2"><a class="reference internal" href="../reference/provided_metrics/">Provided metrics</a></li>
<li class="toctree-l2"><a class="reference internal" href="../reference/permissions/">Permissions</a></li>
<li class="toctree-l2 has-children"><a class="reference internal" href="../restapi_landing/">REST API</a><input aria-label="Toggle navigation of REST API" class="toctree-checkbox" id="toctree-checkbox-20" name="toctree-checkbox-20" role="switch" type="checkbox"/><label for="toctree-checkbox-20"><span class="icon"><svg><use href="#svg-arrow-right"></use></svg></span></label><ul>
<li class="toctree-l3"><a class="reference internal" href="../rest-api/">Main API documentation</a></li>
<li class="toctree-l3"><a class="reference internal" href="../api/">Main API specification</a></li>
<li class="toctree-l3"><a class="reference internal" href="../api-extensions/">Main API extensions</a></li>
<li class="toctree-l3"><a class="reference internal" href="../events/">Events API documentation</a></li>
<li class="toctree-l3"><a class="reference internal" href="../dev-lxd/">Instance API</a></li>
</ul>
</li>
<li class="toctree-l2"><a class="reference internal" href="../reference/driver_csi/">LXD CSI driver reference</a></li>
<li class="toctree-l2 has-children"><a class="reference internal" href="../reference/manpages/">Man pages</a><input aria-label="Toggle navigation of Man pages" class="toctree-checkbox" id="toctree-checkbox-21" name="toctree-checkbox-21" role="switch" type="checkbox"/><label for="toctree-checkbox-21"><span class="icon"><svg><use href="#svg-arrow-right"></use></svg></span></label><ul>
<li class="toctree-l3"><a class="reference internal" href="../reference/manpages/lxc/"><code class="docutils literal notranslate"><span class="pre">lxc</span></code></a></li>
</ul>
</li>
<li class="toctree-l2 current has-children"><a class="reference internal" href="../internals/">Internals</a><input aria-label="Toggle navigation of Internals" checked="" class="toctree-checkbox" id="toctree-checkbox-22" name="toctree-checkbox-22" role="switch" type="checkbox"/><label for="toctree-checkbox-22"><span class="icon"><svg><use href="#svg-arrow-right"></use></svg></span></label><ul class="current">
<li class="toctree-l3"><a class="reference internal" href="../environment/">Environment variables</a></li>
<li class="toctree-l3"><a class="reference internal" href="../reference/uefi_variables/">UEFI variables for VMs</a></li>
<li class="toctree-l3"><a class="reference internal" href="../daemon-behavior/">Daemon behavior</a></li>
<li class="toctree-l3"><a class="reference internal" href="../syscall-interception/">System call interception</a></li>
<li class="toctree-l3 current current-page"><a class="current reference internal" href="#">User namespace setup</a></li>
<li class="toctree-l3"><a class="reference internal" href="../reference/ovn-internals/">OVN implementation</a></li>
<li class="toctree-l3"><a class="reference internal" href="../reference/vm_live_migration_internals/">VM live migration implementation</a></li>
<li class="toctree-l3"><a class="reference internal" href="../reference/dqlite-internals/">Dqlite</a></li>
</ul>
</li>
<li class="toctree-l2"><a class="reference external" href="https://github.com/canonical/lxd">Project repository</a></li>
<li class="toctree-l2"><a class="reference external" href="https://images.lxd.canonical.com">Image server</a></li>
</ul>
</li>
</ul>
</div>
</div>
</div>
</div>
</aside>
<div class="main">
<div class="content">
<div class="article-container">
<a href="#" class="back-to-top muted-link">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24">
<path d="M13 20h-2V8l-5.5 5.5-1.42-1.42L12 4.16l7.92 7.92-1.42 1.42L13 8v12z"></path>
</svg>
<span>Back to top</span>
</a>
<div class="content-icon-container">
<div class="edit-this-page">
<a class="muted-link" href="https://github.com/canonical/lxd/edit/main/doc/userns-idmap.md" title="Contribute to this page">
<svg><use href="#svg-pencil"></use></svg>
<span class="visually-hidden">Contribute to this page</span>
</a>
</div><div class="theme-toggle-container theme-toggle-content">
<button class="theme-toggle" aria-label="Toggle Light / Dark / Auto color theme">
<svg class="theme-icon-when-auto-light"><use href="#svg-sun-with-moon"></use></svg>
<svg class="theme-icon-when-auto-dark"><use href="#svg-moon-with-sun"></use></svg>
<svg class="theme-icon-when-dark"><use href="#svg-moon"></use></svg>
<svg class="theme-icon-when-light"><use href="#svg-sun"></use></svg>
</button>
</div>
<label class="toc-overlay-icon toc-content-icon" for="__toc">
<span class="icon"><svg><use href="#svg-toc"></use></svg></span>
</label>
</div>
<article role="main" id="furo-main-content">
<section id="ref-idmap">
<span id="idmaps-for-user-namespace"></span><h1>Idmaps for user namespace<a class="headerlink" href="#ref-idmap" title="Link to this heading">¶</a></h1>
<p>LXD runs safe containers. This is achieved mostly through the use of
user namespaces which make it possible to run containers unprivileged,
greatly limiting the attack surface.</p>
<p>User namespaces work by mapping a set of UIDs and GIDs on the host to a
set of UIDs and GIDs in the container.</p>
<p>For example, we can define that the host UIDs and GIDs from 100000 to
165535 may be used by LXD and should be mapped to UID/GID 0 through
65535 in the container.</p>
<p>As a result a process running as UID 0 in the container will actually be
running as UID 100000.</p>
<p>Allocations should always be of at least 65536 UIDs and GIDs to cover
the POSIX range including root (0) and nobody (65534).</p>
<section id="kernel-support">
<h2>Kernel support<a class="headerlink" href="#kernel-support" title="Link to this heading">¶</a></h2>
<p>User namespaces require a kernel >= 3.12, LXD will start even on older
kernels but will refuse to start containers.</p>
</section>
<section id="allowed-ranges">
<span id="ref-idmap-allowed-ranges"></span><h2>Allowed ranges<a class="headerlink" href="#allowed-ranges" title="Link to this heading">¶</a></h2>
<div class="note admonition">
<p class="admonition-title">If you installed LXD via snap</p>
<p>If you <a class="reference internal" href="../installing/#installing-snap-package"><span class="std std-ref">installed LXD via the Snap Store</span></a> (the recommended method), this section does not apply.</p>
<p>The <code class="docutils literal notranslate"><span class="pre">lxd</span></code> daemon runs as root inside the snap environment and does not use the <code class="docutils literal notranslate"><span class="pre">newuidmap</span></code> or <code class="docutils literal notranslate"><span class="pre">newgidmap</span></code> utilities. Thus, the allowed ID ranges in <code class="docutils literal notranslate"><span class="pre">/etc/subuid</span></code> and <code class="docutils literal notranslate"><span class="pre">/etc/subgid</span></code> are ignored, and you don’t need to set them.</p>
</div>
<p>On most hosts, LXD will check <code class="docutils literal notranslate"><span class="pre">/etc/subuid</span></code> and <code class="docutils literal notranslate"><span class="pre">/etc/subgid</span></code> for
allocations for the <code class="docutils literal notranslate"><span class="pre">root</span></code> user and on first start, set the default
profile to use the first 65536 UIDs and GIDs from that range.</p>
<p>If the range is shorter than 65536 (which includes no range at all),
then LXD will fail to create or start any container until this is corrected.</p>
<p>If some but not all of <code class="docutils literal notranslate"><span class="pre">/etc/subuid</span></code>, <code class="docutils literal notranslate"><span class="pre">/etc/subgid</span></code>, <code class="docutils literal notranslate"><span class="pre">newuidmap</span></code> (path lookup)
and <code class="docutils literal notranslate"><span class="pre">newgidmap</span></code> (path lookup) can be found on the system, LXD will fail
the startup of any container until this is corrected as this shows a
broken shadow setup.</p>
<p>If none of those files can be found, then LXD will assume a 1000000000
UID/GID range starting at a base UID/GID of 1000000.</p>
<p>This is the most common case and is usually the recommended setup when
not running on a system which also hosts fully unprivileged containers
(where the container runtime itself runs as a user).</p>
</section>
<section id="varying-ranges-between-hosts">
<h2>Varying ranges between hosts<a class="headerlink" href="#varying-ranges-between-hosts" title="Link to this heading">¶</a></h2>
<p>The source map is sent when moving containers between hosts so that they
can be remapped on the receiving host.</p>
</section>
<section id="different-idmaps-per-container">
<h2>Different idmaps per container<a class="headerlink" href="#different-idmaps-per-container" title="Link to this heading">¶</a></h2>
<p>LXD supports using different idmaps per container, to further isolate
containers from each other. This is controlled with two per-container
configuration keys, <a class="configref reference internal" href="../reference/instance_options/#instance-security:security.idmap.isolated"><code class="docutils literal notranslate"><span class="pre">security.idmap.isolated</span></code></a> and <a class="configref reference internal" href="../reference/instance_options/#instance-security:security.idmap.size"><code class="docutils literal notranslate"><span class="pre">security.idmap.size</span></code></a>.</p>
<p>Containers with <code class="docutils literal notranslate"><span class="pre">security.idmap.isolated</span></code> will have a unique ID range computed
for them among the other containers with <code class="docutils literal notranslate"><span class="pre">security.idmap.isolated</span></code> set (if none
is available, setting this key will simply fail).</p>
<p>Containers with <code class="docutils literal notranslate"><span class="pre">security.idmap.size</span></code> set will have their ID range set to this
size. Isolated containers without this property set default to a ID range of
size 65536; this allows for POSIX compliance and a <code class="docutils literal notranslate"><span class="pre">nobody</span></code> user inside the
container.</p>
<p>To select a specific map, the <code class="docutils literal notranslate"><span class="pre">security.idmap.base</span></code> key will let you
override the auto-detection mechanism and tell LXD what host UID/GID you
want to use as the base for the container.</p>
<p>These properties require a container reboot to take effect.</p>
</section>
<section id="custom-idmaps">
<h2>Custom idmaps<a class="headerlink" href="#custom-idmaps" title="Link to this heading">¶</a></h2>
<p>LXD also supports customizing bits of the idmap, e.g. to allow users to bind
mount parts of the host’s file system into a container without the need for any
UID-shifting file system. The per-container configuration key for this is
<a class="configref reference internal" href="../reference/instance_options/#instance-raw:raw.idmap"><code class="docutils literal notranslate"><span class="pre">raw.idmap</span></code></a>, and looks like:</p>
<div class="highlight-none notranslate"><div class="highlight"><pre><span></span>both 1000 1000
uid 50-60 500-510
gid 100000-110000 10000-20000
</pre></div>
</div>
<p>The first line configures both the UID and GID 1000 on the host to map to UID
1000 inside the container (this can be used for example to bind mount a user’s
home directory into a container).</p>
<p>The second and third lines map only the UID or GID ranges into the container,
respectively. The second entry per line is the source ID, i.e. the ID on the
host, and the third entry is the range inside the container. These ranges must
be the same size.</p>
<p>This property requires a container reboot to take effect.</p>
<p>For non-snap installations of LXD, you might need to add an entry for the <code class="docutils literal notranslate"><span class="pre">root</span></code> user into
<code class="docutils literal notranslate"><span class="pre">/etc/subuid</span></code> and/or <code class="docutils literal notranslate"><span class="pre">/etc/subgid</span></code> so the container is allowed to make use of it. See: <a class="reference internal" href="#ref-idmap-allowed-ranges"><span class="std std-ref">Allowed ranges</span></a>.</p>
</section>
</section>
</article>
</div>
<footer>
<div class="related-pages">
<a class="next-page" href="../reference/ovn-internals/">
<div class="page-info">
<div class="context">
<span>Next</span>
</div>
<div class="title">OVN implementation</div>
</div>
<svg class="furo-related-icon"><use href="#svg-arrow-right"></use></svg>
</a>
<a class="prev-page" href="../syscall-interception/">
<svg class="furo-related-icon"><use href="#svg-arrow-right"></use></svg>
<div class="page-info">
<div class="context">
<span>Previous</span>
</div>
<div class="title">System call interception</div>
</div>
</a>
</div>
<div class="bottom-of-page">
<div class="left-details">
<div class="copyright">
© 2014-2026 AGPL-3.0, LXD contributors
</div><div class="last-updated">
Last updated on Feb 24, 2026</div>
</div>
<div class="right-details">
<a href="" class="js-revoke-cookie-manager muted-link">Manage your tracker settings</a>
</div>
</footer>
</div>
<aside class="toc-drawer">
<div class="toc-sticky toc-scroll">
<div class="toc-title-container">
<span class="toc-title">
Contents
</span>
</div>
<div class="toc-tree-container">
<div class="toc-tree">
<ul>
<li><a class="reference internal" href="#">Idmaps for user namespace</a><ul>
<li><a class="reference internal" href="#kernel-support">Kernel support</a></li>
<li><a class="reference internal" href="#allowed-ranges">Allowed ranges</a></li>
<li><a class="reference internal" href="#varying-ranges-between-hosts">Varying ranges between hosts</a></li>
<li><a class="reference internal" href="#different-idmaps-per-container">Different idmaps per container</a></li>
<li><a class="reference internal" href="#custom-idmaps">Custom idmaps</a></li>
</ul>
</li>
</ul>
</div>
</div>
</div>
</aside>
</div>
</div><script src="../_static/jquery.js?v=5d32c60e"></script>
<script src="../_static/_sphinx_javascript_frameworks_compat.js?v=2cd50e6c"></script>
<script src="../_static/documentation_options.js?v=a5603611"></script>
<script src="../_static/doctools.js?v=9a2dae69"></script>
<script src="../_static/sphinx_highlight.js?v=dc90522c"></script>
<script src="../_static/scripts/furo.js?v=46bd48cc"></script>
<script src="../_static/clipboard.min.js?v=a7894cd8"></script>
<script src="../_static/copybutton.js?v=b01cb6f2"></script>
<script src="../_static/config-options.js"></script>
<script src="../_static/design-tabs.js?v=f930bc37"></script>
<script src="../_static/js/bundle.js?v=a4d88309"></script>
<script src="../_static/header-nav.js?v=e117ad08"></script>
<script src="../_static/github_issue_links.js?v=32bb732f"></script>
<script>
const github_url = "https://github.com/canonical/lxd";
</script>
</body>
</html>