I don't understand some aspects of lxc containers like the correct usage of user namespaces when creating unprivileged lxc-containers. I am trying to create an unprivileged alpine-linux container using lxc 1:3.1.0-2 on a Raspberry Pi 3B running 4.19.58-1-ARCH ARM.
I followed these steps. I enabled user namespaces and set up a network bridge successfully. When it comes to user subuid mapping, I fail to comprehend.
As far as I understand, /etc/subuid enables the user <user>, who runs the unprivileged container, to map to uid 100000-165536 (which would be uid 0-65536 in the container) on the host machine in this example:
Code:
<user>:100000:65536
Same goes for /etc/subgid.
Is it recommended to create an extra user on the host machine to run the container in the first place, or can I run the container with my "standard" user with the uid 1000?
Do I create the follow-up users that the users in the container point to, or is that managed by lxc?
I assume there are further steps to be done to create an environment for the unprivileged container, like copying templates or config files to the user's home directory, or am I completely on the wrong track here?
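As an added example that is not part of the original post: the arithmetic behind a /etc/subuid entry and the matching lxc.idmap lines (the lxc 3.x key; older releases used lxc.id_map). The entry `alice:100000:65536` is a constructed sample so the script runs offline; on a real host you would read the container-owning user's line from /etc/subuid and /etc/subgid. The function names are my own, not lxc's.

```shell
#!/bin/sh
# Added example, not from the original post. Constructed /etc/subuid entry
# for a hypothetical user "alice"; the post's real entry is <user>:100000:65536.
SAMPLE_SUBUID="alice:100000:65536"

# subuid_field ENTRY N -> the Nth colon-separated field of a subuid/subgid entry
subuid_field() {
  printf '%s\n' "$1" | cut -d: -f"$2"
}

# host_uid ENTRY CONTAINER_UID -> the host uid that CONTAINER_UID is stored as,
# or "unmapped" when it lies outside the user's range (such files show up as
# nobody/65534 inside the container). Only COUNT ids are mapped, so the last
# valid container uid is COUNT-1, not COUNT.
host_uid() {
  start=$(subuid_field "$1" 2)
  count=$(subuid_field "$1" 3)
  cuid=$2
  if [ "$cuid" -lt 0 ] || [ "$cuid" -ge "$count" ]; then
    echo unmapped
    return 0
  fi
  echo $((start + cuid))
}

# container_uid ENTRY HOST_UID -> the reverse translation, e.g. when checking
# who owns a file in the container rootfs from the host side
container_uid() {
  start=$(subuid_field "$1" 2)
  count=$(subuid_field "$1" 3)
  huid=$2
  if [ "$huid" -lt "$start" ] || [ "$huid" -ge $((start + count)) ]; then
    echo unmapped
    return 0
  fi
  echo $((huid - start))
}

# idmap_lines ENTRY -> the two lines to put in ~/.config/lxc/default.conf
# (assumes the same range is allotted in /etc/subgid, as in the post)
idmap_lines() {
  start=$(subuid_field "$1" 2)
  count=$(subuid_field "$1" 3)
  printf 'lxc.idmap = u 0 %s %s\n' "$start" "$count"
  printf 'lxc.idmap = g 0 %s %s\n' "$start" "$count"
}

host_uid "$SAMPLE_SUBUID" 0              # -> 100000 (container root)
host_uid "$SAMPLE_SUBUID" 65535          # -> 165535 (last mapped id)
host_uid "$SAMPLE_SUBUID" 65536          # -> unmapped
container_uid "$SAMPLE_SUBUID" 101000    # -> 1000
container_uid "$SAMPLE_SUBUID" 1000      # -> unmapped (the host user's own uid)
idmap_lines "$SAMPLE_SUBUID"
```

The last case is the one worth noticing: the host user's own uid 1000 is not inside the subordinate range, so nothing in the container corresponds to it; the container's root is uid 100000 on the host, and only ids 100000 to 165535 are reachable from inside.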