Botched containers after experimenting with security.idmap.isolated

I wanted my containers to have different ids to avoid nproc limit issues and did this:

lxc config set artemis2 security.idmap.isolated=true
lxc start artemis2
artemis2: error: Failed to handle idmapped storage: invalid argument - Failed to change ACLs on /var/snap/lxd/common/lxd/storage-pools/ee/containers/artemis2/rootfs/var/log/journal
artemis2: Try lxc info --show-log artemis2 for more info

lxc info --show-log artemis2 said

lxc artemis2 20251203125722.135 WARN attach - …/src/src/lxc/attach.c:get_attach_context:478 - No security context received

so I rolled back, i.e.

lxc config unset artemis2 security.idmap.isolated
lxc start artemis2

It now starts without errors, but it seems to have the root fs mounted read-only and all uids messed up:

[root@artemis2 ~]# ls -nl /
total 33
dr-xr-xr-x 2 65534 65534 2 Jun 25 2024 afs
lrwxrwxrwx 1 65534 65534 7 Jun 25 2024 bin -> usr/bin
dr-xr-xr-x 2 65534 65534 2 Jun 25 2024 boot
drwxr-xr-x 8 0 0 520 Dec 3 14:16 dev
drwxr-xr-x 89 65534 65534 204 Oct 8 13:40 etc
drwxr-xr-x 7 65534 65534 7 Dec 5 2024 home
lrwxrwxrwx 1 65534 65534 7 Jun 25 2024 lib -> usr/lib
lrwxrwxrwx 1 65534 65534 9 Jun 25 2024 lib64 -> usr/lib64
drwxr-xr-x 3 65534 65534 3 Dec 6 2024 log
drwxr-xr-x 2 65534 65534 2 Jun 25 2024 media
drwxr-xr-x 2 65534 65534 2 Jun 25 2024 mnt
drwxr-xr-x 3 65534 65534 3 Dec 6 2024 opt
dr-xr-xr-x 635 65534 65534 0 Dec 3 14:16 proc
dr-xr-x--- 4 65534 65534 14 Dec 2 15:12 root
drwxr-xr-x 12 0 0 280 Dec 3 14:16 run
lrwxrwxrwx 1 65534 65534 8 Jun 25 2024 sbin -> usr/sbin
drwxrwxrwt 7 0 0 7 May 26 2025 scratch
drwxr-xr-x 2 65534 65534 3 Dec 5 2024 selinux
drwxr-xr-x 2 65534 65534 2 Jun 25 2024 srv
dr-xr-xr-x 13 65534 65534 0 Dec 3 14:16 sys
drwxrwxrwt 11 65534 65534 11 Dec 3 14:16 tmp
drwxr-xr-x 12 65534 65534 13 Dec 5 2024 usr
drwxr-xr-x 18 65534 65534 22 Dec 5 2024 var
[root@artemis2 ~]# touch /aa
touch: cannot touch ‘/aa’: Permission denied

LXD is 5.21.4 LTS on CentOS 8 Stream, kernel 4.18.0-553.6.1.el8.x86_64.

I have mounted the storage manually and the permissions/uids are OK there:

[root@lxd4 ~]# mount -t zfs lxd4/lxd/containers/artemis2 /mnt/
[root@lxd4 ~]# ls -al /mnt/rootfs/
afs/ bin/ dev/ home/ lib64/ media/ opt/ root/ sbin/ selinux/ sys/ usr/
.autorelabel boot/ etc/ lib/ log/ mnt/ proc/ run/ scratch/ srv/ tmp/ var/
[root@lxd4 ~]# ls -al /mnt/rootfs/
total 38
drwxr-xr-x 21 root root 26 Dec 6 2024 .
d--x------ 4 1000000 root 6 Dec 5 2024 ..
dr-xr-xr-x 2 root root 2 Jun 25 2024 afs
-rw-r--r-- 1 root root 0 Dec 5 2024 .autorelabel
lrwxrwxrwx 1 root root 7 Jun 25 2024 bin -> usr/bin
dr-xr-xr-x 2 root root 2 Jun 25 2024 boot
drwxr-xr-x 2 root root 2 Dec 5 2024 dev
drwxr-xr-x 89 root root 204 Oct 8 13:40 etc
drwxr-xr-x 7 root root 7 Dec 5 2024 home

Any ideas?
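As an added illustration (not from the post above and not LXD's own code) of why a whole rootfs shows up as uid/gid 65534 after the idmap changes: a host id that no entry of the container's current uid/gid map covers is displayed inside the user namespace as the kernel's overflow id, 65534. The map shape below follows the JSON LXD stores in volatile.idmap.current (assumed format); the two maps, their ranges and the host-side listing are constructed sample values.

```python
import json

OVERFLOW_ID = 65534  # kernel default overflowuid/overflowgid: how an unmapped id appears inside a user namespace

# Constructed maps in the JSON shape of LXD's volatile.idmap.current (assumed format): a shared map at host id 1000000 and an isolated map at 1065536, each 65536 ids wide.
SHARED_MAP = json.loads('[{"Isuid":true,"Isgid":true,"Hostid":1000000,"Nsid":0,"Maprange":65536}]')
ISOLATED_MAP = json.loads('[{"Isuid":true,"Isgid":true,"Hostid":1065536,"Nsid":0,"Maprange":65536}]')

def host_to_ns(idmap, host_id, uid=True):
    """Id the container sees for a host-side uid/gid; OVERFLOW_ID when no entry covers it."""
    for e in idmap:
        if not (e["Isuid"] if uid else e["Isgid"]):
            continue
        if e["Hostid"] <= host_id < e["Hostid"] + e["Maprange"]:
            return e["Nsid"] + (host_id - e["Hostid"])
    return OVERFLOW_ID

def ns_to_host(idmap, ns_id, uid=True):
    """Inverse: the host id a container uid/gid is stored as on disk, or None if the map cannot express it."""
    for e in idmap:
        if not (e["Isuid"] if uid else e["Isgid"]):
            continue
        if e["Nsid"] <= ns_id < e["Nsid"] + e["Maprange"]:
            return e["Hostid"] + (ns_id - e["Nsid"])
    return None

def unmapped_entries(host_ls_output, idmap):
    """Names from a host-side `ls -n` listing whose owner uid or gid the given map cannot express.
    These are the entries that appear as 65534 inside the container. Names containing spaces are not handled."""
    bad = []
    for line in host_ls_output.splitlines():
        parts = line.split()
        if len(parts) < 9 or parts[0][0] not in "-dlcbps":
            continue  # skips "total N" and blank lines
        uid, gid, name = int(parts[2]), int(parts[3]), parts[8]
        if host_to_ns(idmap, uid) == OVERFLOW_ID or host_to_ns(idmap, gid, uid=False) == OVERFLOW_ID:
            bad.append(name)
    return bad

# Constructed host-side listing of a rootfs that was written under SHARED_MAP (container root == host 1000000).
HOST_LISTING = """\
total 38
drwxr-xr-x 21 1000000 1000000  26 Dec  6  2024 .
drwxr-xr-x  2 1000000 1000000   2 Dec  5  2024 dev
drwxr-xr-x 89 1000000 1000000 204 Oct  8 13:40 etc
drwxr-xr-x  7 1001000 1001000   7 Dec  5  2024 home
"""
```

unmapped_entries(HOST_LISTING, SHARED_MAP) returns [] while unmapped_entries(HOST_LISTING, ISOLATED_MAP) returns ['.', 'dev', 'etc', 'home'], which is the situation a container lands in when its map moves but the files on disk keep their old host ids.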