Hi, I use lxc-usernsexec to simulate root (and other users) for a non-root user.
lxc-usernsexec -m b:0:100000:65536 That then chroots into an overlayfs mounted using fuse. The lowerdir is a mounted squashfs, the upperdir is a regular directory. squashfuse rootimg.sqfs lower fuse-overlayfs -o lowerdir=lower,upperdir=upper,workdir=work mount This is all working nicely, and much faster than extracting a tarfile to generate the lowerdir which is what I used to do. But I have to jump through hoops to generate the lower sqfs. If I generate it while running under lxc so outside it looks like root owned files have owner 100000, to the generating process running under lxc they have owner root(0). When using tar it automatically did the necessary translations when extracting the archive back to the correct lxc uid. If I build the sqfs while inside lxc the sqfs gets the uid 0 for root owned files. The files in mount/root, for example are then not readable when it's mounted later. If I try to build it from outside lxc then I don't have permission to read mount/root at all so the files don't make it into the sqfs. I'm doing the following to ensure that the sqfs files have the correct ownership when I come to mount it: for (( i = 0 ; i < 65536 ; i++ )); do echo "+$i +$(( i + 100000 ))"; done >mapfile tar -C root --numeric-owner --owner-map=mapfile --group-map=mapfile --one-file-system -cf - . | tar2sqfs -q root.sqfs This maps the 0-65535 uids that are seen inside lxc back to the 100000-165535 uids that are used outside of lxc so that the sqfs is an accurate image of the original filesystem metadata. overlayfs has an option to map uids which the man page suggests exists for exactly this reason, but I cannot work out how to use it. I feel as though I need the option on squashfuse. It doesn't really matter to me, but one issue with my solution is that the sqfs images aren't usable by a different user who has a different uidmap because the uids in the sqfs are tied to the uidmap. Is there a way to do what I'm trying to do without using tar (or equivalent) to change the uids in the sqfs? I don't want to squash everything down to a single user. -o uidmapping/-o gidmapping for fuse-overlayfs aren't mentioned in the -h help, only in the manpage, so perhaps there's an option to squashfuse that isn't mentioned in either that I'm missing? Or perhaps there's a way to get overlayfs to work if the root.sqfs has uid 0-65535. Note that the whole point of all of this is so that nothing has to be done as root. I use this for testing installs, building packages etc and a rogue rm -fr /, for example, can't take out the whole system. So solutions that involve doing steps as the real root user aren't suitable. Tim.