The uid map to use in the user namespace. Each map consists of
four colon-separate values. First a character 'u', 'g' or 'b'
to specify whether this map pertains to user ids, group ids,
or both; next the first userid in the user namespace; next the
first userid as seen on the host; and finally the number of
ids to be mapped.
More than one map can be specified. If no map is specified,
then by default the full uid and gid ranges granted by
/etc/subuid and /etc/subgid will be mapped to the uids and
gids starting at 0 in the container.
Note that lxc-usernsexec always tries to setuid and setgid to
0 in the namespace. Therefore uid 0 in the namespace must be
To spawn a shell with the full allotted subuids mapped into the
To run a different shell than /bin/sh, use
lxc-usernsexec -- /bin/bash
If your user id is 1000, root in a container is mapped to 190000, and
you wish to chown a file you own to root in the container, you can
lxc-usernsexec -m b:0:1000:1 -m b:1:190000:1 -- /bin/chown 1:1 $file
This maps your userid to root in the user namespace, and 190000 to
uid 1. Since root in the user namespace is privileged over all
userids mapped into the namespace, you are allowed to change the file
ownership, which you could not do on the host using a simple chown.
This page is part of the lxc (Linux containers) project. Information
about the project can be found at ⟨http://linuxcontainers.org/⟩. If
you have a bug report for this manual page, send it to
firstname.lastname@example.org. This page was obtained from the
project's upstream Git repository ⟨git://github.com/lxc/lxc⟩ on
2020-08-13. (At that time, the date of the most recent commit that
was found in the repository was 2020-08-12.) If you discover any
rendering problems in this HTML version of the page, or you believe
there is a better or more up-to-date source for the page, or you have
corrections or improvements to the information in this COLOPHON
(which is not part of the original manual page), send a mail to