Subuid subgid

SubUID/GIDs are a range of subordinate user/group IDs that a user is allowed to use. These are commonly used by containerization software, such as LXD and Podman, for creating privilege-separated containers.

This article outlines a default configuration of subuid/subgid that should work for most user workloads.

Overview of subuid/subgid
Container software depends on a correct subuid and subgid configuration. Keep in mind that after the initial configuration, it is not easy to change the subuid/gid mappings without starting from scratch and losing existing containers.

In most modern systems with, UID/GIDs can be in the range , which is the maximum. In the default LXD configuration (in the absence of and ), it is assumed that the range   is available for LXD to use. It is best to ensure this configuration manually, even when not using LXD, so that it is easier to manage subuids/gids for use with other programs such as Podman and Docker.

If using LXD, it is vital that the subuid/gid ranges for the users  and   are kept in sync. Additionally, for each user on the system, it is best to keep their available subuid/gid ranges distinct and non-overlapping. Creating such a configuration will also help Podman in running rootless containers.
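
An added example, not part of the original article: a small audit for the two properties described above (ranges kept in sync, and distinct non-overlapping ranges per user), run over subuid/subgid file contents. It assumes the `name:start:count` line format documented in subuid(5); the function names, the `shared` parameter and the sample entries (`ctr-a`, `ctr-b`, `alice`, `bob`, `carol`) are constructed for illustration, and "in sync" is taken to mean identical range sets in both files.

```python
from itertools import combinations

def parse(text):
    """Parse 'name:start:count' lines (subuid(5) format) into (name, first, last)."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        fields = line.strip().split(":")
        if fields == [""]:
            continue  # blank line
        if len(fields) != 3 or not (fields[1].isdigit() and fields[2].isdigit()):
            raise ValueError(f"line {lineno}: expected name:start:count")
        start, count = int(fields[1]), int(fields[2])
        if count == 0:
            raise ValueError(f"line {lineno}: empty range")
        entries.append((fields[0], start, start + count - 1))
    return entries

def overlaps(entries, shared=()):
    """Pairs of entries owned by different names whose ID ranges intersect.
    Names in `shared` (hypothetical parameter) may overlap with each other."""
    found = []
    for a, b in combinations(sorted(entries, key=lambda e: e[1]), 2):
        if a[0] == b[0] or (a[0] in shared and b[0] in shared):
            continue
        if a[1] <= b[2] and b[1] <= a[2]:
            found.append((a, b))
    return found

def in_sync(uid_entries, gid_entries, names):
    """True if every name holds the same non-empty range set in both files."""
    views = [frozenset(e[1:] for e in entries if e[0] == n)
             for entries in (uid_entries, gid_entries) for n in names]
    return bool(views) and bool(views[0]) and all(v == views[0] for v in views)

# Constructed sample content; on a real host read /etc/subuid and /etc/subgid.
SUBUID = """\
ctr-a:1000000:1000000000
ctr-b:1000000:1000000000
alice:1001000000:65536
bob:1001065536:65536
carol:1001100000:65536
"""
SUBGID = SUBUID.replace("ctr-b:1000000:1000000000", "ctr-b:1000000:65536")

if __name__ == "__main__":
    uid, gid = parse(SUBUID), parse(SUBGID)
    for a, b in overlaps(uid, shared=("ctr-a", "ctr-b")):
        print("overlap:", a, b)
    print("in sync:", in_sync(uid, gid, ("ctr-a", "ctr-b")))
```

In the sample, `bob` and `carol` are reported because their ranges intersect, and the two `ctr-*` accounts are reported as out of sync because the subgid copy of `ctr-b` has a shorter range.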

Manual configuration
Available ranges for subuid/gid can be configured by editing the files and  in a text editor.

usermod
(from ) can also be used to programmatically configure ranges for users. For example, the above configuration can also be achieved by a series of commands: