Building unprivileged (userns) LXC container from scratch, by migrating a privileged container to be unprivileged

How can I build a privileged LXC (1.0.3) container (that part I know) and then migrate it successfully to be run unprivileged? That is, I'd like to debootstrap it myself or adjust the lxc-ubuntu template (commonly under /usr/share/lxc/templates) in order for this to work. Here's why I am asking this question. If you look at the lxc-ubuntu template, you'll notice: # Detect use under userns (unsupported) for arg in "$@"; do [ "$arg" = "--" ] && break if [ "$arg" = "--mapped-uid" -o "$arg" = "--mapped-gid" ]; then echo "This template can't be used for unprivileged containers." 1>&2 echo "You may want to try the \"download\" template instead." 1>&2 exit 1 fi done Following the use of LXC_MAPPED_GID and LXC_MAPPED_UID in the referenced lxc-download template, though, there seems to be nothing particularly special. In fact all it does is to adjust the file ownership (chgrp + chown). But it's possible that the extended attributes in the download template are fine-tuned already to accomplish whatever "magic" is needed. In the comments to this blog post by Stéphane Graber Stéphane tells a commenter that > There’s no easy way to do that unfortunately, you’d need to update > your container config to match that from an unprivileged container, > move the container’s directory over to the unprivileged user you want > it to run as, then use Serge’s uidshift program to change the > ownership of all files. ... and to: * have a look at https://jenkins.linuxcontainers.org/ for the packages built for the download template * check out uidmapshift from here * This program appears to roughly do lxc-usernsexec -m b:0:1000:1 -m b:1:190000:1 -- /bin/chown 1:1 $file as explained in lxc-usernsexec(1) But there are no further pointers. **So my question is: how can I take an ordinary (privileged) LXC container that I have built myself (having root and all) and migrate it to become an unprivileged container?** Even if you can't provide a script or so, it would be great to know which points to consider and how they affect the ability to run the unprivileged LXC container. I can come up with a script on my own and pledge to post it as an answer to this question if a solution can be found :) *Note:* Although I am using Ubuntu 14.04, this is a *generic* question.