LXD Validate raw.idmap is allowed by host

Is there a programmatic way to see if a raw.idmap setting is allowed by the current host shadow uid/gid configuration?
If I run:

lxc config set container raw.idmap "uid X 1000" 

How do I know if the mapping of uid X will succeed or fail due to the settings in /etc/subuid? If I just have to start the container and see if it fails, how can I parse out the failure to determine the /etc/subuid setting specifically was the problem?

It's non-trivial to parse the /etc/subuid and /etc/subgid manually to determine the allowed ranges based on that content alone. Also it would be nice to keep it in sync with the way LXD determines the permissions, so ideally an LXD option/command would be able to check it for me.


I have a series of groups I need to parse programmatically out of host systems based on the host-specific configuration of some folders. I then want to mount those folders with map-thru gids or uids into a container. There's lots of variation in the host systems, so it's unknown whether the /etc/subuid and /etc/subgid are configured to allow LXD to map-thru the uids and gids associated with the directories the host has selected. I'd like to identify it specifically as part of the error checking since it's an obvious point of failure.