Mounting a specific subdirectory to limit guest's access to storage

CelestialMushrooms

May 25, 2023
I have a specific use case that I haven't had any luck with satisfying so far. I have a separate hard drive with several directories, and I'd like to share different subdirectories with different guests to limit their access. I know that I can simply use permissions to restrict access to the other directories, but I don't want to do this in the interest of security, since those permissions would be useless if someone gained root access. I've also explored the option of a file server (using SSHFS in my case), and while it works to do what I want, it's annoying to rely on a networking protocol when the storage is physically located on my machine. Additionally, the file server itself obviously has to have full access to the drive, but ideally only the Proxmox host would have full access. I'd also prefer not to use separate partitions for the different folders or any solution like that, since I'd have to rigidly allot space for each separate partition. Does anyone know of any way to achieve this?
 
Just bind-mount the directories you want into each container. Instead of bind-mounting the topmost folder, you need to bind-mount each subfolder you want into your containers.
 
I'm running VMs, not LXC containers. Is there a way to do that with VMs?
 
Oh, that is more complicated but possible: experimentally with the use of 9p, or via the well-established network layer with Samba/CIFS and NFS.
I was considering NFS as well, but I'm confused about what I'd put for the content. I'm not using it to store images or backups or anything, just files to be accessed by the VMs.
 
Four ways you can control access:

1. permissions on the directories and files
2. restrictions based on guest IP
3. host restrictions
4. encryption
 
When I try to add NFS storage to Proxmox, it asks for the content type and tries to create a directory corresponding to it. Is there a way to get around this?
 
If I understand you correctly, you will want to mount NFS exports directly in the guest, not via Hypervisor. Then you can create any folder separation, permissions, export restrictions you want. In short the NFS mount is from inside the guest to your NFS storage, no hypervisor in-between.



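One way to check the NFS server's export list for the layout discussed in this thread (one subdirectory per guest, restricted by guest IP), as an added example that is not from any poster. The paths, guest addresses and function names are assumptions, and the sample exports file is constructed.

```python
# Constructed sample /etc/exports; the paths and guest IPs are assumptions.
SAMPLE_EXPORTS = """\
/mnt/data/projects   192.168.1.21(rw,sync,root_squash)
/mnt/data/media      192.168.1.22(ro,sync)   # root_squash is the default
/mnt/data            192.168.1.23(rw,sync)
/mnt/data/backups    192.168.1.0/24(rw,sync,no_root_squash)
/mnt/data/scratch    192.168.1.24 (rw,sync)
"""

def parse_exports(text):
    """Yield (path, client, options) per client entry; client '' means any host."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        path, *specs = line.split()
        for spec in specs:
            # "host (rw)" with a space is two entries: host with default options,
            # and "(rw)" with an empty client, which applies to every host.
            client, _, rest = spec.partition("(")
            yield path, client, set(filter(None, rest.rstrip(")").split(",")))

def audit(text, drive_root):
    """Return sorted (path, client, problem) findings for a per-guest export layout."""
    findings, owners = [], {}
    for path, client, opts in parse_exports(text):
        shown = client or "<any host>"
        if path.rstrip("/") == drive_root.rstrip("/"):
            findings.append((path, shown, "exports the whole drive, not a subdirectory"))
        subnet = "/" in client and not client.endswith("/32")
        if client == "" or "*" in client or subnet:
            findings.append((path, shown, "not limited to a single guest address"))
        if "no_root_squash" in opts:
            findings.append((path, shown, "guest root keeps root on the export"))
        owners.setdefault(path, set()).add(shown)
    for path, clients in owners.items():
        if len(clients) > 1:
            findings.append((path, ", ".join(sorted(clients)), "shared by several clients"))
    return sorted(findings)

if __name__ == "__main__":
    for path, client, problem in audit(SAMPLE_EXPORTS, "/mnt/data"):
        print(f"{path:20} {client:26} {problem}")
```

Client address checks only help if a guest cannot take another guest's IP, so they complement the per-subdirectory exports rather than replace them.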
 
