[SOLVED] NFS permission question

pixielark

Jan 3, 2024
Hi everyone,

I recently started to explore PVE.
So what I am currently trying to do is share a TrueNAS managed ZFS dataset with an unprivileged LXC container, following https://pve.proxmox.com/wiki/Unprivileged_LXC_containers, by using a bind mount point

TrueNAS dataset (/mnt/pool/docker) -> Proxmox Storage (/mnt/pve/TrueNas) -> lxc (/mnt/docker)

the current LXC config idmap looks like this

Code:
lxc.idmap: u 0 100000 1005
lxc.idmap: u 1005 1005 1
lxc.idmap: u 1006 101006 64530
lxc.idmap: g 0 100000 44
lxc.idmap: g 44 44 1
lxc.idmap: g 45 100045 61
lxc.idmap: g 106 104 1
lxc.idmap: g 107 100107 898
lxc.idmap: g 1005 1005 1
lxc.idmap: g 1006 101006 64530

please ignore the other mappings except 1005 (which is what the wiki used); I created a uid 1005 and gid 1005 called nfsaccess on both the PVE host and the LXC guest
in the working scenario, in my LXC container, I can simply run
Code:
su nfsaccess
and everything works as expected, I can create/update/delete files in the LXC (/mnt/docker) just fine

until I want to go a bit beyond the wiki page
since my LXC runs as root by default, I added root to the nfsaccess group

Code:
root@portainer:/mnt/docker# id
uid=0(root) gid=0(root) groups=0(root),44(video),106(render),1005(nfsaccess)

but as this root, I am not able to edit any file under the LXC (/mnt/docker) o_O

Code:
root@portainer:/mnt/docker# ls -la
total 6
drwxrwxr-x 4 nfsaccess nfsaccess    5 Jan  8 05:38 .
drwxr-xr-x 3 root      root      4096 Jan  7 22:01 ..
drwxr-xr-x 2 nfsaccess nfsaccess    3 Jan  8 05:38 aaa
drwxrwxr-x 2 nfsaccess nfsaccess    2 Jan  7 22:23 images
-rwxrwxr-x 1 nfsaccess nfsaccess   18 Jan  8 05:20 test.txt

the file permissions for "-rwxrwxr-x 1 nfsaccess nfsaccess 18 Jan 8 05:20 test.txt" all look correct to me.

does anyone have any idea why this is happening? I was suspecting some NFS4 ACL thing, but I am not familiar with it

Code:
root@portainer:/mnt/docker# nfs4_getfacl  test.txt
# file: test.txt
A::OWNER@:rwaxtTcCy
A::GROUP@:rwaxtcy
A::EVERYONE@:rxtcy

should I just update the NFS4 ACL on the PVE host for /mnt/pve/TrueNas to rwaxtTcCy as well? or am I doing something wrong here?
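A small Python helper, added here as an example and not part of the thread, that resolves container uids/gids through the lxc.idmap lines quoted above. It shows which ids the PVE host kernel, and therefore the NFS server on the other end of the bind mount, actually sees for a process inside the unprivileged container (root becomes 100000, while gid 1005 passes through unchanged), and it checks the map for gaps or overlaps, a frequent cause of confusing permission errors. The idmap text is embedded as sample input copied from the post.

```python
from collections import namedtuple

# lxc.idmap lines copied from the post, embedded here as sample input
IDMAP_CONFIG = """
lxc.idmap: u 0 100000 1005
lxc.idmap: u 1005 1005 1
lxc.idmap: u 1006 101006 64530
lxc.idmap: g 0 100000 44
lxc.idmap: g 44 44 1
lxc.idmap: g 45 100045 61
lxc.idmap: g 106 104 1
lxc.idmap: g 107 100107 898
lxc.idmap: g 1005 1005 1
lxc.idmap: g 1006 101006 64530
"""

# kind: "u" (uid) or "g" (gid); ct_start/host_start: first id of the range in
# the container and on the PVE host; count: number of ids in the range
Range = namedtuple("Range", "kind ct_start host_start count")

def parse_idmap(text):
    ranges = []
    for line in text.splitlines():
        if line.strip().startswith("lxc.idmap:"):
            kind, ct, host, n = line.split(":", 1)[1].split()
            ranges.append(Range(kind, int(ct), int(host), int(n)))
    return ranges

def to_host(ranges, kind, ct_id):
    """Container id -> host id (what the kernel puts on the NFS wire)."""
    for r in ranges:
        if r.kind == kind and r.ct_start <= ct_id < r.ct_start + r.count:
            return r.host_start + (ct_id - r.ct_start)
    raise ValueError(f"{kind}id {ct_id} is not mapped into the container")

def host_identity(ranges, uid, gid, groups):
    """Host-side view of the container's `id` output: (uid, gid, supplementary gids)."""
    return (to_host(ranges, "u", uid), to_host(ranges, "g", gid),
            [to_host(ranges, "g", g) for g in groups])

def validate(ranges, kind, total=65536):
    """Container ids 0..total-1 must be covered exactly once; return any problems."""
    problems, expected = [], 0
    for r in sorted((r for r in ranges if r.kind == kind), key=lambda r: r.ct_start):
        if r.ct_start < expected:
            problems.append(f"overlap at {kind}id {r.ct_start}")
        elif r.ct_start > expected:
            problems.append(f"gap: {kind}ids {expected}-{r.ct_start - 1} unmapped")
        expected = r.ct_start + r.count
    if expected != total:
        problems.append(f"map ends at {expected}, expected {total}")
    return problems
```

Feeding the `id` output from the post (uid 0, gid 0, groups 0,44,106,1005) into `host_identity` returns (100000, 100000, [100000, 44, 104, 1005]), which is the identity the NFS server has to authorize.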
 
just an update in case anyone runs into this issue in the future

so apparently I have to set the NFS permissions in TrueNAS
originally I was using
Code:
Maproot User -> root
Maproot Group -> wheel

I guess the Maproot Group is the issue

after changing to
Code:
Mapall User -> root
Mapall Group -> wheel
I don't even need to su nfsaccess to read/write anything in the mounted data storage in the LXC; TrueNAS NFS is doing the nasty user/group mapping in the backend

I know this is probably not best practice from a security perspective
 
From a security and best practice perspective you shouldn't run your docker in an LXC in the first place and should use a VM, where you don't have to care about all the user/group remappings and you wouldn't run into dependency problems, as you could directly mount the NFS share inside the guest OS. So no problem to migrate or restore that guest to another PVE host. ;)

But good to hear that this now works for you.
 
From a security and best practice perspective you shouldn't run your docker in an LXC in the first place and should use a VM, where you don't have to care about all the user/group remappings and you wouldn't run into dependency problems, as you could directly mount the NFS share inside the guest OS. So no problem to migrate or restore that guest to another PVE host. ;)

But good to hear that this now works for you.
fair point, I used LXC for docker because I do not want to pass through my only GPU to just one single VM.
With LXC passthrough I am now sharing the same GPU with a few LXC containers + VirGL with a few VMs. Unfortunately I need hardware acceleration for multiple apps and I want to have them run in separate containers
sad that my GPU does not support vGPU and vgpu_unlock won't work for my hardware :(
 
Yes, really a shame that there is no well-working open standard to split a GPU into virtual functions. Even if vgpu_unlock would work, it's debatable if that would be legal without paying Nvidia tons of money for the license, which they won't sell to consumers anyway.