Proxmox NFS mount inaccessible to non-root user

Dove2904

Nov 26, 2023
Hi

I have an NFS share setup with my QNAP NAS to allow access to media files for an LXC. I'm having some issues getting access to the directory with the user that the app (jellyfin) in the container uses.

Some info:

User jellyfin (uid=100103) on the Proxmox host is used to run the app in the container. This is mapped automatically to user 103 in the LXC.
User jellyfin is member of group media (gid=3500) on the Proxmox host:

$ id jellyfin
uid=100103(jellyfin) gid=3501(jellyfin) groups=3501(jellyfin),3500(media)

My NFS share is added as NFS Storage using the Proxmox UI.
Root can navigate into the mount dir as can the jellyfin user when the owner of the directory is set as jellyfin
Jellyfin user cannot access the mount dir when the owner is set to another user (e.g. root as 100000) but the group owner is media

$ cd /mnt/pve/movies
sh: 1: cd: can't cd to /mnt/pve/movies

I would expect, as Jellyfin is a member of the media group, that it can access the mount dir regardless of user owner? However it cannot.

Mount directory permissions are 775:

ls -aln /mnt/pve | grep movies
drwxr-xr-x 11 100000 3500 4096 Nov 13 19:01 movies

I've created a test directory with the same permissions and ownership, su'd as user jellyfin and the user can access and view all files. This test directory is not an NFS mount which leads me to something incorrect with the NFS config, either on Proxmox or the QNAP? However, as user jellyfin can access the dir when the owner is set to jellyfin makes me think it's not the QNAP.

Any pointers would be great!...
 
Non-privileged

However I believe I've isolated the problem to the host/nas share as the user created on the host (jellyfin, uid 100103) cannot access the nfs drive when I su in as that user and try to list the nfs share contents (/mnt/pve/movies). It can list the test directory contents with the same permissions

So I believe once this is solved on the host then the container should work as is (container uid 103 automatically mapping to 100103 on host with no custom user mapping required)
 
Additionally, entry from mount

192.168.1.95:/Movies on /mnt/pve/movies type nfs4 (rw,relatime,vers=4.1,rsize=1048576,wsize=1048576,namlen=255,hard,proto=tcp,timeo=600,retrans=2,sec=sys,clientaddr=192.168.1.97,local_lock=none,addr=192.168.1.67)

and relevant content from /etc/exports on NAS:

"/share/CACHEDEV8_DATA/Movies" 192.168.1.97(sec=sys,rw,async,wdelay,insecure,no_subtree_check,no_root_squash,fsid=12827c66f481fb49c1ebe975039823ef) 192.168.1.165(sec=sys,rw,async,wdelay,insecure,no_subtree_check,no_root_squash,fsid=12827c66f481fb49c1ebe975039823ef)
"/share/NFSv=4/Movies" 192.168.1.97(sec=sys,rw,async,wdelay,insecure,nohide,no_subtree_check,no_root_squash,fsid=def71df8b298543144a649dc1c29c56b) 192.168.1.165(sec=sys,rw,async,wdelay,insecure,nohide,no_subtree_check,no_root_squash,fsid=def71df8b298543144a649dc1c29c56b)

with 192.168.1.97 being the proxmox server IP
 
So I believe once this is solved on the host then the container should work as is (container uid 103 automatically mapping to 100103 on host with no custom user mapping required)
That's why I asked about the privilege status. It's a general permission problem that can be solved by using the right UIDs on the NFS server.
 
Yeah, correct. After a couple of hours looking around, I ended up editing /etc/config/nfssetting on the QNAP and all entries for squash_all_users, anonid and anongid. So all users access with the same UID and GID to that NFS share. Not quite the same as allowing users in the same group to access but good enough.
 
Hey, I'm struggling with the exact same thing as you, also with jellyfin. Could you pls elaborate how exactly you solved it?
Did you create a user jellyfin with uid 100103 and gid 3500 on your QNAP and set the NFS squash settings to all users, then set the anonid to the jellyfin user and the anongid to media?
 
Hi, the following solved it for me:

Installed Jellyfin in an unpriv container, jellyfin is user 103 on the LXC and is user 100103 on the proxmox host.
I created user 100103 as jellyfin on the host and group 3500 as media and added user jellyfin to that group

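# create the host-side user that container uid 103 maps to
useradd -u 100103 jellyfin
groupadd -g 3500 media
# usermod takes the login name, not the numeric uid
usermod -a -G media jellyfin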

I edited /etc/config/nfssettings on the NAS to be the following which basically changes all access to the anon uid and gid:

[SquashOption]
...
/share/CACHEDEV8/Movies=all_squash,no_root_squash

[AnonUID]
...
/share/CACHEDEV8/Movies=100000,65534

[AnonGID]
...
/share/CACHEDEV8/Movies=3500,65534

Custom user id mapping is not required in the LXC config.

Finally, restarted NFS service on the NAS with:

/etc/init.d/nfs restart

All media files and directories on the NAS have user=100000 and group=3500

Hope that helps, I was going to look to see if there was a better way at some point but this is what I have at the moment - let me know if you refine any.
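
Added example, not part of the thread and not QNAP or Proxmox code: a small parser for export entries in the form posted above that reports which UID/GID the server acts as for a sec=sys request and which options deserve review. It follows Linux exports(5) squash rules and assumes the QNAP's NFS server applies them the same way; the second sample line and its path are constructed to mirror the squash settings from the fix.

```python
import re

# Options worth a second look on a sec=sys export, with the reason per exports(5).
RISKY = {
    "no_root_squash": "root on the client acts as root on the share",
    "insecure": "requests from unprivileged source ports (>1023) are accepted",
    "async": "server may reply before data reaches stable storage",
}
TOKEN = re.compile(r'"([^"]+)"|([^\s()"]+)\(([^)]*)\)')  # quoted path | client(opts)

def parse_exports(text):
    """Return {path: {client: {option: value or True}}} for quoted-path entries."""
    exports, path = {}, None
    for m in TOKEN.finditer(text):
        if m.group(1):
            path = m.group(1)
            exports.setdefault(path, {})
        elif path is not None:
            pairs = (i.partition("=") for i in m.group(3).split(",") if i)
            exports[path][m.group(2)] = {k: v or True for k, _, v in pairs}
    return exports

def effective_ids(opts, uid, gid):
    """UID/GID the server acts as for a sec=sys request (exports(5) squash rules)."""
    anon = (int(opts.get("anonuid", 65534)), int(opts.get("anongid", 65534)))
    if "all_squash" in opts:            # wins over no_root_squash: root is mapped too
        return anon
    if "no_root_squash" not in opts:    # root_squash is the default
        return (anon[0] if uid == 0 else uid, anon[1] if gid == 0 else gid)
    return (uid, gid)                   # client-asserted IDs are used as sent

def findings(exports):
    """List (path, client, option, reason) for every risky option present."""
    return [(p, c, o, RISKY[o]) for p, clients in exports.items()
            for c, opts in clients.items() for o in RISKY if o in opts]

# Line 1: first /etc/exports entry from the thread, one client, fsid left out.
# Line 2: constructed; "/share/example" is a placeholder path.
SAMPLE = (
    '"/share/CACHEDEV8_DATA/Movies" 192.168.1.97(sec=sys,rw,async,wdelay,'
    'insecure,no_subtree_check,no_root_squash)\n'
    '"/share/example" 192.168.1.97(sec=sys,rw,all_squash,no_root_squash,'
    'anonuid=100000,anongid=3500)\n'
)

if __name__ == "__main__":
    for path, clients in parse_exports(SAMPLE).items():
        for client, opts in clients.items():
            print(path, client, effective_ids(opts, 100103, 3501))
```

With all_squash every caller from an allowed client address, root included, operates as the anonymous UID/GID that owns the files, so the export's client list is the only access boundary left.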
 
