[SOLVED] Unpriv LXC UID mapping for ZFS Bind Mount - SMB File server for family

v95klima

Hi
I would very much appreciate advice on how to set up, for five users, an unprivileged LXC UID mapping for a ZFS bind mount to an SMB file server for family.
I'm lost with several UID problems on both host and guest. There are guides for a single user, which worked as a start, but I need it working for five users.

How should chown be set on the PVE host and guest LXC for all five unprivileged LXC Samba users to access the two ZFS datasets?
Is this the way to go in LXC 100.conf with UID settings?

mp0: /two/d,mp=/mnt/two/d,backup=0
mp1: /one/d,mp=/mnt/one/d,backup=0
..
unprivileged: 1
..
lxc.idmap: u 0 100000 1000
lxc.idmap: g 0 100000 1000
lxc.idmap: u 1000 1000 1
lxc.idmap: g 1000 1000 1
lxc.idmap: u 1001 101001 1
lxc.idmap: g 1001 101001 1
lxc.idmap: u 1002 101002 1
lxc.idmap: g 1002 101002 1
lxc.idmap: u 1003 101003 1
lxc.idmap: g 1003 101003 1
lxc.idmap: u 1004 101004 1
lxc.idmap: g 1004 101004 1
lxc.idmap: u 1005 101005 64525
lxc.idmap: g 1005 101005 64525


other info HOST
root@pve:/etc/pve/lxc# zfs list
NAME USED AVAIL REFER MOUNTPOINT
one 168G 3.35T 112K /one
one/d 168G 3.35T 168G /one/d
two 122G 3.39T 112K /two
two/d 122G 3.39T 122G /two/d

other info GUEST 100.conf LXC
cat /etc/samba/smb.conf
[onewd]
comment = Private Folder
path = /mnt/one/d
writable = yes
guest ok = no
valid users = user1, user2, user3, user4, user5
force create mode = 770
force directory mode = 770
inherit permissions = yes
[twowd]
comment = Private Folder
path = /mnt/two/d
writable = yes
guest ok = no
valid users = user1, user2, user3, user4, user5
force create mode = 770
force directory mode = 770
inherit permissions = yes


Many thanks in advance.
 
I assume you want to map UIDs 1000-1004 in the container to the same UIDs on the host.

lxc.idmap: u 1000 1000 1
lxc.idmap: g 1000 1000 1
lxc.idmap: u 1001 101001 1
lxc.idmap: g 1001 101001 1
lxc.idmap: u 1002 101002 1
lxc.idmap: g 1002 101002 1
lxc.idmap: u 1003 101003 1
lxc.idmap: g 1003 101003 1
lxc.idmap: u 1004 101004 1
lxc.idmap: g 1004 101004 1
In that case this part can be abbreviated to:
Code:
lxc.idmap: u 1000 1000 5
lxc.idmap: g 1000 1000 5

The first number stands for the ID in the container.
The second number stands for the ID on the host.
The third number stands for the number of IDs to be mapped.

Also don't forget to allow mapping of these IDs in /etc/subuid and /etc/subgid:
Code:
root:1000:5

This is also described in our wiki:
https://pve.proxmox.com/wiki/Unprivileged_LXC_containers

How should chown be set at PVE Host and Guest LXC for all five unprivileged LXC Samba user to access the two zfs data sets?
It depends on who should have access to the directory. If all 5 users should have access, it would make sense to add them to a group and set the group that owns the files with chgrp.
 
Thank you fschauer!
I think it's working like it should now, minor proof of concept tested for 5 mins in a few scenarios, with five users and one common group called Family. This is how I set it up:


On the Proxmox PVE host:

Six IDs in subuid and subgid: one for each of the five users and one extra for the joint "family" group
root@pve:~# cat /etc/subuid
root:1000:6
root:100000:65536

root@pve:~# cat /etc/subgid
root:1000:6
root:100000:65536

Make sure all files and subdirectories in the ZFS data directory have chown -R root:family for what you want to mount inside the LXC later
root@pve:~# cd /one/d/
root@pve:/one/d# ls -alh
drwxrwxr-x 2 root family 2 Mar 13 14:44 test778999
-rwxrwxr-x 1 root family 2.0K Mar 10 12:35 wireguard

root@pve:/one/d# cat /etc/pve/lxc/100.conf
arch: amd64
cmode: shell
cores: 1
features: nesting=1
hostname: UnPrivLXCMountPointZFSsambaFORfamilyOFfive
memory: 512
mp0: /one/d,mp=/mnt/one/d,backup=0
mp1: /two/d,mp=/mnt/two/d,backup=0
net0: name=eth0,bridge=vmbr0,hwaddr=BC:24:11:17:79:D1,ip=dhcp,type=veth
ostype: debian
rootfs: local:100/vm-100-disk-0.raw,size=2G
swap: 512
unprivileged: 1
lxc.idmap: u 0 100000 1000
lxc.idmap: g 0 100000 1000
lxc.idmap: u 1000 1000 6
lxc.idmap: g 1000 1000 6
lxc.idmap: u 1006 101005 64531
lxc.idmap: g 1006 101005 64531

Set the user IDs to 1000, 1001, 1002, 1003 and 1004, and set the primary group for each member to 1005, which is the "family" group.
This way future edits by users will remain in the family group.
cat /etc/passwd
mk:x:1000:1005:,,,:/home/mk:/bin/bash
csk:x:1001:1005:,,,:/home/csk:/bin/bash
michael:x:1002:1005:,,,:/home/michael:/bin/bash
james:x:1003:1005:,,,:/home/james:/bin/bash
charles:x:1004:1005:,,,:/home/charles:/bin/bash

cat /etc/group
mk:x:1000:
csk:x:1001:
michael:x:1002:
james:x:1003:
charles:x:1004:
family:x:1005:mk,csk,michael,james,charles

On the Debian LXC that mounts the ZFS data for Samba sharing:
Create the exact same /etc/passwd and /etc/group as on the PVE host
After creating all five users and the family group:
usermod -aG family mk
smbpasswd -a mk
smbpasswd -e mk
Repeat these three steps for all 5 users

nano /etc/samba/smb.conf
add at the end of the file:

[one]
comment = Private Folder
path = /mnt/one/d
writable = yes
guest ok = no
valid users = @family
force create mode = 770
force directory mode = 770
inherit permissions = no

[two]
comment = Private Folder
path = /mnt/two/d
writable = yes
guest ok = no
valid users = @family
force create mode = 770
force directory mode = 770
inherit permissions = no


Reboot the PVE host and restart the LXC
Log in from another desktop on the same network, using the IP of your LXC 100 with the name given in brackets in the smb.conf file (here using 192.168.1.15 as an example IP)
smb://192.168.1.15/one
smb://192.168.1.15/two

Feedback on how to tweak security or close gaps is welcome!
If it's not working as planned after more in-depth testing than 5 mins, I'll circle back.
Thank you again!
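
The mapping rules from the reply above (container ID, host ID, count, plus the /etc/subuid delegation) checked against the final 100.conf in this thread. This is an added example, not part of any post and not Proxmox code; the function names are the example's own and the sample inputs are copied from the thread.

```python
# Sample inputs constructed from the final 100.conf and /etc/subuid shown in the thread.
IDMAP = """\
lxc.idmap: u 0 100000 1000
lxc.idmap: g 0 100000 1000
lxc.idmap: u 1000 1000 6
lxc.idmap: g 1000 1000 6
lxc.idmap: u 1006 101005 64531
lxc.idmap: g 1006 101005 64531
"""
SUBID = "root:1000:6\nroot:100000:65536\n"

def parse_idmap(conf, kind):
    """Return sorted (container_start, host_start, count) for kind 'u' or 'g'."""
    maps = []
    for line in conf.splitlines():
        key, _, value = line.partition(":")
        fields = value.split()
        if key.strip() == "lxc.idmap" and len(fields) == 4 and fields[0] == kind:
            maps.append(tuple(int(f) for f in fields[1:]))
    return sorted(maps)

def parse_subid(text, owner="root"):
    """Return (start, count) ranges delegated to owner in /etc/subuid or /etc/subgid."""
    rows = (line.split(":") for line in text.splitlines() if line.strip())
    return [(int(s), int(n)) for name, s, n in rows if name == owner]

def to_host(maps, cid):
    """Translate a container ID to its host ID, or None if it is unmapped."""
    for c, h, n in maps:
        if c <= cid < c + n:
            return h + (cid - c)
    return None

def check(maps, allowed):
    """List problems: overlapping ranges and host ranges missing from subuid/subgid."""
    problems = []
    for idx, label in ((0, "container"), (1, "host")):
        spans = sorted((m[idx], m[idx] + m[2]) for m in maps)
        problems += [f"{label} ranges overlap at {b0}"
                     for (_, a1), (b0, _) in zip(spans, spans[1:]) if b0 < a1]
    for c, h, n in maps:
        if not any(s <= h and h + n <= s + cnt for s, cnt in allowed):
            problems.append(f"host range {h}-{h + n - 1} not delegated")
    return problems

def identity_mapped(maps):
    """Container IDs that keep the same number on the host (not shifted)."""
    return [c + i for c, h, n in maps if c == h for i in range(n)]
```

`identity_mapped` returns 1000 to 1005 for this config: those container IDs act on the bind-mounted datasets with the same numeric identity as on the host, so they are the ones to review when tightening ownership and modes on /one/d and /two/d.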
 
