[SOLVED] Unprivileged LXC user mapping getting Operation not permitted for chown

johannes-z
Nov 22, 2022
Hello, I ran into a problem when I tried to map my sonarr user to have write access to a directory mounted via mount point (which worked without a problem). The directory I need to change to be able to start the service again, however, shows nobody:nogroup, and even as root I cannot chown the folder: chown: changing ownership of '/var/lib/sonarr/': Operation not permitted. I read multiple threads but couldn't find a solution. Any help would be greatly appreciated! :)


Here is my configuration and result so far:

LXC Sonarr
cat /etc/passwd
Code:
sonarr:x:107:1000

/etc/pve/lxc/110.conf
Code:
lxc.idmap: u 0 100000 107
lxc.idmap: g 0 100000 1000
lxc.idmap: u 107 1000 1
lxc.idmap: g 1000 1000 1
lxc.idmap: u 108 100108 65428
lxc.idmap: g 1001 101001 64535

ls -lai /var/lib
Code:
1936 drwxr-xr-x  5 nobody  nogroup 4096 Apr 29 19:34 sonarr

/etc/subuid
Code:
root:100000:65536
root:1000:1

/etc/subgid
Code:
root:100000:65536
root:44:1
root:103:1
root:1000:1


chown sonarr:sonarr /var/lib/sonarr/
Code:
chown: changing ownership of '/var/lib/sonarr/': Operation not permitted
 
The root user inside an unprivileged container is (usually) user 100000, which does not have such permissions (which is good for safety/security reasons). Because the owner (and group) of the directory (on the host) are not mapped in the container, they appear as nobody (and nogroup). Try doing the chown on the host (with respect to the user mappings).
 
How can I chown the directory when it's within the lxc? Is there a command to access the LXC's FS?
 
... directory mounted via mount point ...
The directory is inside the container but also somewhere on the Proxmox host, since you mapped the directory using a mount point. Instead of chown on the directory inside the container, do the chown on the same directory on the Proxmox host. Can you share the container configuration file?
 
Oh sorry, the folder I'm trying to chown is not within the mount point. It's in the FS of the LXC container. The folder of the mount point I was able to chown, but the `/var/lib` folder I cannot.

This is the config of the LXC

Code:
root@media:~# cat /etc/pve/lxc/110.conf
## Sonarr LXC
arch: amd64
cores: 2
features: keyctl=1,nesting=1
hostname: sonarr
memory: 1024
mp0: /mnt/media,mp=/mnt/media
net0: name=eth0,bridge=vmbr0,gw=192.168.1.254,hwaddr=1A:B3:A2:C8:3E:7B,ip=192.168.1.210/24,type=veth
onboot: 1
ostype: debian
rootfs: local:110/vm-110-disk-0.raw,size=4G
swap: 512
unprivileged: 1
lxc.idmap: u 0 100000 107
lxc.idmap: g 0 100000 1000
lxc.idmap: u 107 1000 1
lxc.idmap: g 1000 1000 1
lxc.idmap: u 108 100108 65428
lxc.idmap: g 1001 101001 64535

The Sonarr service fails with:

Code:
Sonarr failed to start: AppFolder /var/lib/sonarr is not writable

And it's because the sonarr user has no write access to this directory

Code:
root@sonarr:~# ls -la /var/lib/sonarr/
total 18144
drwxr-xr-x  5 nobody nogroup     4096 Apr 29 19:34 .


I created this LXC and used it before adding the user mapping, because I then needed write access to the mount point folder.
When I remove the user mapping from the lxc configuration, the service starts again.


Edit:

After reverting the user mapping, the permissions of the directory in question change:

Code:
root@sonarr:~# ls -lai /var/lib/sonarr/
total 17944
1936 drwxr-xr-x  5 sonarr sonarr     4096 Apr 29 20:34 .
 
Hi, changing the user mapping does not change the file owners (uid/gid) on the container filesystem level. You can use pct mount [1] on the host to mount the container filesystem and adjust the owners there.

[1]: https://pve.proxmox.com/pve-docs/pct.1.html
 
Hi, I'm having the same problem. However, I cannot chown the shared folder using the pct mount command on the host or from inside the LXC. There is no error message either.

Bash:
$ ls -la
total 4
drwxr-xr-x 2 root   root      0 Sep  8 21:16 .
drwxr-xr-x 3 100000 100000 4096 Sep  9 01:12 ..
drwxr-xr-x 2 root   root      0 Sep  8 18:59 dump
drwxr-xr-x 2 root   root      0 Sep  8 21:16 paperless-ngx
drwxr-xr-x 2 root   root      0 Sep  8 18:59 private
dr-xr-xr-x 2 root   root      0 Sep  9 00:00 @Recently-Snapshot
drwxr-xr-x 2 root   root      0 Sep  8 18:50 @Recycle
$ chown -R 1000:1000 /var/lib/lxc/107/rootfs/mnt/Documents/paperless-ngx
$ ls -la
total 4
drwxr-xr-x 2 root   root      0 Sep  8 21:16 .
drwxr-xr-x 3 100000 100000 4096 Sep  9 01:12 ..
drwxr-xr-x 2 root   root      0 Sep  8 18:59 dump
drwxr-xr-x 2 root   root      0 Sep  8 21:16 paperless-ngx
drwxr-xr-x 2 root   root      0 Sep  8 18:59 private
dr-xr-xr-x 2 root   root      0 Sep  9 00:00 @Recently-Snapshot
drwxr-xr-x 2 root   root      0 Sep  8 18:50 @Recycle

I tried with mapping and without mapping.

Bash:
$ cat /etc/pve/lxc/107.conf
#lxc.idmap: u 0 100000 1000
#lxc.idmap: g 0 100000 1000
#lxc.idmap: u 1000 1000 1
#lxc.idmap: g 1000 1000 1
#lxc.idmap: u 1001 101006 64530
#lxc.idmap: g 1001 101006 64530
arch: amd64
cores: 6
features: nesting=1
hostname: paperless.hddd.local
lock: mounted
memory: 4000
mp0: /mnt/pve/Documents,mp=/mnt/Documents,ro=0,shared=1
nameserver: 192.168.XX.XX
net0: name=eth0,bridge=vmbr0,firewall=1,gw=192.168.XX.X,hwaddr=XX:XX:XX:XX:XX:XX,ip=192.168.XX.XX/24,type=veth
ostype: debian
rootfs: local-raid-group:vm-107-disk-0,size=30G
searchdomain: hddd.local
swap: 512
unprivileged: 1

Bash:
$ cat /etc/subuid
root:1000:1
root:100000:65536

Bash:
$ cat /etc/subgid
root:1000:1
root:100000:65536

Any ideas?

Thanks!
 
Hi, as far as I can tell, the mountpoint /mnt/Documents/ inside the container points to /mnt/pve/Documents on the host. Judging from the name, this seems to be a mounted filesystem -- what filesystem is this? If it is a CIFS share (without UNIX extensions), you cannot change the file ownership using chown. You could, however, use the uid and gid mount options to have files and directories be owned by a specific user (in your case, 1000:1000), see e.g. [1] [2].

Hope this helps!

[1] https://unix.stackexchange.com/a/68081
[2] https://forum.proxmox.com/threads/tutorial-unprivileged-lxcs-mount-cifs-shares.101795/
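Both problems in this thread come down to the same arithmetic: which host-side id a container id maps to through the lxc.idmap lines, and therefore what number a chown on the host (after pct mount) or a uid=/gid= option on a host-side CIFS mount has to use. The script below is an added example, not code from the thread, from Proxmox or from LXC. It embeds the two idmap configurations and the /etc/subuid content posted above as text so it runs offline; the function names (idmap_lookup, ct_to_host, host_to_ct, idmap_gaps, subid_check, cifs_owner_opts) are this example's own, and the remark that /var/lib/sonarr is probably owned on disk by host uid 100107 is an inference from the default 0->100000 map, not something the thread shows.

```sh
#!/bin/sh
# Added example, not code from the thread, Proxmox or LXC. Translates ids
# between container and host through the lxc.idmap lines of a pct config, so
# that a chown done on the host after `pct mount`, or a uid=/gid= option on a
# host-side CIFS mount, uses the number the container user really maps to.
# The idmap text is copied from the thread and embedded so this runs offline.

CT_CONF_110='lxc.idmap: u 0 100000 107
lxc.idmap: g 0 100000 1000
lxc.idmap: u 107 1000 1
lxc.idmap: g 1000 1000 1
lxc.idmap: u 108 100108 65428
lxc.idmap: g 1001 101001 64535'

# The second poster's map (107.conf) with the comment markers removed.
CT_CONF_107='lxc.idmap: u 0 100000 1000
lxc.idmap: g 0 100000 1000
lxc.idmap: u 1000 1000 1
lxc.idmap: g 1000 1000 1
lxc.idmap: u 1001 101006 64530
lxc.idmap: g 1001 101006 64530'

# /etc/subuid from the first post.
SUBUID_110='root:100000:65536
root:1000:1'

# idmap_lookup CONF TYPE ID SIDE: map ID (TYPE u or g) from SIDE ("ct" or
# "host") to the other side; prints "unmapped" when no range covers it. An
# unmapped owner is exactly what ls inside the container shows as nobody.
idmap_lookup() {
    result=$(printf '%s\n' "$1" | while read -r key t cstart hstart count; do
        [ "$key" = "lxc.idmap:" ] && [ "$t" = "$2" ] || continue
        if [ "$4" = host ]; then from=$hstart; to=$cstart; else from=$cstart; to=$hstart; fi
        if [ "$3" -ge "$from" ] && [ "$3" -lt "$((from + count))" ]; then
            echo "$((to + $3 - from))"
            break
        fi
    done)
    echo "${result:-unmapped}"
}
ct_to_host() { idmap_lookup "$1" "$2" "$3" ct; }
host_to_ct() { idmap_lookup "$1" "$2" "$3" host; }

# idmap_gaps CONF TYPE: container id ranges in 0..65535 that no lxc.idmap
# line of TYPE covers, one "start-end" per line; silent for a complete map.
idmap_gaps() {
    printf '%s\n' "$1" | grep "^lxc.idmap: $2 " | sort -k3,3n | {
        next=0
        while read -r key t cstart hstart count; do
            [ "$cstart" -gt "$next" ] && echo "$next-$((cstart - 1))"
            next=$((cstart + count))
        done
        [ "$next" -lt 65536 ] && echo "$next-65535"
        true
    }
}

# subid_check CONF SUBFILE TYPE: every lxc.idmap line of TYPE whose host range
# is not delegated to root by SUBFILE (text of /etc/subuid or /etc/subgid).
# LXC refuses to start the container while such a line exists.
subid_check() {
    printf '%s\n' "$1" | grep "^lxc.idmap: $3 " |
    while read -r key t cstart hstart count; do
        ok=0
        while IFS=: read -r user sstart slen; do
            [ "$user" = root ] || continue
            if [ "$hstart" -ge "$sstart" ] && [ "$((hstart + count))" -le "$((sstart + slen))" ]; then
                ok=1
            fi
        done <<EOF
$2
EOF
        [ "$ok" = 1 ] || echo "$key $t $cstart $hstart $count"
    done
}

# cifs_owner_opts CONF CTUID CTGID: uid=/gid= options for a host-side CIFS
# mount so that it appears owned by CTUID:CTGID inside the container.
cifs_owner_opts() {
    echo "uid=$(ct_to_host "$1" u "$2"),gid=$(ct_to_host "$1" g "$3")"
}

# Worked through for container 110, where sonarr is 107:1000 inside:
#   ct_to_host "$CT_CONF_110" u 107        -> 1000  (chown target on the host)
#   host_to_ct "$CT_CONF_110" u 100107     -> unmapped: nobody in the CT. 100107
#       is where uid 107 sat under the default 0->100000 map, i.e. the likely
#       on-disk owner of /var/lib/sonarr (an inference, not shown in the thread)
#   idmap_gaps "$CT_CONF_107" u            -> 65531-65535 (map ends 5 ids short)
#   cifs_owner_opts "$CT_CONF_110" 107 1000 -> uid=1000,gid=1000
# The fix on the host, as the thread's answer suggests (not executed here):
#   pct mount 110
#   chown -R 1000:1000 /var/lib/lxc/110/rootfs/var/lib/sonarr
#   pct unmount 110
```

The script is POSIX sh and needs only grep and sort. idmap_gaps on the second poster's map merely reports that its last range stops at container id 65530 instead of 65535; that is arithmetic on the posted lines, not a diagnosis of the CIFS symptom, which the answer above attributes to the share itself. For a real container, feed it the output of cat /etc/pve/lxc/<vmid>.conf and cat /etc/subuid instead of the embedded text.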
 
