Accessing files from Host in CT

[davesie]

Hey,

I'm new to Proxmox. I want to setup a Nextcloud in a Ubuntu Container and want to use a ZFS dataset that is mounted on the HOST under /media/nextcloud/.
Before, I did not use Proxmox and just had Ubuntu installed on the machine directly and used this dataset to store all nextcloud data.
How do I get the Container to use this directory to use for the nextcloud data folder?
The owner of /media/nextcloud is is www-data:www-data.

I read this page: https://pve.proxmox.com/wiki/Unprivileged_LXC_containers but did not get it working.
To my /etc/pve/lxc/100.conf I added:

lxc.idmap: u 0 100000 33
lxc.idmap: g 0 100000 33
lxc.idmap: u 33 1005 1
lxc.idmap: g 33 1005 1
lxc.idmap: u 34 100034 65502
lxc.idmap: g 34 100034 65502

I want that the same user www-data can read, write and execute the files in the directory.
Is this the right way to approach that or is there a better and/or easier way to achieve what I'm trying to do?


Best Regards
Davesie

 

[Dunuin]

With a bind-mount and custom user remapping like in your link.

For UID 33 (www-data) it should look like this:

# uid map: from uid 0 map 33 uids (in the ct) to the range starting 100000 (on the host), so 0..32 (ct) → 100000..100032 (host)
lxc.idmap = u 0 100000 33
lxc.idmap = g 0 100000 33
# we map 1 uid starting from uid 33 onto 33, so 33 → 33
lxc.idmap = u 33 33 1
lxc.idmap = g 33 33 1
# we map the rest of 65535 from 34 upto 100034, so 34..65535 → 100034..165535
lxc.idmap = u 34 100034 65502
lxc.idmap = g 34 100034 65502

 

[davesie]

Hi thank you for the quick answer.
I tried out your suggestion and I can't start the container anymore and get the following error:

lxc_map_ids: 3668 newuidmap failed to write mapping "newuidmap: uid range [33-34) -> [33-34) not allowed": newuidmap 4082 0 100000 33 33 33 1 34 100034 65502
lxc_spawn: 1791 Failed to set up id mapping.
__lxc_start: 2074 Failed to spawn container "100"
TASK ERROR: startup for container '100' failed

 

[Dunuin]

Did you also added root:33:1 to hosts /etc/subuid and /etc/subgid files?

 

[Dee]

Hi, I tried the same and also got the same error.

/etc/subuid: root:1111:1
/etc/subgid: root:1111:1

lxc.idmap = u 0 100000 1111 lxc.idmap = g 0 100000 1111 lxc.idmap = u 1111 1111 1 lxc.idmap = g 1111 1111 1 lxc.idmap = g 1112 101112 64424 lxc.idmap = g 1112 101112 64424

 

[davesie]

Did you also added root:33:1 to hosts /etc/subuid and /etc/subgid files?

This was the part I was missing. It's working now. Thank you!

 

[davesie]

What if I want to use another user and group on for a second CT?
For example I want the group "peter" on the CT to access the files that are on the mounted drive on the HOST.
The directories on that drive belong to www-data:www-data.
How would I map this for the CT, so that the group "peter" on the CT can only READ the dirs/files?

 

[Dunuin]

You would need to map your www-data group on the host to your peter group inside the LXC so your peter and www-data groups will be the same.

 

[Dee]

I changed the existing "root:100000:65536". How stup..
Now I can start the CT, after adding root:1111:1
Thanks for the HINT

 

[davesie]

You would need to map your www-data group on the host to your peter group inside the LXC so your peter and www-data groups will be the same.

Let's say the groupid on the CT for "peter" is 1234.
And the user id and group id of www-data on the HOST is 33.

How would I map them?
Like this?

# map 1234 gid from 0...1233 --> 100000...1001233
lxc.idmap = g 0 100000 1234
# we map 1 gid from 33 --> 1234
lxc.idmap = g 33 1234 1

How do I map the rest?

 

[davesie]

Anybody has any hints?

 

[Dee]

Here is an example for UID=1111

Add to the file’s "/etc/subuid" AND "/etc/subgid"
root:1111:1

To /etc/pve/lxc/<xyz>.conf
# uid map: from uid 0 map 1111 uids (in the ct) to the range starting 100000 (on the host), so 0..32 (ct) → 100000..101110 (host)
lxc.idmap = u 0 100000 1111
lxc.idmap = g 0 100000 1111
# we map 1 uid starting from uid 1111 onto 1111, so 1111 → 1111
lxc.idmap = u 1111 1111 1
lxc.idmap = g 1111 1111 1
# we map the rest of 65535 from 1112 upto 101112, so 1112..65535 → 101112..164424
lxc.idmap = u 1112 101112 64424
lxc.idmap = g 1112 101112 64424

Hope this helps

 

[Dunuin]

But that example will map 1111 to 1111. He wants to map 33 to 1234, which makes the whole thing more complicated, as no UID/GID can be mapped twice.

 

[davesie]

Right. I understand how you would map the userid to the same userid in the container.
Maybe I'm thinking about the solution in the wrong way. How would you handle the following situation?

A ZFS dataset is mounted on the HOST.
This directory is owned by www-data:www-data with the userid/groupid 33.
The directory should be used by a couple of CTs, but the userids, that should be able to access and write to that directory, differ from CT to CT.

For example: The directory is used to store my nextcloud data on it, but another container with jellyfin or paperless should also be able to access the data.

I thought the best way would be to map the corresponding userid in the CT to the userid/groupid 33 on the host.

 

[omgs]

This was the part I was missing. It's working now. Thank you!

I have exactly the same case as you, but I get the same newuidmap error. I think the /etc/subuid and /etc/subgid must have more than the root:33:1 line that I'm missing. Can you (or anybody else) post if this is wrong and the missing contents?

Thanks in advance.