Add internal HDD to container

jxclark

Dec 28, 2023
I'm trying out Proxmox for the first time and am having trouble understanding how to add an internal hard drive to a container. Here is my setup, detailed as best as I understand it:
  • Computer is an old Dell Studio desktop with two drives: an SSD and an 8TB HDD.
  • The node I set up is on the SSD (sda3).
  • Created an unprivileged container with 1GB of memory (ID is 200) running Ubuntu 22.04.
  • Installed UrBackup in the container.
  • I mounted the HDD (sdb1) to "/mnt/backup" in the node and created a few files to have something in it.
  • Added the following to the fstab file in the node:
    • LABEL=BackupOne /mnt/backup ext4 defaults 0 2
  • Created the folder "/mnt/backup1" in the container.
  • Added the following to the "200.conf" file in "/etc/pve/lxc":
    • mp0: Backup1:200/vm-200-disk-1.raw,mp=/mnt/backup1,size=8000G
  • Also tried adding the drive to the node in the Datacenter.
    • Chose "Add", "Directory", with the ID of "Backup1" pointed to the "/mnt/backup" directory.
As I write this, some of it might be redundant as I tried numerous things to make it work. And some of these might be contradictory.

Speaking of making it work, here are my goals:
  1. Run UrBackup on a Proxmox container to back up the other computers on my home network.
  2. Use the 8TB HDD to store these backups.
I've got UrBackup successfully running, but the status page tells me that it does not have rights to access this directory (the HDD). That tracks, because when I go to "/mnt/backup1" in the container, the files I created are not there. I would think that if the container had access to the drive, then the files would show up.

I tried changing the permissions of the directory to this: drwxrwxr-x 3 root root 4096 Dec 27 22:11 backup1, but it didn't seem to help.

I'm a Windows user mostly, and just dabble in Linux, so I'm not used to the architecture and procedures in Linux. I've read a TON of how to do this, but it's obvious at this point that I'm chasing my tail. I'm hoping someone can set me on the right path.

Thanks,
John
 
No, I somehow missed that page. Thanks.

That looks like what I want to do; however, the UID stuff confuses me. For the example, they chose 1005, but what do I choose? Everything that's been installed in the container appears to have "root" as its owner and group. Does the app I'm running, UrBackup, have a UID? Do I need to map the root user and group? In other words, the philosophy of mapping permissions makes sense to me, but knowing who is who does not.
 
> For the example, they chose 1005, but what do I choose?
The UID the user is using that is running your service that needs access to those files/folders.

> Everything that's been installed in the container appears to have "root" as its owner and group.
Then it's not a secure setup. Services shouldn't run as your admin user unless it can't be avoided. If you run some malicious code (do you read every line of code from some random GitHub repos before installing it to check if it isn't malicious?) as an unprivileged user, that can't do that much damage without root privileges. If you run that code as root, it could screw up the whole LXC.
If it's a privileged LXC and that user can break out of the LXC, that user would also be the admin of the whole PVE host and could screw up everything on that physical machine.

> Does the app I'm running, UrBackup, have a UID?
Every process has to be owned by a user. Have a look at the UrBackup manual if it creates its own specific user. Otherwise it will use the user that you configure.

> Do I need to map the root user and group?
That wouldn't make much sense. The point of an unprivileged LXC is that the LXC's root user is an unprivileged user on the PVE host. So if something goes wrong in the LXC, this won't affect the whole server. If you map the LXC's root user to the host's root user, it is as insecure as running a privileged LXC.

> In other words, the philosophy of mapping permissions makes sense to me, but knowing who is who does not.
UID/GID 0 - 65535 in the LXC are mapped to UID/GID 100000 - 165535 on the host. So UID 0 (root) in the LXC is actually UID 100000 on the host. UID 1000 in the LXC is UID 101000 on the host and so on.
If UID 1000 in the unprivileged LXC should be able to access the bind-mounted folder on the host, you have to either:
A.) change the owner on the host to UID 101000 so this gets mapped to UID 1000 in the LXC or
B.) edit the remapping so UID 1000 on the host gets mapped to UID 1000 in the LXC instead of UID 101000 or
C.) chmod that folder to 777 so everyone can read/write it (not great for security)
 
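Added example, not part of any post in this thread: a shell sketch of the UID/GID translation described in the reply above, covering option A (chown to the shifted ID), option B (a custom `lxc.idmap`), and a check for the root-to-root mapping the reply warns against. The function names and both sample maps are constructed for illustration; `/mnt/backup` is the host path from the first post.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.
# Constructed sample: the default unprivileged mapping the reply describes.
DEFAULT_MAP='lxc.idmap: u 0 100000 65536
lxc.idmap: g 0 100000 65536'

# Constructed sample for option B: container UID/GID 1000 passes through
# to host UID/GID 1000; every other ID keeps the +100000 offset.
CUSTOM_MAP='lxc.idmap: u 0 100000 1000
lxc.idmap: g 0 100000 1000
lxc.idmap: u 1000 1000 1
lxc.idmap: g 1000 1000 1
lxc.idmap: u 1001 101001 64535
lxc.idmap: g 1001 101001 64535'

# host_id KIND CONTAINER_ID MAP: print the host ID that a container
# UID (KIND=u) or GID (KIND=g) resolves to; return 1 if no range covers it.
host_id() {
    printf '%s\n' "$3" | awk -v kind="$1" -v id="$2" '
        BEGIN { id += 0 }
        $1 == "lxc.idmap:" && $2 == kind && id >= $3 && id < $3 + $5 {
            print $4 + (id - $3); found = 1; exit
        }
        END { exit !found }'
}

# Option A: print (do not run) the chown that makes a host directory
# appear owned by container UID $1 / GID $2.
chown_cmd() {
    u=$(host_id u "$1" "$4") || return 1
    g=$(host_id g "$2" "$4") || return 1
    printf 'chown %s:%s %s\n' "$u" "$g" "$3"
}

# Flag the mapping the reply warns against: container root == host root.
root_is_host_root() {
    [ "$(host_id u 0 "$1")" = "0" ]
}

chown_cmd 1000 1000 /mnt/backup "$DEFAULT_MAP"   # option A
host_id u 1000 "$CUSTOM_MAP"                     # option B
```

For option B, the host must also allow root to delegate the passed-through ID, with a `root:1000:1` entry in `/etc/subuid` and `/etc/subgid`.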
Yes! Success!!! It took a few more rounds of trial and error to get it working, but I'm now finally running a backup. Thanks so much for your help. I'd never have gotten this far without it.
 
