Bind mount confusion

onnwheat

New Member
Dec 22, 2024
I am hoping somebody here can help; I have been trying to work this out for what seems like weeks.

I have a Proxmox host with a 1 TB SSD drive set up on it as /mnt/drive1. When I do ls -l I get this output:

drwxr-xr-x 7 root root 4096 Dec 8 01:25 drive1

I have an unprivileged container called NZBGet that I am trying to bind mount this drive to. I have done this in the conf file on the host...

mp0: /mnt/drive1,mp=/mnt/drive1

I can access the drive successfully on the NZBGet container, but I am unable to write to it. When I do ls -l on the NZBGet container I get this...

drwxr-xr-x 2 nobody nogroup 4096 Dec 8 21:27 drive1

I have looked at the guide on pve.proxmox.com/wiki/Unprivileged_LXC_containers but I am confused about how to apply it to my situation. From what I understand, I want to map users on the NZBGet container to the users on the Proxmox host. Does the example provided in the docs work for my situation?

Code:
# uid map: from uid 0 map 1005 uids (in the ct) to the range starting 100000 (on the host), so 0..1004 (ct) → 100000..101004 (host)
lxc.idmap = u 0 100000 1005
lxc.idmap = g 0 100000 1005
# we map 1 uid starting from uid 1005 onto 1005, so 1005 → 1005
lxc.idmap = u 1005 1005 1
lxc.idmap = g 1005 1005 1
# we map the rest of 65535 from 1006 up to 101006, so 1006..65535 → 101006..165535
lxc.idmap = u 1006 101006 64530
lxc.idmap = g 1006 101006 64530
 
The uids and gids of unprivileged containers are mapped so that 0 in the container corresponds to 100000 on the host. By default the id range 0..65535 in the container is mapped to 100000..165535 on the host.

If all you want is to access files in the mount point only from within that one unprivileged container, you could chown all the files under /mnt/drive1 to belong to a uid and gid in the range 100000..165535.

The other option would be to map a specific uid/gid in the container to the same one on the host. Mapping root is not a good security practice, so it might be a good idea to make the files under /mnt/drive1 be owned by some other user/group (e.g. 1005).
Then map 1005 in the container to 1005 on the host, while keeping all of the other mappings in place, as is done by the provided example from the wiki.
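
Added example, not part of the thread or the wiki: a small Python translator for the lxc.idmap lines quoted in the question. It shows why host root (uid 0) has no container-side id under the default mapping, so the container lists the directory as nobody/nogroup, and how the 1005 passthrough changes that. The function names and DEFAULT_CONF are constructed for illustration; DEFAULT_CONF encodes the default range stated in the answer.

```python
import re
# The idmap lines quoted in the question (the wiki example).
IDMAP_CONF = """\
lxc.idmap = u 0 100000 1005
lxc.idmap = g 0 100000 1005
lxc.idmap = u 1005 1005 1
lxc.idmap = g 1005 1005 1
lxc.idmap = u 1006 101006 64530
lxc.idmap = g 1006 101006 64530
"""
# Constructed from the answer's description: 0..65535 -> 100000..165535.
DEFAULT_CONF = "lxc.idmap = u 0 100000 65536\nlxc.idmap = g 0 100000 65536\n"
LINE = re.compile(r"^\s*lxc\.idmap\s*=\s*([ug])\s+(\d+)\s+(\d+)\s+(\d+)\s*$")

def parse_idmap(conf, kind="u"):
    """Return sorted (ct_start, host_start, count) ranges for 'u' or 'g'."""
    ranges = []
    for line in conf.splitlines():
        m = LINE.match(line)
        if m and m.group(1) == kind:
            ranges.append(tuple(int(x) for x in m.groups()[1:]))
    return sorted(ranges)

def to_host(ranges, ct_id):
    """Host id that a container id resolves to, or None if unmapped."""
    for ct, host, n in ranges:
        if ct <= ct_id < ct + n:
            return host + (ct_id - ct)
    return None

def to_container(ranges, host_id):
    """Container id for a host id; None means it is shown as nobody/nogroup."""
    for ct, host, n in ranges:
        if host <= host_id < host + n:
            return ct + (host_id - host)
    return None

def problems(ranges, span=65536):
    """Report gaps or overlaps in container-side coverage of 0..span-1."""
    issues, expected = [], 0
    for ct, _host, n in ranges:
        if ct > expected:
            issues.append(f"gap: container ids {expected}..{ct - 1} unmapped")
        elif ct < expected:
            issues.append(f"overlap at container id {ct}")
        expected = max(expected, ct + n)
    if expected < span:
        issues.append(f"gap: container ids {expected}..{span - 1} unmapped")
    return issues
```

Running `problems()` on a map before restarting the container catches the usual editing mistake of leaving a hole or an overlap around the passthrough id.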
 
