[SOLVED] Bind mount in a nonprivileged container of a FUSE mount in the host


Active Member
Jan 22, 2017
I have a non-privileged 150 container on a Proxmox 7.4.
On the host I have a directory from another server mounted via sshfs on /mnt/server2, so it is fuse.
sshfs -o reconnect -C server2.domain.net:/disk /mnt/server2

Now in container 150 I have the following configuration

arch: amd64
cores: 2
memory: 5000
cpulimit: 2
features: nesting=1
mp0: /mnt/server2/web,mp=/mnt/web
net0: name=eth0,....(not relevant)
unprivileged: 1
ostype: debian
protection: 1
rootfs: local-zfs:subvol-150-disk-1,size=200G
lxc.cgroup2.devices.allow: c 108:0 rwm
lxc.mount.entry: /dev/ppp dev/ppp none bind,create=file
lxc.mount.entry: /var/spool/postfix/dev/urandom var/spool/postfix/dev/urandom none bind,ro 0 0
lxc.mount.entry: /var/spool/postfix/dev/random var/spool/postfix/dev/random none bind,ro 0 0 0
lxc.mount.entry: /lib/udev/devices/simfs lib/udev/devices/simfs none bind,ro 0 0 0
lxc.mount.entry: /lib/udev/devices/fuse lib/udev/devices/fuse none bind,ro 0 0 0
lxc.mount.entry: /var/lib/docker/vfs/backingFsBlockDev var/lib/docker/vfs/backingFsBlockDev none bind,ro 0 0 0

Everything seems to be fine when i do
pct start 150
but when doing inside the container

ls -la /mnt

I get

d????????? ? ?    ?    ?            ? web

And if I try to enter /mnt/web I get permission denied.

Of course in the host can access /mnt/server2/web without problem

And if the directory in the host is not a FUSE mount, all work as is expected.
The problem seem to be some kind of permissions error in the FUSE mount .

Some clues?
Setting a mapping of the host permissions on the unprivileged LXC

In /etc/pve/lxc/150.conf
lxc.idmap: u 0 100000 1005
lxc.idmap: g 0 100000 1005
lxc.idmap: u 1005 1005 1
lxc.idmap: g 1005 1005 1
lxc.idmap: u 1006 101006 64530
lxc.idmap: g 1006 101006 64530

In /etc/subuid

In /etc/subgid

And setting in the directory of host to mount in container

chown -R 1005:1005 /mnt/server2/web

And restarting the container, the result is exactly the same

d????????? ? ?    ?    ?            ? web

With the mapping the only thing I get is that the correct host user appears in the unprivileged LXC. But it does not solve this problem which seems to be incorrect or corrupted information.

The problem does not occur if the host directory points to a local drive. In that case the mapping of course works showing the mapped user correctly.

The problem only occurs if the host directory is a FUSE mount (made with sshfs).
Often the solution lies in the problem statement itself. If the problem only occurs with sshfs then you have to touch something in sshfs.
In fact it is enough to use the parameter -o "allow_other".

sshfs -o reconnect -C -o "allow_other" server2.domain.net:/disk /mnt/server2

parameter so that sshfs has access to users other than root. This is apparently necessary for FUSE to propagate correctly from the host to the unprivileged container.

With the default Proxmox configuration (no need for explicit lxc.idmap) it works correctly. Simply that user n from the container is relocated to 100000+n on the host.
  • Like
Reactions: fschauer


The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!