Bind Mount Point permissions

May 22, 2020
17
2
23
54
Hi, new user, trying to create bind mounts inside a container pointing to zfs datasets.

I create my zpool, and datasets, e.g.
zfs create ssdpool/test
zfs set mountpoint=/mnt/bind/test ssdpool/test


I use a Ubuntu Server 20.04 LTS container, and I add:
pct set 100 -mp1 /mnt/bind/test,mp=/test

I can see that changes I make on the host can be seen in the container, e.g.
pieter@server-2:~$ touch /mnt/bind/test/foo.txt
...
root@ubuntutest:~# ls -la /test
-rw-r--r-- 1 nobody nogroup 0 May 23 01:28 foo.txt


But, the user permissions inside the container do not match those outside the container.
If I try to change permissions from inside the container, I get an error:
root@ubuntutest:~# chmod -R a+rw /test
chmod: changing permissions of '/test': Operation not permitted
chmod: changing permissions of '/test/foo.txt': Operation not permitted


I understand that the user and group identifiers may not match between the host and the container or between containers.
I have some experience with Unraid where I can set the docker container user and group identifier to match those of the host, or I set permissions and ownership to nobody/users.

1) How can I set the permissions such that any user and any group can get r+w access, or how to I sync the user and group identifiers?

My ultimate goal is to move my docker containers and storage from Unraid to ZFS on Proxmox.
I could either install Docker on the proxmox host, or install Docker inside Ubuntu Server running in a container, and manage using docker, docker-compose, and portainer.
If I install on the host I can just map my volumes directly to zfs datasets.
If I install in a lxc container I need to use bind mounts to go from zfs datasets to the lxc container to the docker container.

2) If my primary needs are docker with volumes mapped to zfs datasets, why should I not just install docker directly on the host?
 
Hi,

As it looks like you have an unprivileged container.
This means that the UID/GID is mapped.
So root with UID 0 in the container is UID 100000 on the host.
Every UID/GID in the container is +100000 on the host.

You can set the permission on the host that it matches to the bind-mount or you can remap the UID/GID.
For the remapping see [1]
Or just run the container in privileged mode then the mapping is the same.

I would not install docker direct on the host because this can have dependency problems.
It's not included in our tests, so you're alone with such a setup.

1.) https://pve.proxmox.com/wiki/Unprivileged_LXC_containers
 
  • Like
Reactions: Rawkus
Thank you for the reply, I think I can figure the permission out by creating a shared group id for directory permissions.

Let's say I don't install Samba and Docker on PVE, and I install two Ubuntu Server LXC's, one used for Samba and one used for Docker.
And I want to use ZFS from within the LXC, as if I'm on the host, e.g. take snapshots, or the Docker ZFS storage driver.
Does that work? How does the usermode code ZFS in LXC match up against the ZFS kernel mode code on PVE?
 

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!