Bind Mount Points -- how to fix nobody : nogroup permission denied

pkr

New Member
Aug 22, 2023
context:
- prepared an NVMe drive (/dev/nvme1n1) on the PVE host
- created an ext4 filesystem
- mounted it on the PVE host
- bind-mounted the mounted directory on the PVE host into Container (201):
Bash:
pct set 201 -mp0 /mnt/bindmounts/nvme1n1p1,mp=/mnt/nvme1n1p1-data
- similarly did a PCIe passthrough to a Virtual Machine (301):
Bash:
qm set 301 -scsi2 /dev/disk/by-id/nvme-<device-id>
- was able to log into VM-301 and see the drive
- created a folder and a file using a non-root user
- was able to log into CT-201 and see the drive

question:
- when logged into CT-201, I am unable to create/cat the contents of any files on this drive

resources:
https://pve.proxmox.com/wiki/Linux_Container#_bind_mount_points
 
I made the following changes

/etc/pve/lxc/201.conf
Markdown (GitHub flavored):
lxc.idmap: u 0 100000 1000
lxc.idmap: g 0 100000 1000
lxc.idmap: u 1000 1000 1
lxc.idmap: g 1000 1000 1
lxc.idmap: u 1001 1001 1
lxc.idmap: g 1001 1001 1
lxc.idmap: u 1002 1002 1
lxc.idmap: g 1002 1002 1
lxc.idmap: u 2001 102000 63535
lxc.idmap: g 2001 102000 63535

/etc/subgid
Markdown (GitHub flavored):
root:1002:1

/etc/subuid
Markdown (GitHub flavored):
root:1002:1

When I reboot the PVE host or the container CT-201,
I see the following error in the web GUI Task History

Markdown (GitHub flavored):
lxc_map_ids: 3701 newuidmap failed to write mapping "newuidmap: uid range [1000-1001) -> [1000-1001) not allowed": newuidmap 21977 0 100000 1000 1000 1000 1 1001 1001 1 1002 1002 1 2001 102000 63535
lxc_spawn: 1788 Failed to set up id mapping.
TASK ERROR: startup for container '201' failed
 
Just for now, I made the following changes and was able to boot the container

Markdown (GitHub flavored):
lxc.idmap: u 0 100000 1000
lxc.idmap: g 0 100000 1000
lxc.idmap: u 1002 1002 1
lxc.idmap: g 1002 1002 1
lxc.idmap: u 2000 102000 63535
lxc.idmap: g 2000 102000 63535

However, I am keen to learn and understand why/how I could do the mapping for the other UIDs/GIDs as well

Markdown (GitHub flavored):
lxc.idmap: u 1000 1000 1
lxc.idmap: g 1000 1000 1
lxc.idmap: u 1001 1001 1
lxc.idmap: g 1001 1001 1
 
However, I am keen to learn and understand why/how I could do the mapping for the other UIDs/GIDs as well

Markdown (GitHub flavored):
lxc.idmap: u 1000 1000 1
lxc.idmap: g 1000 1000 1
lxc.idmap: u 1001 1001 1
lxc.idmap: g 1001 1001 1
You can do that exactly like your successful mapping of uid and gid 1002.
Markdown (GitHub flavored):
lxc_map_ids: 3701 newuidmap failed to write mapping "newuidmap: uid range [1000-1001) -> [1000-1001) not allowed": newuidmap 21977 0 100000 1000 1000 1000 1 1001 1001 1 1002 1002 1 2001 102000 63535
The error message states that mapping uid 1000 is not allowed (by root). You'll get similar errors for gid 1000, uid 1001 and gid 1001.
/etc/subgid
Markdown (GitHub flavored):
root:1002:1

/etc/subuid
Markdown (GitHub flavored):
root:1002:1
You added permission for root only for uid and gid 1002, but not uid/gid 1000 and uid/gid 1001. Add those two in each and I expect it to work.
I don't think it's wise to remove the original root:100000:65536 from those files.
 
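The check leesteken describes above (newuidmap refusing any range that root has no /etc/subuid or /etc/subgid entry for) can be reproduced offline. The script below is an added example, not code from this thread or from Proxmox: it builds the lxc.idmap lines for a set of host IDs that should be mapped 1:1 into an unprivileged container, the matching root: lines for /etc/subuid and /etc/subgid, and then validates every idmap range against a subuid-style allow list the way newuidmap does. The function names, the 100000 base and the two constructed allow-list files in the demo are assumptions; pass the real /etc/subuid path to check_idmap to test your own config.

```shell
#!/usr/bin/env bash
# Added example (not from the thread or Proxmox): generate lxc.idmap lines
# that map a few host ids 1:1 into an unprivileged CT, the matching
# /etc/subuid + /etc/subgid entries, and check the result the way
# newuidmap does: every host range must lie inside a range root owns.
set -eu

# gen_idmap BASE ID...  (IDs ascending, each below 65536)
# Container ids 0..65535 are covered: listed ids map to themselves, the
# rest are shifted by BASE, so the last range is 65536 minus its start.
gen_idmap() {
  local base=$1; shift
  local next=0 id
  for id in "$@"; do
    if [ "$id" -gt "$next" ]; then
      echo "lxc.idmap: u $next $((base + next)) $((id - next))"
      echo "lxc.idmap: g $next $((base + next)) $((id - next))"
    fi
    echo "lxc.idmap: u $id $id 1"
    echo "lxc.idmap: g $id $id 1"
    next=$((id + 1))
  done
  if [ "$next" -lt 65536 ]; then
    echo "lxc.idmap: u $next $((base + next)) $((65536 - next))"
    echo "lxc.idmap: g $next $((base + next)) $((65536 - next))"
  fi
}

# gen_subid BASE ID...  -> lines root needs in /etc/subuid and /etc/subgid
# (keep the BASE line; the identity ids are additional one-id grants)
gen_subid() {
  local base=$1; shift
  local id
  echo "root:$base:65536"
  for id in "$@"; do echo "root:$id:1"; done
}

# range_allowed USER HOST COUNT < subid-file
# True if some "USER:start:count" line contains all of [HOST, HOST+COUNT).
range_allowed() {
  local user=$1 host=$2 end=$(($2 + $3)) u s c
  while IFS=: read -r u s c; do
    [ "$u" = "$user" ] || continue
    if [ "$s" -le "$host" ] && [ "$end" -le $((s + c)) ]; then return 0; fi
  done
  return 1
}

# check_idmap SUBID_FILE < idmap-lines
# Prints each range root may not use (the ones newuidmap rejects); returns 1 if any.
check_idmap() {
  local file=$1 rc=0 kw kind start host count
  while read -r kw kind start host count; do
    [ "$kw" = "lxc.idmap:" ] || continue
    if ! range_allowed root "$host" "$count" < "$file"; then
      echo "not allowed: $kind range [$host-$((host + count))) for container id $start"
      rc=1
    fi
  done
  return $rc
}

# --- demo with constructed allow-lists (pass the real /etc/subuid instead) ---
tmp=$(mktemp)
gen_subid 100000 1002 > "$tmp"            # first attempt: root granted only 1002
gen_idmap 100000 1000 1001 1002 | check_idmap "$tmp" || echo "-> container would fail to start"
gen_subid 100000 1000 1001 1002 > "$tmp"  # grant 1000 and 1001 as well
gen_idmap 100000 1000 1001 1002 | check_idmap "$tmp" && echo "-> mapping allowed"
rm -f "$tmp"
```

The generator keeps the container's full 0..65535 range contiguous (the last range is sized as 65536 minus its start), which is why the root:100000:65536 line must stay in both files: the shifted ranges are validated against it, and only the identity-mapped ids need the extra one-id grants.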
Thank you @leesteken for your help, I have now made the following changes

/etc/pve/lxc/201.conf
Markdown (GitHub flavored):
lxc.idmap: u 0 100000 1000
lxc.idmap: g 0 100000 1000
lxc.idmap: u 1000 1000 1
lxc.idmap: g 1000 1000 1
lxc.idmap: u 1001 1001 1
lxc.idmap: g 1001 1001 1
lxc.idmap: u 1002 1002 1
lxc.idmap: g 1002 1002 1
lxc.idmap: u 2000 102000 63536
lxc.idmap: g 2000 102000 63536

/etc/subgid
Markdown (GitHub flavored):
root:100000:65536
w3m:165536:65536
pk:231072:65536
smh:296608:65536
root:1000:1
root:1001:1
root:1002:1

/etc/subuid
Markdown (GitHub flavored):
root:100000:65536
w3m:165536:65536
pk:231072:65536
smh:296608:65536
root:1000:1
root:1001:1
root:1002:1

The bind mount point /mnt/bindmount/nvme1n1p1
is what I want to share with Container CT-201.
I have changed the ownership of this directory on the host from root:root to smh:smh:

Markdown (GitHub flavored):
root@pve:~# ls -l /mnt/bindmount
total 4
drwxr-xr-x 4 smh smh 4096 Sep  1 20:46 nvme1n1p1

observation:
- now i am able to start the Container CT-201
- when I log into CT-201 as user smh, it doesn't take me to its home directory, /home/smh ... instead it takes me to /
- so, how do I fix this new behaviour?!
- also, is there an alternate path, such as Device Mount Points to a Container?!
 
observation:
- now i am able to start the Container CT-201
Good.
- when I log into CT-201 as user smh, it doesn't take me to its home directory, /home/smh ... instead it takes me to /
Check the owner and group of /home/smh inside the container. You mapped host user/group 1002 into the container but that does not change the owner/group of the existing files inside the container, which probably are still 101002:101002 and mapped to nobody:nogroup.
There is a common expectation that the owner/permissions of the files follow the user mapping but it does not, and there are several threads about this on this forum.
- so, how do I fix this new behaviour?!
Remapping the owner/group with chown is best done outside the container from the host, or delete the directory and recreate it with the right owner (inside the container).
- also, is there an alternate path, such as, Device Mount Points to a Container ?!
I don't understand the question, sorry.
 
Thank you @leesteken

For context, I have the same set of 3 users (w3m, pk, smh) on both the host and the container,
and when I log into the container with their respective credentials, I would prefer that it lands in their respective home directories

Host: /etc/passwd
Markdown (GitHub flavored):
...
w3m:x:1000:1000:,,,:/home/w3m:/bin/bash
pk:x:1001:1001:,,,:/home/pk:/bin/bash
smh:x:1002:1002:,,,:/home/smh:/bin/bash

Host: /etc/group
Markdown (GitHub flavored):
...
w3m:x:1000:
pk:x:1001:
smh:x:1002:

Container: /etc/passwd
Markdown (GitHub flavored):
...
w3m:x:1000:1000:,,,:/home/w3m:/bin/bash
pk:x:1001:1001:,,,:/home/pk:/bin/bash
smh:x:1002:1002:,,,:/home/smh:/bin/bash

Container: /etc/group
Markdown (GitHub flavored):
...
w3m:x:1000:
pk:x:1001:
smh:x:1002:


question:
- should I be considering a different way of mapping UID/GID for this behaviour to happen?
 
Hi there,

I believe that this

Code:
lxc.idmap: u 0 100000 1000
lxc.idmap: g 0 100000 1000
lxc.idmap: u 1000 1000 1
lxc.idmap: g 1000 1000 1
lxc.idmap: u 1001 1001 1
lxc.idmap: g 1001 1001 1
lxc.idmap: u 1002 1002 1
lxc.idmap: g 1002 1002 1
lxc.idmap: u 2000 102000 63536
lxc.idmap: g 2000 102000 63536

needs to become this:

Code:
lxc.idmap: u 0 100000 1000
lxc.idmap: g 0 100000 1000
lxc.idmap: u 1000 1000 1
lxc.idmap: g 1000 1000 1
lxc.idmap: u 1001 1001 1
lxc.idmap: g 1001 1001 1
lxc.idmap: u 1002 1002 1
lxc.idmap: g 1002 1002 1
lxc.idmap: u 1003 101003 63533
lxc.idmap: g 1003 101003 63533

Furthermore, if you created a user before changing /etc/pve/lxc/201.conf, that user has got a numeric ID like 1000 or something else inside the container.
If you do this on your PVE host:
pct mount 201
it will mount the container's filesystem at /var/lib/lxc/201/rootfs.

So you could do:
ls -al /var/lib/lxc/201/rootfs/home

You'll now see the user/group and rights as PVE sees them.

As @leesteken wrote, you will probably have /home/w3m owned by nobody and nogroup now; you'll need to change that.
 
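Both replies above come down to ID arithmetic: a file created inside the CT before the remap was stored on the host under the old mapping, and under the new mapping that host ID may not correspond to any container ID at all, which the container then shows as nobody:nogroup (the kernel's overflow ID 65534). The script below is an added example, not code from this thread or from Proxmox; it translates IDs in both directions for the Proxmox default map and for the working map posted in this thread, and prints the chown command to run on the host after pct mount 201. It assumes the u and g maps are identical (as they are here) and that the rootfs is mounted at /var/lib/lxc/201/rootfs as the reply describes.

```shell
#!/usr/bin/env bash
# Added example (not from the thread or Proxmox): ID arithmetic for an
# unprivileged CT. A map line is "START HOST COUNT": container ids
# START..START+COUNT-1 appear on the host as HOST..HOST+COUNT-1.
set -eu

# Proxmox default for unprivileged CTs (root:100000:65536 in /etc/subuid)
OLD_MAP='0 100000 65536'
# The working map from this thread (u and g lines are identical, so one list)
NEW_MAP='0 100000 1000
1000 1000 1
1001 1001 1
1002 1002 1
2000 102000 63536'

# ct_to_host "$MAP" CTID: host id that owns a file the CT creates as CTID.
# Returns 1 if CTID is not mapped (such a user cannot own files at all).
ct_to_host() {
  local ctid=$2 start host count
  while read -r start host count; do
    [ -n "$start" ] || continue
    if [ "$ctid" -ge "$start" ] && [ "$ctid" -lt $((start + count)) ]; then
      echo $((host + ctid - start)); return 0
    fi
  done <<EOF
$1
EOF
  return 1
}

# host_to_ct "$MAP" HOSTID: what the CT sees as owner of a host file.
# Unmapped host ids show up as the kernel overflow id 65534 (nobody/nogroup).
host_to_ct() {
  local hid=$2 start host count
  while read -r start host count; do
    [ -n "$start" ] || continue
    if [ "$hid" -ge "$host" ] && [ "$hid" -lt $((host + count)) ]; then
      echo $((start + hid - host)); return 0
    fi
  done <<EOF
$1
EOF
  echo 65534
}

# fix_owner_cmd "$MAP" ROOTFS CTPATH CTID: the host-side chown that makes the
# CT see CTPATH as owned by CTID:CTID (run after "pct mount <vmid>").
fix_owner_cmd() {
  local hid
  hid=$(ct_to_host "$1" "$4") || { echo "container id $4 is not mapped" >&2; return 1; }
  echo "chown -R $hid:$hid $2$3"
}

# --- walk through the thread's situation ---
before=$(ct_to_host "$OLD_MAP" 1002)   # /home/smh was created as smh under the old map
echo "host owner of /home/smh before the remap: $before"
echo "what the CT sees under the new map:      $(host_to_ct "$NEW_MAP" "$before") (nobody)"
echo "fix from the host: $(fix_owner_cmd "$NEW_MAP" /var/lib/lxc/201/rootfs /home/smh 1002)"
echo "CT root is host uid $(ct_to_host "$NEW_MAP" 0); CT uid 2000 is host uid $(ct_to_host "$NEW_MAP" 2000)"
# Gap in the new map: CT ids 1003..1999 are not mapped, so a user created
# with uid 1500 inside the CT could not own files at all.
if ! ct_to_host "$NEW_MAP" 1500 >/dev/null; then
  echo "CT uid 1500 has no host id under the new map"
fi
```

Host id 101002 (old owner of /home/smh) falls between the 100000..100999 and 102000.. ranges of the new map, so nothing inside the container can display it; chowning it to 1002 on the host puts it back inside the identity range. The same arithmetic shows that the remap leaves container ids 1003..1999 with no host id, which matters if you ever add a fourth local user.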
