Bind Mount Points -- how to fix nobody : nogroup permission denied

pkr

New Member
Aug 22, 2023
context:
- prepared a NVMe (/dev/nvme1n1) drive on the PVE host
- created ext4 filesystem
- mounted on PVE host
- bind mount point the mounted directory on PVE host to Container (201)
-
Bash:
pct set 201 -mp0 /mnt/bindmounts/nvme1n1p1,mp=/mnt/nvme1n1p1-data
- similarly did a pcie passthrough to a Virtual Machine (301)
Bash:
qm set 301 -scsi2 /dev/disk/by-id/nvme-<device-id>
- was able to log into VM-301, and see the drive
- created a folder and file using non-root user
- was able to log into the CT-201, and see the drive

question:
- when log into CT-201, unable to create/cat the contents of any files on this drive

resources:
https://pve.proxmox.com/wiki/Linux_Container#_bind_mount_points
 
i made the following changes

/etc/pve/lxc/201.conf
Markdown (GitHub flavored):
lxc.idmap: u 0 100000 1000
lxc.idmap: g 0 100000 1000
lxc.idmap: u 1000 1000 1
lxc.idmap: g 1000 1000 1
lxc.idmap: u 1001 1001 1
lxc.idmap: g 1001 1001 1
lxc.idmap: u 1002 1002 1
lxc.idmap: g 1002 1002 1
lxc.idmap: u 2001 102000 63535
lxc.idmap: g 2001 102000 63535

/etc/subgid
Markdown (GitHub flavored):
root:1002:1

/etc/subuid
Markdown (GitHub flavored):
root:1002:1

when i reboot the pve or container CT-201
i am seeing the following error in the webGUI Task History

Markdown (GitHub flavored):
lxc_map_ids: 3701 newuidmap failed to write mapping "newuidmap: uid range [1000-1001) -> [1000-1001) not allowed": newuidmap 21977 0 100000 1000 1000 1000 1 1001 1001 1 1002 1002 1 2001 102000 63535
lxc_spawn: 1788 Failed to set up id mapping.
TASK ERROR: startup for container '201' failed
 
just for now, i made the following changes and was able to boot the container

Markdown (GitHub flavored):
lxc.idmap: u 0 100000 1000
lxc.idmap: g 0 100000 1000
lxc.idmap: u 1002 1002 1
lxc.idmap: g 1002 1002 1
lxc.idmap: u 2000 102000 63535
lxc.idmap: g 2000 102000 63535

however, i am keen to learn & understand why/how i could do the mapping for the other UIDs/GIDs as well

Markdown (GitHub flavored):
lxc.idmap: u 1000 1000 1
lxc.idmap: g 1000 1000 1
lxc.idmap: u 1001 1001 1
lxc.idmap: g 1001 1001 1
 
however, i am keen to learn & understand why/how i could do the mapping for the other UIDs/GIDs as well

Markdown (GitHub flavored):
lxc.idmap: u 1000 1000 1
lxc.idmap: g 1000 1000 1
lxc.idmap: u 1001 1001 1
lxc.idmap: g 1001 1001 1
You can do that exactly like your successful mapping of uid and gid 1002.
Markdown (GitHub flavored):
lxc_map_ids: 3701 newuidmap failed to write mapping "newuidmap: uid range [1000-1001) -> [1000-1001) not allowed": newuidmap 21977 0 100000 1000 1000 1000 1 1001 1001 1 1002 1002 1 2001 102000 63535
The error message states that mapping uid 1000 is not allowed (by root). You'll get similar errors for gid 1000, uid 1001 and gid 1001.
/etc/subgid
Markdown (GitHub flavored):
root:1002:1

/etc/subuid
Markdown (GitHub flavored):
root:1002:1
You added permission for root only for uid and gid 1002, but not uid/gid 1000 and uid/gid 1001. Add those two in each and I expect it to work.
I don't think it's wise to remove the original root:100000:65536 from those files.
 
thank you @leesteken for your help, i have now made the following changes

/etc/pve/lxc/201.conf
Markdown (GitHub flavored):
lxc.idmap: u 0 100000 1000
lxc.idmap: g 0 100000 1000
lxc.idmap: u 1000 1000 1
lxc.idmap: g 1000 1000 1
lxc.idmap: u 1001 1001 1
lxc.idmap: g 1001 1001 1
lxc.idmap: u 1002 1002 1
lxc.idmap: g 1002 1002 1
lxc.idmap: u 2000 102000 63536
lxc.idmap: g 2000 102000 63536

/etc/subgid
Markdown (GitHub flavored):
root:100000:65536
w3m:165536:65536
pk:231072:65536
smh:296608:65536
root:1000:1
root:1001:1
root:1002:1

/etc/subuid
Markdown (GitHub flavored):
root:100000:65536
w3m:165536:65536
pk:231072:65536
smh:296608:65536
root:1000:1
root:1001:1
root:1002:1

Bind Mount Points /mnt/bindmount/nvme1n1p1
is what i want to share w/ Container CT-201
i have changed the ownership of this directory on host from root:root to smh:smh

Markdown (GitHub flavored):
root@pve:~# ls -l /mnt/bindmount
total 4
drwxr-xr-x 4 smh smh 4096 Sep  1 20:46 nvme1n1p1

observation:
- now i am able to start the Container CT-201
- when i log into CT-201 as user smh, it doesn't take me to its home directory, /home/smh ...instead it take me to /
- so, how do i fix this new behaviour ?!
- also, is there an alternate path, such as, Device Mount Points to a Container ?!
 
observation:
- now i am able to start the Container CT-201
Good.
- when i log into CT-201 as user smh, it doesn't take me to its home directory, /home/smh ...instead it take me to /
Check the owner and group of /home/smh inside the container. You mapped host user/group 1002 into the container but that does not change the owner/group of the existing files inside the container, which probably are still 101002:101002 and mapped to nobody:nogroup.
There is a common expectation that the owner/permissions of the files follow the user mapping but it does not, and there are several threads about this on this forum.
- so, how do i fix this new behaviour ?!
Remapping the owner/group with chown is best done outside the container from the host, or delete the directory and recreate it with the right owner (inside the container).
- also, is there an alternate path, such as, Device Mount Points to a Container ?!
I don't understand the question, sorry.
 
thank you @leesteken

for context, i have the same set of 3 users (w3m, pk, smh) in both Host & Container
and when i log into the container w/ their respective credentials, i would prefer it lands on their respective home directories

Host: /etc/passwd
Markdown (GitHub flavored):
...
w3m:x:1000:1000:,,,:/home/w3m:/bin/bash
pk:x:1001:1001:,,,:/home/pk:/bin/bash
smh:x:1002:1002:,,,:/home/smh:/bin/bash

Host: /etc/group
Markdown (GitHub flavored):
...
w3m:x:1000:
pk:x:1001:
smh:x:1002:

Container: /etc/passwd
Markdown (GitHub flavored):
...
w3m:x:1000:1000:,,,:/home/w3m:/bin/bash
pk:x:1001:1001:,,,:/home/pk:/bin/bash
smh:x:1002:1002:,,,:/home/smh:/bin/bash

Container: /etc/group
Markdown (GitHub flavored):
...
w3m:x:1000:
pk:x:1001:
smh:x:1002:


question:
- should i be reconsidering a different way of mapping UID/GID, for this behaviour to happen ?
 
Hi there,

it seems to me that this

Code:
lxc.idmap: u 0 100000 1000
lxc.idmap: g 0 100000 1000
lxc.idmap: u 1000 1000 1
lxc.idmap: g 1000 1000 1
lxc.idmap: u 1001 1001 1
lxc.idmap: g 1001 1001 1
lxc.idmap: u 1002 1002 1
lxc.idmap: g 1002 1002 1
lxc.idmap: u 2000 102000 63536
lxc.idmap: g 2000 102000 63536

needs to become this:

Code:
lxc.idmap: u 0 100000 1000
lxc.idmap: g 0 100000 1000
lxc.idmap: u 1000 1000 1
lxc.idmap: g 1000 1000 1
lxc.idmap: u 1001 1001 1
lxc.idmap: g 1001 1001 1
lxc.idmap: u 1002 1002 1
lxc.idmap: g 1002 1002 1
lxc.idmap: u 1003 101003 63533
lxc.idmap: g 1003 101003 63533

Furthermore if you created a user before changing the /etc/pve/lxc/201.conf that user has got a number ID like 1000 or something else inside the container.
If you do this inside your pve:
pct mount 201
it will mount the container inside /var/lib/lxc/201/rootfs.

so you could do:
ls -al /var/lib/lxc/201/rootfs/home

You'll now see the user/group and rights as PVE sees them.

Like @leesteken wrote, you probably will have /home/w3m owned by nobody:nogroup now; you'll need to change that.
 
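The two failure modes discussed in this thread (a host range that root is not allowed to use in /etc/subuid, and gaps in the container-side id space that leave ids unmapped) can both be caught before the container is started. The checker below is an added example written for this page; it is not Proxmox code or anything the posters ran. It parses lxc.idmap lines and subuid/subgid-style entries, reports unmapped or overlapping container ids, verifies each host range against root's allowed ranges, and translates a container uid to its host uid, which is how a container uid 1002 ends up as host uid 101002 (shown as nobody:nogroup) under the default map. The sample configuration strings are constructed from the values quoted in the thread; the sample /etc/subuid assumes the default root:100000:65536 line was still present alongside the added root:1002:1 line.

```python
"""Offline sanity checks for LXC lxc.idmap entries against /etc/subuid and /etc/subgid.

Added example for this forum thread, not Proxmox code. All sample data below is
constructed from the values quoted in the discussion.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class IdMap:
    kind: str        # 'u' for uid ranges, 'g' for gid ranges
    ct_start: int    # first id inside the container
    host_start: int  # host id that ct_start maps to
    count: int       # number of consecutive ids in the range


# Constructed: the first mapping posted in the thread (note the 1003-2000 gap).
ORIGINAL_CONF = """\
lxc.idmap: u 0 100000 1000
lxc.idmap: g 0 100000 1000
lxc.idmap: u 1000 1000 1
lxc.idmap: g 1000 1000 1
lxc.idmap: u 1001 1001 1
lxc.idmap: g 1001 1001 1
lxc.idmap: u 1002 1002 1
lxc.idmap: g 1002 1002 1
lxc.idmap: u 2001 102000 63535
lxc.idmap: g 2001 102000 63535
"""

# Constructed: the default unprivileged-container mapping with no 1:1 entries.
DEFAULT_CONF = "lxc.idmap: u 0 100000 65536\nlxc.idmap: g 0 100000 65536\n"

# Constructed: /etc/subuid before and after the fix suggested in the thread
# (assumes the default root:100000:65536 line was kept).
SUBUID_FIRST = "root:100000:65536\nroot:1002:1\n"
SUBUID_FIXED = "root:100000:65536\nroot:1000:1\nroot:1001:1\nroot:1002:1\n"

_IDMAP_RE = re.compile(r"^\s*lxc\.idmap:\s*([ug])\s+(\d+)\s+(\d+)\s+(\d+)\s*$")


def parse_idmap(conf_text):
    """Extract IdMap entries from the text of a container .conf file."""
    maps = []
    for line in conf_text.splitlines():
        m = _IDMAP_RE.match(line)
        if m:
            maps.append(IdMap(m.group(1), int(m.group(2)), int(m.group(3)), int(m.group(4))))
    return maps


def parse_subid(text):
    """Parse /etc/subuid or /etc/subgid content into (owner, start, count) tuples."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        owner, start, count = line.split(":")
        entries.append((owner, int(start), int(count)))
    return entries


def check_idmap(maps, kind, expected_total=65536):
    """Report container-side gaps, overlaps, and a total that differs from expected_total."""
    problems = []
    ranges = sorted((m for m in maps if m.kind == kind), key=lambda m: m.ct_start)
    if not ranges:
        return [f"no {kind} mappings"]
    expected = 0  # next container id that must be covered
    for m in ranges:
        if m.ct_start < expected:
            problems.append(f"{kind} range starting at {m.ct_start} overlaps the previous range")
        elif m.ct_start > expected:
            problems.append(f"{kind} ids {expected}-{m.ct_start - 1} are unmapped")
        expected = m.ct_start + m.count
    if expected != expected_total:
        problems.append(f"{kind} map covers ids up to {expected - 1}, expected {expected_total - 1}")
    return problems


def check_subid(maps, kind, subid_entries, owner="root"):
    """Each host range must lie inside one of owner's subuid/subgid ranges, as newuidmap requires."""
    allowed = [(start, start + count) for o, start, count in subid_entries if o == owner]
    problems = []
    for m in (m for m in maps if m.kind == kind):
        lo, hi = m.host_start, m.host_start + m.count
        if not any(a <= lo and hi <= b for a, b in allowed):
            problems.append(f"{kind} range [{lo}-{hi}) -> not allowed for {owner}")
    return problems


def container_to_host(maps, kind, ct_id):
    """Translate a container id to the host id it appears as; None if it is unmapped."""
    for m in maps:
        if m.kind == kind and m.ct_start <= ct_id < m.ct_start + m.count:
            return m.host_start + (ct_id - m.ct_start)
    return None


if __name__ == "__main__":
    maps = parse_idmap(ORIGINAL_CONF)
    for p in check_idmap(maps, "u") + check_subid(maps, "u", parse_subid(SUBUID_FIRST)):
        print("problem:", p)
    print("container uid 1002 under default map ->", container_to_host(parse_idmap(DEFAULT_CONF), "u", 1002))
```

Running it against the first configuration reports that container uids 1003-2000 are unmapped and that the [1000-1001) and [1001-1002) host ranges are not allowed for root, which is the same complaint newuidmap printed in the task log; against the fixed subuid the authorization problems disappear. The translation helper explains the nobody:nogroup symptom from the later posts: files created inside the container as uid 1002 under the default map are owned by host uid 101002, and adding the 1:1 entry later does not rewrite that ownership.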