Bind Mount Points -- how to fix nobody : nogroup permission denied

pkr

New Member
Aug 22, 2023
23
1
1
context:
- prepared a NVMe (/dev/nvme1n1) drive on the PVE host
- created ext4 filesystem
- mounted on PVE host
- bind mount point the mounted directory on PVE host to Container (201)
-
Bash:
pct set 201 -mp0 /mnt/bindmounts/nvme1n1p1,mp=/mnt/nvme1n1p1-data
- similarly did a pcie passthrough to a Virtual Machine (301)
Bash:
qm set 301 -scsi2 /dev/disk/by-id/nvme-<device-id>
- was able to log into VM-301, and see the drive
- created a folder and file using non-root user
- was able to log into the CT-201, and see the drive

question:
- when log into CT-201, unable to create/cat the contents of any files on this drive

resources:
https://pve.proxmox.com/wiki/Linux_Container#_bind_mount_points
 
i made the following changes

/etc/pve/lxc/201.conf
Markdown (GitHub flavored):
lxc.idmap: u 0 100000 1000
lxc.idmap: g 0 100000 1000
lxc.idmap: u 1000 1000 1
lxc.idmap: g 1000 1000 1
lxc.idmap: u 1001 1001 1
lxc.idmap: g 1001 1001 1
lxc.idmap: u 1002 1002 1
lxc.idmap: g 1002 1002 1
lxc.idmap: u 2001 102000 63535
lxc.idmap: g 2001 102000 63535

/etc/subgid
Markdown (GitHub flavored):
root:1002:1

/etc/subuid
Markdown (GitHub flavored):
root:1002:1

when i reboot the pve or container CT-201
i am seeing the following error, in weGUI Task History

Markdown (GitHub flavored):
lxc_map_ids: 3701 newuidmap failed to write mapping "newuidmap: uid range [1000-1001) -> [1000-1001) not allowed": newuidmap 21977 0 100000 1000 1000 1000 1 1001 1001 1 1002 1002 1 2001 102000 63535
lxc_spawn: 1788 Failed to set up id mapping.
TASK ERROR: startup for container '201' failed
 
just for now, i made the following changes and was able to boot the container

Markdown (GitHub flavored):
lxc.idmap: u 0 100000 1000
lxc.idmap: g 0 100000 1000
lxc.idmap: u 1002 1002 1
lxc.idmap: g 1002 1002 1
lxc.idmap: u 2000 102000 63535
lxc.idmap: g 2000 102000 63535

however, i am keen to learn & understand, why/how i could to mapping for other UID/GUID as well

Markdown (GitHub flavored):
lxc.idmap: u 1000 1000 1
lxc.idmap: g 1000 1000 1
lxc.idmap: u 1001 1001 1
lxc.idmap: g 1001 1001 1
 
however, i am keen to learn & understand, why/how i could to mapping for other UID/GUID as well

Markdown (GitHub flavored):
lxc.idmap: u 1000 1000 1
lxc.idmap: g 1000 1000 1
lxc.idmap: u 1001 1001 1
lxc.idmap: g 1001 1001 1
You can do that exactly like your successful mapping of uid and gid 1002.
Markdown (GitHub flavored):
lxc_map_ids: 3701 newuidmap failed to write mapping "newuidmap: uid range [1000-1001) -> [1000-1001) not allowed": newuidmap 21977 0 100000 1000 1000 1000 1 1001 1001 1 1002 1002 1 2001 102000 63535
The error messages states that mapping uid 1000 is not allowed (by root). You'll get similar errors for gid 1000, uid 1001 and gid 1001.
/etc/subgid
Markdown (GitHub flavored):
root:1002:1

/etc/subuid
Markdown (GitHub flavored):
root:1002:1
You added permission for root only for uid and gid 1002, but not uid/gid 1000 and uid/gid 1000. Add those two in each and I expect it to work.
I don't think it's wise to remove the original root:100000:65536 from those files.
 
  • Like
Reactions: pkr
thank you @leesteken for your help, i have now made the following changes

/etc/pve/lxc/201.conf
Markdown (GitHub flavored):
lxc.idmap: u 0 100000 1000
lxc.idmap: g 0 100000 1000
lxc.idmap: u 1000 1000 1
lxc.idmap: g 1000 1000 1
lxc.idmap: u 1001 1001 1
lxc.idmap: g 1001 1001 1
lxc.idmap: u 1002 1002 1
lxc.idmap: g 1002 1002 1
lxc.idmap: u 2000 102000 63536
lxc.idmap: g 2000 102000 63536

/etc/subgid
Markdown (GitHub flavored):
root:100000:65536
w3m:165536:65536
pk:231072:65536
smh:296608:65536
root:1000:1
root:1001:1
root:1002:1

/etc/subuid
Markdown (GitHub flavored):
root:100000:65536
w3m:165536:65536
pk:231072:65536
smh:296608:65536
root:1000:1
root:1001:1
root:1002:1

Bind Mount Points /mnt/bindmount/nvme1n1p1
is what i want to share w/ Container CT-201
i have changed the ownership of this directory on host from root:root to smh:smh

Markdown (GitHub flavored):
root@pve:~# ls -l /mnt/bindmount
total 4
drwxr-xr-x 4 smh smh 4096 Sep  1 20:46 nvme1n1p1

observation:
- now i am able to start the Container CT-201
- when i log into CT-201 as user smh, it doesn't take me to its home directory, /home/smh ...instead it take me to /
- so, how do it fix this new behaviour ?!
- also, is there an alternate path, such as, Device Mount Points to a Container ?!
 
observation:
- now i am able to start the Container CT-201
Good.
- when i log into CT-201 as user smh, it doesn't take me to its home directory, /home/smh ...instead it take me to /
Check the owner and group of /home/smh inside the container. You mapped host user/group 1002 into the container but that does not change the owner/group of the existing files inside the container, which probably are still 101002:101002 and mapped to nobody:nogroup.
There is a common expectation that the owner/permissions of the files follow the user mapping but it does not, and there are several threads about this on this forum.
- so, how do it fix this new behaviour ?!
Remapping the owner/group with chown is best done outside the container from the host, or delete the directory and recreate it with the right owner (inside the container).
- also, is there an alternate path, such as, Device Mount Points to a Container ?!
I don't understand the question, sorry.
 
  • Like
Reactions: pkr
thank you @leesteken

for context, i have the same set of 3 users (w3m, pk, smh) in both Host & Container
and when i log into the container w/ their respective credentials, i would prefer it lands on their respective home directories

Host: /etc/passwd
Markdown (GitHub flavored):
...
w3m:x:1000:1000:,,,:/home/w3m:/bin/bash
pk:x:1001:1001:,,,:/home/pk:/bin/bash
smh:x:1002:1002:,,,:/home/smh:/bin/bash

Host: /etc/group
Markdown (GitHub flavored):
...
w3m:x:1000:
pk:x:1001:
smh:x:1002:

Container: /etc/passwd
Markdown (GitHub flavored):
...
w3m:x:1000:1000:,,,:/home/w3m:/bin/bash
pk:x:1001:1001:,,,:/home/pk:/bin/bash
smh:x:1002:1002:,,,:/home/smh:/bin/bash

Container: /etc/group
Markdown (GitHub flavored):
...
w3m:x:1000:
pk:x:1001:
smh:x:1002:


question:
- should i be reconsidering a different way of mapping UID/GID, for this behaviour to happen ?
 

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!