I have an HDD connected to my PVE host, that holds data in various btrfs subvolumes. I would like to access (and ideally manage) them from an unprivileged LXC container.
After reading through several documentation pages and forum posts I attempted the following:
Create a "lxc_mount" group on the host (gid = 1000) and add root to it.
Change owning group of HDD and partition to lxc_mount via udev rule (and add symlinks for better visibility)
Code:
SUBSYSTEM=="block", KERNEL=="sd[a-z]", ENV{DEVTYPE}=="disk", ENV{ID_SERIAL}=="xxx-yyy_zzzzz", SYMLINK+="lxc_use/disk_$env{ID_SERIAL}", GROUP="lxc_mount", MODE="0660"
SUBSYSTEM=="block", KERNEL=="sd[a-z][0-9]", ENV{DEVTYPE}=="partition", ENV{ID_FS_UUID}=="aaaa-bbbb-cccc-dddd-eeee", SYMLINK+="lxc_use/partition_$env{ID_FS_UUID}", GROUP="lxc_mount", MODE="0660"
I then tried to set up the container to be able to mount the volumes by doing the following (after unmounting everything on the host):
Pass disk and partition to the container.
Create a "mount" group inside the container (gid = 1000) and add root to it.
Map mount to lxc_mount in /etc/pve/lxc/xxx.conf.
Set apparmor profile to lxc-container-default-with-mounting:
Code:
dev0: /dev/lxc_use/disk_xxx-yyy_zzzzz
dev1: /dev/lxc_use/partition_aaaa-bbbb-cccc-dddd-eeee
lxc.idmap: u 0 100000 65536
lxc.idmap: g 0 100000 1000
lxc.idmap: g 1000 1000 1
lxc.idmap: g 1001 101001 64535
lxc.apparmor.profile: lxc-container-default-with-mounting
Edit /etc/subuid and /etc/subgid (not sure whether this is necessary with the mapped group):
Code:
root:1000:1
root:100000:65536
What else needs to be done? When I try to mount inside the container I get this error message:
Code:
root@CTxxx:~# mkdir /mnt/hdd-root
root@CTxxx:~# mount /dev/lxc_use/partition_aaaa-bbbb-cccc-dddd-eeee /mnt/hdd-root/
mount: /mnt/hdd-root: permission denied.
       dmesg(1) may have more information after failed mount system call.
dmesg does not show any information regarding the failed mount (neither does journalctl).
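Editor's note, with an added example that is not part of the original post. Two things are worth separating here. The first is the id mapping itself: `lxc.idmap` lines must cover container ids 0 to 65535 without gaps, and every host range they use must be granted to root in /etc/subuid and /etc/subgid, otherwise `pct start` refuses the container. The second is the `permission denied` from `mount`: in an unprivileged container the kernel only allows filesystems that are explicitly flagged as mountable from a user namespace (tmpfs, proc, sysfs, FUSE and similar); block-device filesystems such as btrfs are not, so the mount(2) call fails with EPERM before AppArmor or device permissions are consulted, which is why nothing appears in dmesg. The usual Proxmox approach is to mount the subvolumes on the host and hand them to the container as bind mounts (`mp0: /host/path,mp=/container/path`), with the idmap above making the container's group 1000 own the files. The script below only checks the first part, the mapping, against constructed copies of the posted config and subid files; the `check_idmap` function and the file names are this example's own, not Proxmox tooling.

```shell
#!/bin/sh
# Added example (not from the original post): verify that the lxc.idmap
# lines in a Proxmox CT config are contiguous and that every host range
# they map is granted to root in /etc/subuid or /etc/subgid.
# The sample files written below are constructed for this demo.

# check_idmap <ct.conf> <u|g> <subid-file>
# exit 0 if the mapping for that id kind is consistent, 1 otherwise
check_idmap() {
    conf=$1; kind=$2; subfile=$3
    awk -v kind="$kind" -v subfile="$subfile" '
        # load the host ranges granted to root: lines of the form root:start:count
        BEGIN {
            n = 0; expect = 0; bad = 0
            while ((getline line < subfile) > 0) {
                split(line, f, ":")
                if (f[1] == "root") { rs[n] = f[2] + 0; rc[n] = f[3] + 0; n++ }
            }
        }
        # "lxc.idmap: g <container-start> <host-start> <count>"
        $1 == "lxc.idmap:" && $2 == kind {
            cstart = $3 + 0; hstart = $4 + 0; cnt = $5 + 0
            if (cstart != expect) {
                printf("gap: container %s ids %d..%d are unmapped\n", kind, expect, cstart - 1)
                bad = 1
            }
            covered = 0
            for (i = 0; i < n; i++)
                if (hstart >= rs[i] && hstart + cnt <= rs[i] + rc[i]) covered = 1
            if (!covered) {
                printf("host %s range %d..%d is not granted to root in %s\n",
                       kind, hstart, hstart + cnt - 1, subfile)
                bad = 1
            }
            expect = cstart + cnt
        }
        END {
            if (expect != 65536) {
                printf("mapped %d container %s ids, expected 65536\n", expect, kind)
                bad = 1
            }
            exit bad
        }
    ' "$conf"
}

# Constructed sample input: the idmap from the post, a matching subgid, a
# matching subuid, and a subgid missing the root:1000:1 grant.
tmp=$(mktemp -d)
cat > "$tmp/ct.conf" <<'EOF'
lxc.idmap: u 0 100000 65536
lxc.idmap: g 0 100000 1000
lxc.idmap: g 1000 1000 1
lxc.idmap: g 1001 101001 64535
EOF
cat > "$tmp/subgid.ok" <<'EOF'
root:1000:1
root:100000:65536
EOF
cat > "$tmp/subuid" <<'EOF'
root:100000:65536
EOF
cat > "$tmp/subgid.missing" <<'EOF'
root:100000:65536
EOF

check_idmap "$tmp/ct.conf" u "$tmp/subuid"         && echo "uid map OK"
check_idmap "$tmp/ct.conf" g "$tmp/subgid.ok"      && echo "gid map OK"
check_idmap "$tmp/ct.conf" g "$tmp/subgid.missing" || echo "gid map rejected (root:1000:1 missing from subgid)"
```

Run it on the host as `sh check_idmap.sh`, or point `check_idmap` at the real `/etc/pve/lxc/<id>.conf` and `/etc/subgid`. The one-gid mapping trick (`g 1000 1000 1`) is exactly the line that needs its own `root:1000:1` entry in /etc/subgid, which is what the third call demonstrates.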