Cannot access shared folder on unprivileged LXC container due to permissions

reynierpm

New Member
May 19, 2023
I have created an LXC container using the Ubuntu Server LTS image and the configuration looks like this:

Code:
arch: amd64
cores: 6
features: nesting=1
hostname: ct-downloads
memory: 4096
mp0: /media/share/downloads,mp=/downloads
nameserver: 192.168.11.1
net0: name=eth0,bridge=vmbr0,firewall=1,gw=192.168.xx.x,hwaddr=BC:24:11:58:25:7F,ip=192.168.xx.xxx/24,type=veth
ostype: ubuntu
rootfs: zfs_disk:subvol-104-disk-0,size=150G
swap: 2048
unprivileged: 1

Following the guides below, I mounted the NFS shared folders on the host and can see and browse the shared content there.

Guides:
- https://forum.proxmox.com/threads/unable-to-use-nfs-share-within-lxc-container.58045/#post-267777
- https://pve.proxmox.com/wiki/Linux_Container#_bind_mount_points

If I go inside the container the first thing I see is the `/downloads` folder created as:

Code:
drwxrwxrwx+  10 nobody nogroup 4096 Jan 26 01:43 downloads

And of course, if I try to list/access the content inside the `/downloads` I get a permission denied:

Code:
root@ct-downloads:~# cd /downloads/
-bash: cd: /downloads/: Permission denied

How can I fix this issue? I know one option is to create a privileged container, but I don't want to go down that path unless it is strictly needed.
 
@Dunuin docs are not clear to me and after reading them I am getting lost. Running `id nobody` in the host (PVE) gives me:

Code:
root@pve:~# id nobody
uid=65534(nobody) gid=65534(nogroup) groups=65534(nogroup)

But this part is not clear to me at all from the docs:

Code:
# uid map: from uid 0 map 1005 uids (in the ct) to the range starting 100000 (on the host), so 0..1004 (ct) → 100000..101004 (host)
lxc.idmap = u 0 100000 1005
lxc.idmap = g 0 100000 1005
# we map 1 uid starting from uid 1005 onto 1005, so 1005 → 1005
lxc.idmap = u 1005 1005 1
lxc.idmap = g 1005 1005 1
# we map the rest of 65535 from 1006 up to 101006, so 1006..65535 → 101006..165535
lxc.idmap = u 1006 101006 64530
lxc.idmap = g 1006 101006 64530

Do I need to copy all the above in `/etc/pve/lxc/104.conf` and then continue with what the docs say?
 
Do I need to copy all the above in `/etc/pve/lxc/104.conf` and then continue with what the docs say?
No, you need to edit that to match your UIDs/GIDs in the guest OS. What it does is map UID/GID 1005 in the LXC to 1005 on the host instead of the default mapping, where UID/GID 1005 in the LXC gets mapped to UID/GID 101005 on the host. So this would only help if your NFS share were owned by UID/GID 1005 and you want a user with UID/GID 1005 inside the LXC to use it.
With a different UID/GID you will have to change all the lines.

Code:
root@pve:~# id nobody
uid=65534(nobody) gid=65534(nogroup) groups=65534(nogroup)
Unprivileged LXC means all UIDs/GIDs 0 to 65535 inside the LXC are actually UIDs/GIDs 100000 to 165535 on the host. So everything is shifted by 100000.
So if your NFS share for example is owned by UID 1000 on the host then the user with UID 1000 in the LXC won't be able to access it, as that user in reality is using the UID 101000 and not owning that NFS share.
 
This is still a little bit obscure to me :( The shared folder on the host (we are talking here about PVE, right?) is owned by root:

Code:
root@pve:~# ls -la /media/share/
total 92
drwxr-xr-x   5 root root  4096 Jan 26 09:50 .
drwxr-xr-x   3 root root  4096 Jan 26 09:50 ..
drwxrwxrwx+ 10 root root  4096 Jan 25 20:43 downloads

which has id: 0 and gid: 0

Code:
root@pve:~# id
uid=0(root) gid=0(root) groups=0(root)

How would my `lxc.idmap` have to look?
 
The NFS share shouldn't be owned by root. To be able to access it in the LXC you would need to map your host's (this is the PVE) root user to the LXC's root user, which will basically make your LXC as insecure as using a privileged LXC in the first place.

Rule of thumb for security: Never run stuff as root unless you can't avoid it.
 
You're right there, I should not be using `root` to mount these shared resources.

I will hijack this post for a second and apologize in advance. I have "created" a new user `ctuser` (aka container user) which I plan to use to mount the resources. I did it through the UI, but I am unable to see the user within the system, which makes me wonder whether the user is a system user or only a UI user :rolleyes:

Code:
root@pve:~# id ctuser
id: ‘ctuser’: no such user

I read the docs at https://pve.proxmox.com/wiki/User_Management, and going through the CLI using `pveum` would give me the same result. Should I just create the user as I normally do in Debian? Should I create a new group for this user and add the user to it, or should I use any other existing group?

Code:
adduser ctuser
 
Yes, you have to create users via the CLI with adduser, on the host, the NFS server and the LXC, and ideally with the same UIDs so user remapping will be a bit simpler.
 
Alright, here is all I did:

1. Create a user and a group in the container as follows:
Code:
groupadd -g 2006 ctgroup
useradd ctuser -u 2006 -g 2006 -m -s /bin/bash
2. Create the same user and group in the host (Proxmox) using the same commands as above.
3. Edit the file `/etc/pve/lxc/104.conf` and add the following:
Code:
lxc.idmap: u 2006 102006 1
lxc.idmap: g 2006 102006 1
4. Give the newly created user permissions on the NFS mounted folder:
Code:
chown -R ctuser:root /media/share/downloads
5. Edit the `/etc/fstab` file and change the automount option so the user `ctuser` can read/write into the directory:
Code:
192.168.11.xx:/Downloads    /media/share/downloads   nfs user,auto,nofail,noatime,nolock,intr,tcp,actimeo=1800 0 0

But when I try to start the container it fails with the following error:
Code:
cgfsng_chown: 1721 No such file or directory - Error requesting cgroup chown in new user namespace
__lxc_start: 2107 Failed to spawn container "104"
TASK ERROR: startup for container '104' failed

Any ideas on what I did wrong or what I missed here?
 
You need to remap ALL of the 65536 UIDs/GIDs!
So something like:
Code:
# map 0 - 2005 in LXC to 100000 - 102005 on host:
lxc.idmap = u 0 100000 2006
lxc.idmap = g 0 100000 2006
# map 2006 in LXC to 2006 on host:
lxc.idmap = u 2006 2006 1
lxc.idmap = g 2006 2006 1
# map 2007 - 65535 in LXC to 102007 - 165535 on host:
lxc.idmap = u 2007 102007 63529
lxc.idmap = g 2007 102007 63529
...for the LXC's config file, as well as...
Code:
root:2006:1
...for the host's /etc/subuid and /etc/subgid files,
if you want to access a folder owned by UID 2006 on the host with UID 2006 inside the unprivileged LXC.
 
After making your suggested changes I was able to start the container; however, I am still unable to access `/downloads`:

Code:
ls -la /downloads/
ls: cannot open directory '/downloads/': Permission denied

And I double-checked the existence of the user `ctuser`, and it does exist:

Code:
root@ct-downloads:~# id ctuser
uid=2006(ctuser) gid=2006(ctgroup) groups=2006(ctgroup)

Any ideas?
 
Code:
lxc_map_ids: 3701 newuidmap failed to write mapping "newuidmap: uid range [2006-2007) -> [2006-2007) not allowed": newuidmap 18581 0 100000 2006 2006 2006 1 2007 102007 63529
lxc_spawn: 1788 Failed to set up id mapping.
__lxc_start: 2107 Failed to spawn container "104"
TASK ERROR: startup for container '104' failed
It says that it is not allowed to map the user, so you need to fix that in /etc/subuid.
The `subuid` contains the following:

Code:
root:100000:65536
ctuser:165536:65536
That does not look correct and explains the error.
Should I append `root:2006:1`?
Yes, see the earlier post:
as well as...
Code:
root:2006:1
...for the host's /etc/subuid and /etc/subgid files.
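The two rules in the replies above (the map must cover all 65536 container ids without a gap, and every host range it targets must be granted to root in /etc/subuid and /etc/subgid, otherwise newuidmap reports the "not allowed" error quoted earlier) can be turned into a small checker. The script below is an added example, not code from this thread or from Proxmox; it generates the idmap for a pass-through id, translates container ids to host ids under the default +100000 shift, and checks a subuid file against the map. It writes the lines in the `key: value` form of `/etc/pve/lxc/<ctid>.conf`, and the id 2006 and the two subuid contents are constructed from the values posted in the thread.

```python
"""Build and sanity-check an LXC id map for an unprivileged Proxmox container.

Added example, not code from the thread or from Proxmox. It encodes the rules
given in the replies above: all 65536 container ids must be mapped without
gaps, and each host range the map uses must be granted to the container's
host user (root) in /etc/subuid and /etc/subgid, or newuidmap refuses it.
"""

BASE = 100000      # default host offset of an unprivileged container
ID_COUNT = 65536   # container ids 0..65535 all need a mapping


def build_idmap(passthrough_ids):
    """Return (kind, ct_start, host_start, count) tuples that map each id in
    passthrough_ids 1:1 onto the same host id and shift every other id by BASE."""
    entries = []
    cursor = 0
    for ct_id in sorted(set(passthrough_ids)):
        if not 0 <= ct_id < ID_COUNT:
            raise ValueError(f"id {ct_id} outside 0..{ID_COUNT - 1}")
        if ct_id > cursor:                       # shifted block before it
            entries.append((cursor, BASE + cursor, ct_id - cursor))
        entries.append((ct_id, ct_id, 1))        # identity-mapped id
        cursor = ct_id + 1
    if cursor < ID_COUNT:                        # shifted tail up to 65535
        entries.append((cursor, BASE + cursor, ID_COUNT - cursor))
    # one 'u' and one 'g' line per block, as in the replies above
    return [(kind, *e) for e in entries for kind in ("u", "g")]


def render_idmap(entries):
    """Lines in the key: value form used by /etc/pve/lxc/<ctid>.conf."""
    return "\n".join(f"lxc.idmap: {k} {c} {h} {n}" for k, c, h, n in entries)


def host_id(entries, kind, ct_id):
    """Translate a container uid ('u') or gid ('g') to the host id, or None
    if the map leaves it unmapped."""
    for k, c, h, n in entries:
        if k == kind and c <= ct_id < c + n:
            return h + (ct_id - c)
    return None


def coverage_gaps(entries, kind):
    """Container id ranges [start, end) that the 'u' or 'g' map leaves out.
    A non-empty result is the situation behind the cgroup chown start failure:
    LXC needs the whole 0..65535 space mapped."""
    gaps, cursor = [], 0
    for start, end in sorted((c, c + n) for k, c, h, n in entries if k == kind):
        if start > cursor:
            gaps.append((cursor, start))
        cursor = max(cursor, end)
    if cursor < ID_COUNT:
        gaps.append((cursor, ID_COUNT))
    return gaps


def parse_subid(text):
    """Parse /etc/subuid or /etc/subgid text into {user: [(start, count), ...]}."""
    grants = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, start, count = line.split(":")
        grants.setdefault(user, []).append((int(start), int(count)))
    return grants


def unauthorized_ranges(entries, grants, kind, user="root"):
    """Host ranges [start, end) the map uses that `user` is not granted.
    newuidmap/newgidmap requires each mapped host range to lie inside one
    granted range, which is what the 'not allowed' error reports."""
    bad = []
    for k, c, h, n in entries:
        if k != kind:
            continue
        allowed = any(s <= h and h + n <= s + cnt for s, cnt in grants.get(user, []))
        if not allowed:
            bad.append((h, h + n))
    return bad


# Constructed from the thread's values: subuid before and after the fix.
BROKEN_SUBUID = "root:100000:65536\nctuser:165536:65536\n"
FIXED_SUBUID = BROKEN_SUBUID + "root:2006:1\n"

if __name__ == "__main__":
    idmap = build_idmap({2006})
    print(render_idmap(idmap))
    print("gaps:", coverage_gaps(idmap, "u"))
    print("ct uid 2007 appears on the host as", host_id(idmap, "u", 2007))
    for label, text in (("broken", BROKEN_SUBUID), ("fixed", FIXED_SUBUID)):
        bad = unauthorized_ranges(idmap, parse_subid(text), "u")
        print(f"{label} subuid, ranges not allowed: {bad}")
```

Running it prints the six `lxc.idmap:` lines from the earlier reply, an empty gap list, and `[(2006, 2007)]` as the range that the unfixed subuid does not allow. Feeding the two-line map the OP first used (`u 2006 102006 1` only) to `coverage_gaps` shows why the container refused to start: 0..2005 and 2007..65535 are unmapped. Run the same `unauthorized_ranges` check with the `g` kind against /etc/subgid, since both files need the extra `root:2006:1` line.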
 
@leesteken / @Dunuin I am still missing something :confused: the content of `/etc/subuid` is as follows:

Code:
root:100000:65536
ctuser:165536:65536

root:2006:1

and the content of `/etc/subgid`

Code:
root:100000:65536
ctuser:165536:65536

root:2006:1

and I was able to start the container; however, I can't access the `/downloads` directory in the container. I have checked the permissions on the host and they look fine to me:

Code:
root@pve:~# ls -la /media/share/
total 92
drwxr-xr-x  5 ctuser root  4096 Jan 26 09:50 .
drwxr-xr-x  3 root   root  4096 Jan 26 09:50 ..
drwxrwxrwx  7 ctuser root  4096 Jan 27 11:08 downloads

What else am I missing?
 
It is now nearly a year since the last post. Did you successfully manage to get access to the folder in the LXC?
I am having exactly the same problem as @reynierpm. Are we the only ones?

This issue is not mentioned in any of the tutorials I found for feeding the content of a NAS to a Jellyfin container.
 
