CIFS or NFS mount inside unprivileged container

Republicus

Aug 7, 2017
I was writing a response to another thread and some error occurred and I can no longer find the post.
This is not a question but may be useful for anyone else who may be attempting to add a network share within an unprivileged container as a mount point and wish to gain write access permissions.

I had earlier needed to do this with CIFS, but now am using NFS and needed to accomplish the same access. This should be similar for other network shares.

The issue with an unprivileged container and mount point permissions lies in the nature of the unprivileged container's altered uid/gid of root, which does not match up with root on the host or share.

Mounting the share with the unprivileged container UID/GID will give them write permissions inside the privileged container.

Network Share Server

chown the share directory (may require recursive if your share is not empty):
Code:
chown 101001:101001 /path/to/share

NFS Server

edit your /etc/exports:
Code:
# If present: remove no_root_squash
# Include all_squash,anonuid=101001,anongid=101001
/path/to/share 10.10.0.0/24(rw,async,insecure,all_squash,anonuid=101001,anongid=101001,no_subtree_check)

On PVE Datacenter, add NFS storage as usual.

CIFS/SMB

Modify /etc/fstab on each PVE node:
Code:
# Your CIFS options may vary, include uid=101001,gid=101001
//servername/sharename /path/to/mount cifs username=USER,password=PASSWORD,uid=101001,gid=101001,iocharset=utf8,noperm 0 0

Remount fstab mounts:
Code:
mount -a

Container Config
edit the lxc config on the PVE node, /etc/pve/lxc/XXX.conf, and add:
Code:
mp0: /path/to/host/share,mp=/path/to/mount
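As an added illustration (not part of Republicus's post or any Proxmox tooling), a small Python checker that applies the uid arithmetic behind the recipe: with the default 100000 idmap base visible in the replies below, container uid/gid 1001 appears as 101001 on the host, so the chown, the exports anonuid/anongid and the CIFS uid/gid must all name that id. The base, the function names and the credentials= suggestion are my assumptions, not from the post.

```python
import re

IDMAP_BASE = 100000  # assumed default PVE mapping: container uid N shows up as host uid 100000+N

def host_id(container_id, base=IDMAP_BASE):
    """Translate a uid or gid seen inside the unprivileged container to the host-side value."""
    return base + container_id

def parse_options(opt_string):
    """Turn 'rw,anonuid=101001,no_subtree_check' into a dict; bare flags map to True."""
    opts = {}
    for item in filter(None, opt_string.split(',')):
        key, _, value = item.partition('=')
        opts[key.strip()] = value.strip() if value else True
    return opts

def check_nfs_export(line, container_uid, container_gid, base=IDMAP_BASE):
    """Findings for one /etc/exports line; an empty list means it follows the recipe above."""
    path, *clients = line.split()
    want_uid, want_gid = str(host_id(container_uid, base)), str(host_id(container_gid, base))
    findings = []
    for client in clients:
        m = re.fullmatch(r'([^()]+)\(([^)]*)\)', client)
        host, opts = (m.group(1), parse_options(m.group(2))) if m else (client, {})
        if 'no_root_squash' in opts:
            findings.append(f'{path} {host}: no_root_squash lets a client root act as root on the share')
        if 'all_squash' not in opts:
            findings.append(f'{path} {host}: all_squash missing, so client uids are not rewritten')
        if opts.get('anonuid') != want_uid or opts.get('anongid') != want_gid:
            findings.append(f'{path} {host}: expected anonuid={want_uid},anongid={want_gid}')
    return findings

def check_cifs_fstab(line, container_uid, container_gid, base=IDMAP_BASE):
    """Findings for one CIFS /etc/fstab line (source, mountpoint, fstype, options, dump, pass)."""
    fields = line.split()
    if len(fields) < 4 or fields[2] != 'cifs':
        return [f'{line!r}: not a cifs fstab entry']
    mountpoint, opts = fields[1], parse_options(fields[3])
    want_uid, want_gid = str(host_id(container_uid, base)), str(host_id(container_gid, base))
    findings = []
    if opts.get('uid') != want_uid or opts.get('gid') != want_gid:
        findings.append(f'{mountpoint}: expected uid={want_uid},gid={want_gid}')
    if 'password' in opts:  # fstab is world-readable; mount.cifs accepts credentials=<file> instead
        findings.append(f'{mountpoint}: password in fstab is world-readable, use credentials=/path instead')
    return findings
```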
 
Hello,

Thanks for sharing this information.

I'm trying to mount a SMB/CIFS share in a Turnkey Centos8 LXC hosted in Proxmox 6.1-5.
The share is provided by a physical server ClearOS Linux distro.

I tried your method both privileged and unprivileged but alas I get the very same result:


Unprivileged
Code:
[root@Docker-Centos ~]# ls -lan /media
total 12
drwxr-xr-x  3 100000 100000 4096 Jan 26 09:56 .
drwxr-xr-x 19 100000 100000 4096 Jan 27 06:51 ..
drwxr-xr-x  2 101001 101001 4096 Jan 26 09:56 shared

Code:
[root@Docker-Centos ~]# cat /etc/fstab
//192.1681.XYZ/shared /media/shared cifs username=XXXXXXXXXXX,password=XXXXXXXXXXX,uid=101001,gid=101001,iocharset=utf8,noperm 0 0

Code:
[root@Docker-Centos ~]# mount -a
mount: only root can use "--all" option (effective UID is 100000)

I also tried with uid/gid "100000" as the error message advises, but same result.



Privileged
Code:
[root@CentosPrivilegied media]# ls -lan
total 12
drwxr-xr-x  3 0 0 4096 Jan 26 11:46 .
drwxr-xr-x 19 0 0 4096 Jan 27 06:53 ..
drwxr-xr-x  2 0 0 4096 Jan 26 11:46 shared
[root@CentosPrivilegied media]# chown 101001:101001 sharedd
chown: cannot access '/shared': No such file or directory

Code:
[root@CentosPrivilegied media]# cat /etc/fstab
//192.1681.222/shared /media/shared cifs username=monsignore,password=aqwxc,uid=0,gid=0,iocharset=utf8,noperm 0 0

[root@CentosPrivilegied media]# mount -a
mount: /media/shared: permission denied.



dmesg states:

[1015513.129597] audit: type=1400 audit(1580108141.243:148): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-106_</var/lib/lxc>" name="/media/shared/" pid=20425 comm="mount" fstype="cifs" srcname="//192.1681.XYZ/shared" flags="rw, nosuid, nodev, noexec"



Did you encounter this problem, please?
Thanks in advance for your help.
 
Thanks for the writeup! Are there any performance implications of bouncing via the host for each file access?
 
