Forward NTFS to Guest with permissions

fresh (New Member, Nov 28, 2022)
Hello,

I have a problem with an NTFS disk, LXC guest systems and permissions.

I mount the disk like this:
Code:
root@pve:~# cat /etc/fstab
# <file system> <mount point> <type> <options> <dump> <pass>
/dev/sdb2 /mnt/pve/data ntfs-3g permissions 0

This leads to perfect permissions on the pve host. I can chown and chmod directories and CREATE/READ/DELETE files.

But when I forward the HDD like this to the guest:
Code:
root@pve:/mnt/pve/data# cat /etc/pve/lxc/102.conf
arch: amd64
cores: 2
features: fuse=1,nesting=1
hostname: pveNextcloud
memory: 2048
mp0: /mnt/pve/data/syncthing/nextcloud,mp=/mnt/syncthing
net0: name=eth0,bridge=vmbr0,firewall=1,gw=192.168.XXX.1,hwaddr=72:95:XX:XX:XX:CA,ip=192.168.XXX.102/24,type=veth
onboot: 1
ostype: ubuntu
rootfs: local-lvm:vm-102-disk-0,size=32G
swap: 2048
unprivileged: 1

... in the guest LXC, I can now READ and DELETE but NOT CREATE a new file?!?!
It says "permission denied". I'm root in the guest system.

Does someone have an idea?
fresh
Hi, what ownership and permissions do you have set on the folder as seen from the host? Please share the output as given by ls -la /mnt/pve/data/syncthing. Note that for the LXC root user to be able to write, the correspondingly mapped user on the host has to have the needed permissions [0].

What is strange is that you state that you can delete files; did you maybe set ACLs on the folder? I am not even sure if NTFS and ntfs-3g support these.

I recommend against using poorly supported filesystems such as NTFS in PVE and on Linux in general; go for one of the many well-supported ones instead if possible.

[0] https://pve.proxmox.com/wiki/Unprivileged_LXC_containers

I would have taken ext4 if I could. Unfortunately, I am currently unable to back up the data to format the HDD as ext4, so I have to live with NTFS right now.
I don't know what ACLs are, so no, I didn't set them up :)

After fstab/mount I ran once: chown -R 101000:101000 on /mnt/pve/data, chmod -r 755 on directories and chmod 644 on files.

host:
Code:
root@pve:~# ls -la /mnt/pve/data/syncthing
total 41881
drwxr-xr-x 1 101000 101000     4096 Jul 17 22:54 .
drwxrwxrwx 1 root   root       4096 Jul 17 18:26 ..
-rw-r--r-- 1 101000 101000     1470 Jul 11 00:35 backup.sh
drwxr-xr-x 1 101000 101000        0 Jul 21 06:02 nextcloud
drwxr-xr-x 1 101000 101000        0 Jan 30 17:53 .stfolder

root@pve:~# ls -la /mnt/pve/data/syncthing/nextcloud
total 55001
drwxr-xr-x 1 101000 101000      464 Jul 21 16:34 .
drwxr-xr-x 1 101000 101000     4096 Jul 21 16:17 ..
-rw-r--r-- 1 101000 101000      559 Jun  3 10:36 backup.sh
drwxrwx--- 1 101000 101000     4096 Jul 20 23:47 data
-rw-r--r-- 1 101000 101000 56309028 Jul 21 06:02 nextcloud.tar.7z
-rw-r--r-- 1 101000 101000        0 Jul 21 16:32 test

guest:
Code:
root@pveNextcloud:~# ls -la /mnt/syncthing/
total 55001
drwxr-xr-x 1   1000 1000      464 Jul 21 14:34 .
drwxr-xr-x 3   root root     4096 Jul 21 14:28 ..
-rw-r--r-- 1   1000 1000      559 Jun  3 08:36 backup.sh
drwxrwx--- 1   1000 1000     4096 Jul 20 21:47 data
-rw-r--r-- 1   1000 1000 56309028 Jul 21 04:02 nextcloud.tar.7z
-rw-r--r-- 1   1000 1000        0 Jul 21 14:32 test

Commands:
root on the host can do everything (CRUD), no problems.

guest:
Code:
root@pveNextcloud:/mnt/syncthing# touch test2
touch: cannot touch 'test2': Permission denied

root@pveNextcloud:/mnt/syncthing# cp test test2
cp: cannot create regular file 'test2': Permission denied

root@pveNextcloud:/mnt/syncthing# rm test

root@pveNextcloud:/mnt/syncthing# ls -la
total 55001
drwxr-xr-x 1 1000 1000      368 Jul 21 14:39 .
drwxr-xr-x 3 root root     4096 Jul 21 14:28 ..
-rw-r--r-- 1 1000 1000      559 Jun  3 08:36 backup.sh
drwxrwx--- 1 1000 1000     4096 Jul 20 21:47 data
-rw-r--r-- 1 1000 1000 56309028 Jul 21 04:02 nextcloud.tar.7z
As described: deletion is possible, the test file is gone after rm on the guest. touch or cp is not possible.



I also found this on a different guest (101):

host:
Code:
root@pve:~# cat /etc/pve/lxc/101.conf
arch: amd64
cores: 4
features: fuse=1,nesting=1
hostname: pveDocker
memory: 8192
mp0: /mnt/pve/data,mp=/mnt/data
mp1: /mnt/pve/data/syncthing,mp=/mnt/syncthing
net0: name=eth0,bridge=vmbr0,firewall=1,gw=192.168.95.1,hwaddr=2E:EA:2B:C0:21:3A,ip=192.168.95.101/24,type=veth
onboot: 1
ostype: ubuntu
rootfs: local-lvm:vm-101-disk-0,size=100G
swap: 8192
unprivileged: 1
lxc.cgroup2.devices.allow: c 189:* rwm
lxc.mount.entry: usb-ITead_Sonoff_Zigbee_3.0_USB_Dongle_Plus_3418bcfb9d29ec1192916d7840c9ce8d-if00-port0 dev/serial/by-id/usb-ITead_Sonoff_Zigbee_3.0_USB_Dongle_Plus_3418bcfb9d29ec1192916d7840c9ce8d-if00-port0 none bind,optional,create=file
lxc.cgroup2.devices.allow: c 188:* rwm
lxc.mount.entry: /dev/ttyUSB0 dev/ttyUSB0 none bind,optional,create=file
=> on guest, /mnt/data/syncthing/nextcloud === /mnt/syncthing/nextcloud

guest:

Code:
root@pveDocker:/mnt/data/syncthing/nextcloud# touch test2
touch: cannot touch 'test2': Permission denied

root@pveDocker:/mnt/data/syncthing/nextcloud# cp test test2
cp: cannot create regular file 'test2': Permission denied

root@pveDocker:/mnt/data/syncthing/nextcloud# touch /mnt/data/test2

root@pveDocker:/mnt/data/syncthing/nextcloud# ls -l /mnt/data/test2
-rw-r--r-- 1 root root 0 Jul 21 16:47 /mnt/data/test2

root@pveDocker:/mnt/data/syncthing/nextcloud# mv /mnt/data/test2 .

root@pveDocker:/mnt/data/syncthing/nextcloud# ls -la
total 55002
drwxr-xr-x 1 1000 1000      560 Jul 21 16:48 .
drwxr-xr-x 1 1000 1000     4096 Jul 21 16:17 ..
-rw-r--r-- 1 1000 1000      559 Jun  3 10:36 backup.sh
drwxrwx--- 1 1000 1000     4096 Jul 20 23:47 data
-rw-r--r-- 1 1000 1000 56309028 Jul 21 06:02 nextcloud.tar.7z
-rw-r--r-- 1 1000 1000        0 Jul 21 16:41 test
-rw-r--r-- 1 root   root          0 Jul 21 16:47 test2
So file creation is not possible, but I can move files here?

The funny part is that this move "hack" is not possible directly into /mnt/syncthing/nextcloud.

So maybe the problem is here? Is a double mount allowed?
Code:
mp0: /mnt/pve/data,mp=/mnt/data
mp1: /mnt/pve/data/syncthing,mp=/mnt/syncthing
OK. I created user xyz with userid 1000 on the guest.
User xyz can CRUD files, so everything is fine here.
But why does root on the guest have fewer permissions than xyz on the guest? root can only RUD.
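An added illustration (not code from the thread, from Proxmox or from ntfs-3g) of the uid mapping the earlier reply points to at [0] and of why root and user xyz in the guest get different results: with the default unprivileged-container idmap, guest root becomes host uid 100000, while guest uid 1000 becomes 101000, the owner of the listed directory. Assumed here: the default map of guest 0..65535 to host 100000..165535, and a plain owner/group/other check with no uid-0 override; whether ntfs-3g honours the container's capabilities is not settled in the thread.

```python
# Added example (not from the thread or Proxmox): map container uids to host
# uids with the default unprivileged-LXC idmap and apply the plain
# owner/group/other check to the ls -la output posted on the host.
from typing import NamedTuple

# Assumed default PVE idmap for unprivileged containers:
# guest 0..65535 -> host 100000..165535, as (guest_start, host_start, count).
DEFAULT_IDMAP = [(0, 100000, 65536)]

def guest_to_host(guest_id, idmap=DEFAULT_IDMAP):
    """Return the host uid/gid that a uid/gid inside the container becomes."""
    for g_start, h_start, count in idmap:
        if g_start <= guest_id < g_start + count:
            return h_start + (guest_id - g_start)
    raise ValueError(f"guest id {guest_id} is not mapped into the container")

class Entry(NamedTuple):
    name: str
    bits: dict  # {"owner": "rwx", "group": "r-x", "other": "r-x"}
    uid: int
    gid: int

def parse_ls(line):
    """Parse one 'ls -la' line as printed on the host (numeric uid/gid, name last)."""
    mode, _links, uid, gid, *_rest, name = line.split()
    bits = {"owner": mode[1:4], "group": mode[4:7], "other": mode[7:10]}
    return Entry(name, bits, int(uid), int(gid))

def allowed(entry, host_uid, host_gids):
    """Select the permission class: owner, else group, else other; no uid-0 override."""
    if host_uid == entry.uid:
        cls = "owner"
    elif entry.gid in host_gids:
        cls = "group"
    else:
        cls = "other"
    return {c for c in entry.bits[cls] if c != "-"}

def can_create_in(dir_entry, guest_uid, guest_gids=()):
    """Creating a file needs w and x on the parent directory for the mapped caller."""
    host_uid = guest_to_host(guest_uid)
    host_gids = {guest_to_host(g) for g in guest_gids}
    return {"w", "x"} <= allowed(dir_entry, host_uid, host_gids)

# Constructed from the host-side listing in the thread: the nextcloud directory itself.
NEXTCLOUD_DIR = parse_ls("drwxr-xr-x 1 101000 101000      464 Jul 21 16:34 .")

if __name__ == "__main__":
    for guest_uid in (0, 1000):  # root in the guest vs. user xyz (uid 1000)
        print(guest_uid, "->", guest_to_host(guest_uid), "create:", can_create_in(NEXTCLOUD_DIR, guest_uid, (guest_uid,)))
```

Run on the host to see which host identity each guest uid becomes and which class of the directory's mode bits it falls into; a mapped root that is neither owner nor group member lands in the "other" class of a 755 directory.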