Hi, I'm trying to get UID/GID mapping up and running between Proxmox and my VMs for virtiofs shared folders.
My target is to have a dedicated ZFS dataset for the share that I will mount with the nosuid,nodev,noexec parameters. I want a user group named virtiofs-users, and then I want to create a dedicated user per VM that is part of this user group and owns the shared folder that belongs to the VM. The share folder structure should be:
Code:
/mnt/appdata/
├─ <pve-id>-<hostname>
│  └─ <app-name>
│     ├─ config   # config data, e.g. compose
│     ├─ app      # application config files
│     └─ data     # application data, e.g. downloads
Whenever a guest service creates or manipulates a file on the share, its UID/GID should be translated on the host to the UID of the VM user and the GID of virtiofs-users.

Currently I have the dataset, the group, the user and the share on the host. I have added a virtiofs share to the VM and can mount it inside the guest. In Proxmox I configured this share via the web UI and enabled xattr support. I did not yet configure anything else. With this setup I can mount the share in the guest and read/write from the guest. However, currently there is no UID/GID translation.
What do I have to do to get this UID/GID translation running?
It seems that on older versions this was possible with options such as security_model=mapped-xattr and uid=, gid=.
Why is this not supported anymore or what is the modern alternative to this?
I'm new to all of this. The reason I want this is security. I want to avoid a compromised guest being able to get root on the host through virtiofs shares. Google and AI have taught me that UID/GID mapping is the way to go, besides mounting the share with nosuid,nodev,noexec, but maybe this is the wrong approach. Can somebody please point me in the right direction or even teach me how to do this?
Thank you very much!
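The host-side part of the setup the post describes (the per-VM directory tree, its ownership, and the nosuid,nodev,noexec hardening of the ZFS dataset) can be scripted and checked. The script below is an added example, not code from the original post or from Proxmox. The names are assumptions: pool rpool, dataset rpool/appdata mounted at /mnt/appdata, group virtiofs-users, and one host user per VM named vm<vmid>. On ZFS the three mount options are dataset properties (setuid=off, devices=off, exec=off) rather than fstab entries, which is why the setup function creates the dataset with them and then verifies what findmnt reports.

```bash
#!/usr/bin/env bash
# Added example, not code from the original post. Builds the host-side
# layout the post describes and checks that the share's filesystem carries
# nosuid,nodev,noexec. Assumed (hypothetical) names: dataset rpool/appdata
# mounted at /mnt/appdata, group virtiofs-users, host user vm<vmid> per VM.
set -euo pipefail

# Return 0 if a comma-separated mount-option string (as printed by findmnt)
# contains all three of nosuid, nodev and noexec, else 1.
has_hardening_opts() {
  local opts=",$1," o
  for o in nosuid nodev noexec; do
    case "$opts" in
      *",$o,"*) ;;
      *) return 1 ;;
    esac
  done
  return 0
}

# Check the filesystem backing <path> is mounted with the three options.
# For a ZFS dataset they come from setuid=off, devices=off and exec=off.
check_share_mount() {
  local path=$1 opts
  opts=$(findmnt -no OPTIONS --target "$path") || return 1
  if has_hardening_opts "$opts"; then
    echo "ok: $path mounted with $opts"
  else
    echo "warning: $path mounted with '$opts', want nosuid,nodev,noexec" >&2
    return 1
  fi
}

# Create <root>/<vmid>-<hostname>/<app>/{config,app,data}, owned by the VM's
# host user and the shared group. Directories get mode 750: the VM user has
# full access, the group can read, nobody else can enter.
# Usage: make_share_layout <root> <vmid> <hostname> <app> <owner> <group>
make_share_layout() {
  local root=$1 vmid=$2 host=$3 app=$4 owner=$5 group=$6
  local vmdir="$root/$vmid-$host" d
  for d in config app data; do
    mkdir -p "$vmdir/$app/$d"
  done
  chown -R "$owner:$group" "$vmdir"
  chmod -R u=rwX,g=rX,o= "$vmdir"
  printf '%s\n' "$vmdir"
}

# One-time host setup for VM 100 (hostname "nas", app "myapp"); must run as
# root on the Proxmox host. Only executed with --setup, so the functions
# above can be sourced and exercised on their own.
setup_host() {
  zfs create -o mountpoint=/mnt/appdata \
             -o setuid=off -o devices=off -o exec=off rpool/appdata
  getent group virtiofs-users >/dev/null || groupadd --system virtiofs-users
  id vm100 >/dev/null 2>&1 || useradd --system --no-create-home \
      --shell /usr/sbin/nologin --gid virtiofs-users vm100
  make_share_layout /mnt/appdata 100 nas myapp vm100 virtiofs-users
  check_share_mount /mnt/appdata
}

if [ "${1:-}" = "--setup" ]; then
  setup_host
fi
```

Two caveats a practitioner would want: `zfs get setuid,devices,exec rpool/appdata` shows the dataset properties directly if findmnt output is unclear, and the host's nosuid/nodev/noexec flags apply only to the host's own mount. The guest kernel has its own mount of the virtiofs share, so the same options have to be given there too if setuid binaries or device nodes on the share are to be ignored inside the guest. The UID/GID translation itself is a virtiofsd-side setting and is not covered by this script.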