[SOLVED] Help understand lxc bindmount

paolo86

New Member
Nov 28, 2024
Hi everyone,
following this doc page I have successfully shared a disk between two containers and the host. Both containers can read/write files but conceptually something is missing for me....

The first part is clear:

Code:
# uid map: from uid 0 map 1005 uids (in the ct) to the range starting 100000 (on the host), so 0..1004 (ct) → 100000..101004 (host)
lxc.idmap = u 0 100000 1005
lxc.idmap = g 0 100000 1005
# we map 1 uid starting from uid 1005 onto 1005, so 1005 → 1005
lxc.idmap = u 1005 1005 1
lxc.idmap = g 1005 1005 1
# we map the rest of 65535 from 1006 up to 101006, so 1006..65535 → 101006..165535
lxc.idmap = u 1006 101006 64530
lxc.idmap = g 1006 101006 64530

here I'm mapping container uids to high values except for uid 1005.
uid 1005 in the container is mapped to the same uid of the host.

in /etc/subuid and /etc/subgid I add the line
Code:
root:1005:1

The subuid and subgid configurations grant this mapped UID the privileges to act as UID 1005 on the host.

Ok also for the permission on host mounted disk
Code:
chown -R 1005:1005 /mnt/pve/......

but (....and here I can't understand... ) when the container wants to write a file it uses the uid 0 (100000 on the host), not 1005.
How can it have the permissions to write on disk?

Thanks in advance.
 
Hi,
but (....and here I can't understand... ) when the container wants to write a file it uses the uid 0 (100000 on the host), not 1005.
How can it have the permissions to write on disk?
you either need to create a user with ID 1005 inside the container and write as that user, or you need to map the container's root user to 1005, not the container's user with ID 1005.
 
Hi Fiona,
thanks for your reply.
Indeed I agree with you; what I struggle to understand is why the configuration, as reported in the doc page, allows my container to write files on the disk mounted in the host.
I'm missing some details of the configuration (also reported on the first post) that makes everything work.
 
I'm updating and resolving this thread.

To sum up:
I have a disk mounted on the host and a couple of unprivileged containers that read/write files on it.
To setup the share I followed this page

The containerized application uses uid 0 that is translated to uid 100000 on the host.
When listing my shared disk permissions on the host I'm getting
Bash:
drwxr-xr-x 13 1005 1005 /mnt/pve/shared

As said in my previous comments none of the containers use uid 1005 to read/write on the shared disk and this was confusing me.
After some research I discovered that unprivileged containers run with the CAP_DAC_OVERRIDE option enabled, which allows them to read/write files
on the shared disk regardless of the previously shown permissions.
To verify the capabilities of container's root user use the following command:
Bash:
capsh --print

In the command output look for CAP_DAC_OVERRIDE. This capability allows the user to ignore file read, write, and execute permission checks, explaining why UID 100000 (mapped root) might still write on disk.
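As an added example (not code from the thread or from Proxmox), the following Python script resolves the idmap lines posted above, checks that /etc/subuid covers every host range they use, and applies the kernel rule that root's CAP_DAC_OVERRIDE inside a user namespace only takes effect on files whose owner uid and gid are both mapped into that namespace, which is why the extra 1005 mapping matters. The /etc/subuid content is constructed for the example.

```python
import re
# lxc.idmap lines as posted in the thread, embedded here as constructed input
IDMAP_CONFIG = """
lxc.idmap = u 0 100000 1005
lxc.idmap = g 0 100000 1005
lxc.idmap = u 1005 1005 1
lxc.idmap = g 1005 1005 1
lxc.idmap = u 1006 101006 64530
lxc.idmap = g 1006 101006 64530
"""
# Constructed /etc/subuid content: the default root range plus the thread's extra line
SUBUID_CONFIG = "root:100000:65536\nroot:1005:1\n"

def parse_idmap(text):
    """Return {'u': [(ct_start, host_start, count), ...], 'g': [...]}."""
    maps = {"u": [], "g": []}
    for line in text.splitlines():
        if m := re.match(r"\s*lxc\.idmap\s*=\s*([ug])\s+(\d+)\s+(\d+)\s+(\d+)", line):
            maps[m.group(1)].append(tuple(int(x) for x in m.group(2, 3, 4)))
    return maps

def ct_to_host(maps, kind, ct_id):
    """Container uid/gid -> host uid/gid, or None if unmapped (shows up as nobody)."""
    for ct_start, host_start, count in maps[kind]:
        if ct_start <= ct_id < ct_start + count:
            return host_start + (ct_id - ct_start)
    return None

def host_to_ct(maps, kind, host_id):
    """Host uid/gid -> container uid/gid, or None if the host id is invisible in the CT."""
    for ct_start, host_start, count in maps[kind]:
        if host_start <= host_id < host_start + count:
            return ct_start + (host_id - host_start)
    return None

def root_can_override(maps, owner_uid, owner_gid):
    """Namespaced root's CAP_DAC_OVERRIDE applies only to inodes whose owner uid AND gid
    are mapped into the namespace (kernel capable_wrt_inode_uidgid), hence the 1005 line."""
    return (host_to_ct(maps, "u", owner_uid) is not None
            and host_to_ct(maps, "g", owner_gid) is not None)

def parse_subid(text, user="root"):
    """(start, count) ranges that /etc/subuid or /etc/subgid grants to `user`."""
    rows = (l.strip().split(":") for l in text.splitlines() if l.count(":") == 2)
    return [(int(s), int(n)) for u, s, n in rows if u == user]

def idmap_allowed(maps, kind, sub_ranges):
    """Each host range used by the idmap must lie within a granted sub{u,g}id range."""
    return all(any(s <= hs and hs + c <= s + n for s, n in sub_ranges)
               for _, hs, c in maps[kind])

MAPS = parse_idmap(IDMAP_CONFIG)
```

With this mapping, `root_can_override(MAPS, 1005, 1005)` is true, while a share chowned to an unmapped owner such as 1004:1004 would stay unwritable for container root despite the capability.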
 