How to mount external drive (exFAT) into an unprivileged LXC container for all users?

Dr.nassario

New Member
Feb 14, 2023
Hi,

I just downloaded Proxmox and am loving it so far, but I cannot, for the life of me, figure out how to mount an exFAT drive into an LXC.

So to start with, I plugged in my external hard drive (formatted as exFAT) and it showed up inside the Proxmox GUI under the Nodes > Disks tab.

After this, I opened a shell on the host and navigated to the /dev/disk/by-label and found my drive.

By running mount inside the host I can mount the exfat drive but any user besides the root user is unable to write to the drive (the drive permissions are drwxr-xr-x, and they cannot be changed because it's exfat). So to fix this, I ran mount with the umask=000 option which then set the default permissions of the drive to drwxrwxrwx. Now, any user on my host shell can read and write to the drive. Note: I mounted the drive on the host just to test it, when running the container the host does not have the drive mounted.

Next, I created an Ubuntu 22 LXC (unprivileged) and added a mount point in the 102.conf file as follows:

mp0: /dev/disk/by-label/mydrive mp=/mnt/nas, backup=0

This successfully added the drive into the lxc container, however, the drive had the old drwxr-xr-x permissions, and the owner was of ID 65534 (nobody:nogroup).

To fix this, I looked up some ID mappings of host root to container root, which worked. Also, simply setting the container as privileged worked too.

However, this came with two problems. One, the root user on the container now either had an ID of 0 or was privileged. And two, additional users on the container still cannot write to the drive because of its permissions.

While looking for other solutions, I also tried creating fstab files which did not work and also tried forwarding the drive entirely using cgroup.allow which also did not work.

Is there any way to forward the umask=000 parameters to the container mountpoint configuration (mp0 = /drive)? If not, is there any proper way to create an ID mapping of root to a group maybe? Because the exfat mount point is mounted as root, it would also work if we could id map the root user to a group on the container which would allow all users in the group write access to the drive?

TL;DR: the exFAT drive is mounted with root ownership and no write permissions. Fixing it with ID mappings or setting the container to privileged worked but does not allow multiple users write access.
 
Also, when viewing the /proc/mounts file inside the container using an LXC mount point (mp0: /dev/sda), I can see that Proxmox is adding the file and directory masks of 022.

Code:
> cat /proc/mounts
/dev/sda1 /mnt/nas exfat rw,relatime,fmask=0022,dmask=0022,iocharset=utf8,errors=remount-ro 0 0

If I can simply find a way to cleanly change the 0022 to something like 0000 it would instantly fix my problem.
 
Hi, the docs somewhat discourage using device mountpoints. I don't know if they are problematic in your use case, but wanted to pitch another possibility: First mounting the HDD on the host, and then using a bind mount to make that mountpoint available to the container. Also, instead of allowing everyone full access to the drive with umask, you could try using the uid/gid mount options instead, to limit access to a specific group.

I imagine something like this could work:
1) Mount the HDD on the host to /mnt/host-hdd, setting gid=101000 and umask=0002. This should give group 101000 on the host read-write access to the files, and read-only access to everyone else (besides root). In the default LXC gid mapping, group 101000 on the host corresponds to group 1000 inside the container.
2) Bind-mount /mnt/host-hdd inside the container, e.g. mp0: /mnt/host-hdd,mp=/mnt/lxc-hdd
3) Inside the container, create a group with gid 1000 and add all users who should have access to /mnt/lxc-hdd

Now, members of group 1000 inside the container should have read-write access, but non-members inside the container can only read.
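The three steps above, as an added example that is not part of the thread: a small set of shell helpers that derive the host gid from the container gid, emit the host-side mount command and the pct bind-mount command, and check a /proc/mounts line for the gid and masks the mount should carry instead of the 0022 default the OP saw. It assumes the default unprivileged mapping (container gid N maps to host gid 100000+N over 65536 ids) and the pct CLI; the sample /proc/mounts line is constructed.

```bash
#!/usr/bin/env bash
# Added example, not from the thread. Assumes the default unprivileged mapping
# from /etc/subgid (container gid N -> host gid 100000+N, 65536 ids) and pct.
set -eu

SUBGID_BASE=100000   # first host gid of the default range in /etc/subgid
SUBGID_COUNT=65536   # size of that range

# host_gid CONTAINER_GID: print the host gid the container gid maps to.
host_gid() {
  if [ "$1" -lt 0 ] || [ "$1" -ge "$SUBGID_COUNT" ]; then
    echo "container gid $1 is outside the default subgid range" >&2
    return 1
  fi
  echo $((SUBGID_BASE + $1))
}

# exfat_mount_opts CONTAINER_GID: mapped group gets rw, everyone else ro (umask 0002).
exfat_mount_opts() {
  echo "gid=$(host_gid "$1"),umask=0002"
}

# mount_cmd LABEL CONTAINER_GID HOST_DIR: host-side mount of the labelled drive.
mount_cmd() {
  echo "mount -t exfat -o $(exfat_mount_opts "$2") /dev/disk/by-label/$1 $3"
}

# pct_bind_cmd CTID HOST_DIR CT_DIR: expose HOST_DIR in the container as a bind mount.
pct_bind_cmd() {
  echo "pct set $1 -mp0 $2,mp=$3,backup=0"
}

# check_mount_line LINE CONTAINER_GID: verify a /proc/mounts line carries the
# expected gid and 0002 masks; fails on the fmask/dmask=0022 default from the thread.
check_mount_line() {
  local opts want
  opts=",$(echo "$1" | awk '{print $4}'),"
  want=$(host_gid "$2")
  for needed in "gid=$want" "fmask=0002" "dmask=0002"; do
    case "$opts" in
      *",$needed,"*) ;;
      *) echo "missing $needed in: $opts" >&2; return 1 ;;
    esac
  done
}

# Constructed sample line in the thread's /proc/mounts format, with the fixed options.
SAMPLE_OK="/dev/sda1 /mnt/host-hdd exfat rw,relatime,gid=101000,fmask=0002,dmask=0002,iocharset=utf8,errors=remount-ro 0 0"
```

Run `mount_cmd mydrive 1000 /mnt/host-hdd` and `pct_bind_cmd 102 /mnt/host-hdd /mnt/lxc-hdd` to see the two commands for the setup above; `check_mount_line "$(grep /mnt/host-hdd /proc/mounts)" 1000` confirms the live mount after the fact.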
 
That's exactly the setup we have right now, I just didn't know if this was the optimal way to do this in Proxmox. Thank you!
 
