LXC Bind Mount

poxin

Jun 27, 2017
Having an issue with permissions on privileged containers (haven't even started with unprivileged yet).

I have a CT made with the bind mount
Code:
mp0: /rpool/storage,mp=/storage

/rpool/storage is a zfs mount on the host and folders/files are owned as root by default. Inside the containers exist different users, such as a samba user or other service user. Even being unprivileged, they can't create files.
Code:
touch: cannot touch 'test': Permission denied

This is mostly expected since they're owned by root. Changing it to nobody:nogroup didn't resolve it.

From my understanding for unprivileged containers: "the container takes the subuid and subgid ranges for root and mapping them to UIDs/GIDs inside the container". This appears to be working okay as long as the service inside the CT is using root. What about non-root users in the CT?

So my setup question would be: How could I have multiple different users from different containers be able to write to the mount /rpool/storage zfs directory on the host?
 
You'd need to map those UIDs and GIDs in the different containers to the same unprivileged UIDs and GIDs on the host, or set lax permissions that allow different unprivileged UIDs/GIDs to access the files.
 
Hi fabian. Are you talking about something like this?
stgraber.org/2017/06/
 
Yes and no - that article talks a lot about LXD, which we don't use. You can set idmaps in your container's configuration file in /etc/pve/nodes/NODE/lxc (the config key is "lxc.idmap", the values are as described in "man lxc.container.conf"). The default mapping is the same for all containers, so the user with UID 1000 in container A is mapped to the same host UID as the user with UID 1000 in container B. If you control the UIDs (e.g., you deploy your containers using some sort of config management, or your users are centrally managed via LDAP, or ...), this means that you can easily use matching user and group IDs and don't need to do anything special. Alternatively, you can use idmaps to forcefully map different UIDs in container A and B to the same host UID if you really need that. Usually people would want the opposite though - isolate everything even further by giving each container a different, non-overlapping mapping ;)
 
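The replies above describe two things in words: the default shifted mapping (container ID N lands on host ID 100000+N for every container) and the idmap entries needed to punch a specific container UID/GID straight through to the same host ID so that two containers, and the host, agree on the owner of files in the bind mount. The script below is an added example written for this thread, not code from Proxmox or from either poster. It generates the `lxc.idmap` lines for such a split map and checks the arithmetic that people usually get wrong (the ranges must tile the whole 0..65535 space without gaps or overlaps). It assumes the stock defaults of a 100000 base and a 65536-wide range for root's subordinate IDs; the container IDs 1000/1001 used in the demonstration are constructed values.

```shell
#!/bin/sh
# Added example: build lxc.idmap lines for a Proxmox unprivileged CT that map the
# listed container UIDs/GIDs 1:1 onto the same host IDs while every other ID keeps
# the default shifted mapping. Assumed defaults (not read from the system):
BASE=100000   # first host ID root's subordinate range starts at
RANGE=65536   # size of that range (container IDs 0..65535)

# idmap_lines KIND ID...  -> prints "lxc.idmap: KIND <ct_start> <host_start> <count>"
# KIND is u (uid) or g (gid). IDs must be numeric, ascending and unique so the
# emitted ranges are contiguous and non-overlapping; otherwise returns 1.
idmap_lines() {
    kind=$1; shift
    cur=0      # next container ID not yet covered by an emitted range
    prev=-1    # last pass-through ID, to enforce ascending order
    for id in "$@"; do
        case $id in ''|*[!0-9]*) echo "idmap_lines: bad id '$id'" >&2; return 1;; esac
        [ "$id" -gt "$prev" ] || { echo "idmap_lines: ids must be ascending and unique" >&2; return 1; }
        [ "$id" -lt "$RANGE" ] || { echo "idmap_lines: id $id outside 0..$((RANGE - 1))" >&2; return 1; }
        # shifted block for the IDs below this one that are not passed through
        if [ "$id" -gt "$cur" ]; then
            echo "lxc.idmap: $kind $cur $((BASE + cur)) $((id - cur))"
        fi
        # single-ID pass-through: container ID == host ID
        echo "lxc.idmap: $kind $id $id 1"
        cur=$((id + 1))
        prev=$id
    done
    # remaining IDs above the last pass-through keep the shifted mapping
    if [ "$cur" -lt "$RANGE" ]; then
        echo "lxc.idmap: $kind $cur $((BASE + cur)) $((RANGE - cur))"
    fi
}

# subid_lines ID... -> the extra /etc/subuid and /etc/subgid entries the host
# needs before root is allowed to map those IDs unshifted
subid_lines() {
    for id in "$@"; do echo "root:$id:1"; done
}

# host_id ID PASSTHROUGH... -> host ID that container ID lands on under the map:
# unchanged if it is one of the pass-through IDs, otherwise BASE+ID
host_id() {
    id=$1; shift
    for p in "$@"; do
        [ "$p" = "$id" ] && { echo "$id"; return 0; }
    done
    echo $((BASE + id))
}

# Demonstration: pass UID/GID 1000 through on a CT so that uid 1000 in this CT
# (and in any other CT configured the same way) owns files as host uid 1000.
idmap_lines u 1000
idmap_lines g 1000
echo "# append to /etc/subuid and /etc/subgid on the host:"
subid_lines 1000
echo "# host owner of a file written by ct uid 33: $(host_id 33 1000)"
```

The emitted `lxc.idmap:` lines go into the CT's config on the host (the thread points at `/etc/pve/nodes/NODE/lxc`); the `root:1000:1` entries are required in `/etc/subuid` and `/etc/subgid`, otherwise the container refuses to start because root is not permitted to map that ID. After that the directory on the host still has to be owned (or made writable via group/ACL) by host ID 1000 for the bind-mounted `/storage` to be writable from inside. Note the second sentence of the reply above: this deliberately weakens isolation between the containers that share the pass-through ID, which is exactly the trade-off being made.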