LXC Bindmounts (ZFS Directory mount) - Unwritable from LXC

ameeno

Hello friends.


I have tried to follow numerous guides and numerous steps, doing my research before posting here to trouble you.

Ultimately, I want the container to be able to read and write to a zfs hosted volume, that is writable from the host.


I have tried:
----
privileged, nested lxc,
*but that causes issues and is a security risk (but the folder is writable). However, docker won't start.* - all sorts of chroot/kernel bugs

----
I have tried an unprivileged container: (with nested & keyctl)
the folder is UNWRITABLE. Hence I am here

----
I have tried starting as unprivileged, then manually wiping the privileged flag:
the folder is writable, but UIDs are messed up, can't ssh in, etc. Many bugs.

Here are my configs for you to check:
lxc:
Code:
arch: amd64
cores: 1
features: keyctl=1,nesting=1
hostname: docker
memory: 1024
mp0: /mnt/bindmounts/zfs_docker,mp=/share
net0: name=eth0,bridge=vmbr0,hwaddr=DE:48:C5:9C:13:22,ip=dhcp,type=veth
onboot: 1
ostype: debian
rootfs: b-local-zfs:subvol-100-disk-0,size=16G
startup: order=1
swap: 1024
unprivileged: 1
Here is my zfs list:
Code:
root@pve:~# zfs list
NAME                          USED  AVAIL     REFER  MOUNTPOINT
tank                         1.56G  6.58T       96K  /tank
tank/data                     715M  6.58T      104K  /tank/data
tank/data/subvol-100-disk-0   715M  15.3G      715M  /tank/data/subvol-100-disk-0
tank/docker_persistant         96K  6.58T       96K  /mnt/bindmounts/zfs_docker
tank/storage                  876M  6.58T      876M  /mnt/zfs_storage

Here is my inside lxc writing attempts/ls
Code:
root@docker:/share# ls -al
total 10
drwxr-xr-x  3 nobody nogroup  3 May 23 13:30 .
drwxr-xr-x 22 root   root    22 May 23 14:54 ..
drwxr-xr-x  3 nobody nogroup  3 May 23 13:30 portainer
root@docker:/share# touch hello
touch: cannot touch 'hello': Permission denied
root@docker:/share#

Here is my mount ls from host:
Code:
root@pve:/mnt/bindmounts/zfs_docker# ls -al
total 5
drwxr-xr-x 3 root root    3 May 23 14:30 .
drwxr-xr-x 3 root root 4096 May 23 15:39 ..
drwxr-xr-x 3 root root    3 May 23 14:30 portainer
root@pve:/mnt/bindmounts/zfs_docker#

Can you advise what I am doing incorrectly?



Thanks for your time.
 
Root in the container is not the same user ID as root on the host. Note how the directory is owned by "nobody" inside the container. You must make the directory writable by the appropriate container user ID. Maybe inside the container do "id", then make the folder owned by that ID outside (there won't be a matching name).

ETA: This is also why the user IDs are "messed up" when you forcibly switch an unprivileged container to privileged. Privileged has the same UIDs as the host, unprivileged does not.
 
Yeah, didn't think that one through. It looks normal from inside the container. On my system if I do "ps axu" I see the CT processes running with UID 100000 or higher. So root would be 100000.

To be sure, you could temporarily chmod 777 the mountpoint on the host, then touch a file there from in the container. There is also a way to specify a mapping for a particular user or group: https://pve.proxmox.com/wiki/Unprivileged_LXC_containers
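The two replies above describe the UID shift behind the "nobody nogroup" listing. The script below is an added example for this thread, not Proxmox's own tooling: it resolves a container UID/GID through an lxc.idmap block to the host ID it becomes, does the reverse lookup to show why host-root-owned files appear as nobody (65534) inside the container, and prints the chown a host admin would run on the bind-mounted directory. The idmap text is constructed here and follows the per-user mapping pattern from the wiki link above (container 0-1004 to host 100000+, container 1005 kept as host 1005, the rest shifted again); the default 100000/65536 range is assumed, and the output path /mnt/bindmounts/zfs_docker is taken from the config in the first post.

```shell
#!/bin/sh
# Added example: map ids between an unprivileged Proxmox LXC and its host.
# Assumption: default Proxmox shift is container 0 -> host 100000, range 65536.
# IDMAP below is constructed (per-user mapping of uid/gid 1005 as on the wiki).

IDMAP='lxc.idmap: u 0 100000 1005
lxc.idmap: g 0 100000 1005
lxc.idmap: u 1005 1005 1
lxc.idmap: g 1005 1005 1
lxc.idmap: u 1006 101006 64530
lxc.idmap: g 1006 101006 64530'

# map_id TYPE ID [IDMAP]: TYPE is u or g; prints the host id for a container
# id, or "unmapped" if no lxc.idmap range covers it.
map_id() {
    _type=$1; _id=$2; _map=${3:-$IDMAP}
    printf '%s\n' "$_map" | awk -v t="$_type" -v id="$_id" '
        $1 == "lxc.idmap:" && $2 == t {
            ct = $3 + 0; host = $4 + 0; n = $5 + 0
            if (id >= ct && id < ct + n) { print host + (id - ct); found = 1; exit }
        }
        END { if (!found) print "unmapped" }'
}

# container_view TYPE HOST_ID [IDMAP]: reverse lookup. A host id outside every
# range has no container identity and is shown as the overflow id 65534,
# which the container names "nobody"/"nogroup" (the listing in the thread).
container_view() {
    _type=$1; _hid=$2; _map=${3:-$IDMAP}
    printf '%s\n' "$_map" | awk -v t="$_type" -v hid="$_hid" '
        $1 == "lxc.idmap:" && $2 == t {
            ct = $3 + 0; host = $4 + 0; n = $5 + 0
            if (hid >= host && hid < host + n) { print ct + (hid - host); found = 1; exit }
        }
        END { if (!found) print 65534 }'
}

# chown_for DIR CUID CGID: prints (does not run) the chown the host admin
# would apply so that container user CUID:CGID owns DIR.
chown_for() {
    _huid=$(map_id u "$2"); _hgid=$(map_id g "$3")
    if [ "$_huid" = unmapped ] || [ "$_hgid" = unmapped ]; then
        printf 'container id %s:%s has no host mapping; fix lxc.idmap first\n' "$2" "$3"
        return 1
    fi
    printf 'chown %s:%s %s\n' "$_huid" "$_hgid" "$1"
}

# Walk through the thread's situation: host root (uid 0) owns the directory,
# the container's root (uid 0) wants to write to it.
echo "host uid 0 seen from the container as uid: $(container_view u 0)"
echo "container root maps to host uid: $(map_id u 0)"
echo "container uid 1005 maps to host uid: $(map_id u 1005)"
echo "command to run on the host:"
chown_for /mnt/bindmounts/zfs_docker 0 0
```

The first line of output (65534) is the "nobody" in the container listing; the last line is the fix from the reply above, with the ID resolved instead of guessed. If you use the per-user lxc.idmap lines, the host's /etc/subuid and /etc/subgid must also permit root to use that ID (e.g. "root:1005:1"), otherwise the container will refuse to start.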
 
Well, I have not made any progress with this; I have reinstalled Proxmox multiple times.

LXC containers simply don't start with a ZFS dataset mapped at mp0 (persistent or non-persistent).
 
