[SOLVED] LXC CIFS: unmount not working - block devices are not permitted on filesystem

TheHellSite

Active Member
Mar 4, 2020
I am facing a strange problem with my Arch Linux LXC running Jellyfin.

I mounted my media shares in the LXC which is working fine.
However, during every reboot, poweroff or stop of the LXC I need to kill the pve-process of the whole container because it simply won't shut down.

At first I thought it was because I was mounting the shares using /etc/fstab instead of a systemd unit. But switching it over to a systemd unit didn't help.
After that I thought it was because Jellyfin is stopped after the system is trying to unmount my CIFS shares, but the syslog is showing the opposite (right) behaviour.

mount media systemd unit
Code:
/etc/systemd/system/mnt-media.mount
===================================
[Unit]
Description=Mount media share r/w at boot.
After=mnt-media.mount nss-lookup.target
BindsTo=mnt-media.mount

[Mount]
What=//NAS/nas/Media
Where=/mnt/media
Type=cifs
Options=_netdev,noatime,uid=jellyfin,gid=jellyfin,user=rw_smb_user,pass=x,iocharset=utf8
ForceUnmount=true
TimeoutSec=30

[Install]
WantedBy=multi-user.target

relevant syslog
Code:
Dec 03 12:46:58 JELLY-LXC systemd[1]: Unmounting Mount media share r/o at boot....
Dec 03 12:46:58 JELLY-LXC systemd[1]: Stopping Record System Boot/Shutdown in UTMP...
Dec 03 12:46:58 JELLY-LXC umount[127]: umount: /mnt/media: block devices are not permitted on filesystem.
Dec 03 12:46:58 JELLY-LXC systemd[1]: mnt-media.mount: Mount process exited, code=exited, status=32/n/a
Dec 03 12:46:58 JELLY-LXC systemd[1]: Failed unmounting Mount media share r/w at boot..
 

How did you configure your LXC? For unprivileged LXCs, mounting NFS/SMB inside the LXC shouldn't work by default. For privileged LXCs, that should work if you enable the NFS/CIFS feature, but then you get problems with systemd because the newer Linuxes need nesting to be able to access /dev and /proc, and that isn't recommended because privileged LXCs are so insecure.
 
The LXC is configured like this: priviliged=1,nesting=1,cifs=1
The CIFS share is working great within the LXC and doesn't create any problems whatsoever, apart from the reboot/shutdown issue.

Are privileged LXCs really THAT unsafe?
The reason I went with a privileged LXC instead of an unpriv. LXC (mapping the CIFS share from the PVE host to the LXC guest using bind mounts) is because I want to keep my PVE instance as stock as possible without manually altering too many config files.

Even though it might be unsafe, shouldn't it still work without that strange bug I am facing?
 
Privileged LXCs are so unsafe because there is no user remapping. Your LXC's root user is the same root as that of your complete host. So if something goes wrong inside that LXC, there is not much isolation. And with nesting you allow your LXC to access your /proc and /dev, so the root user of the LXC may format all the disks in your server and stuff like that.
 
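The combination discussed in the posts above (privileged container, nesting, CIFS mount feature) can be checked from the host side. The following is an added example, not part of any post in this thread: it reads a Proxmox container config and reports the `unprivileged:` and `features:` settings. The function name `audit_lxc_conf`, the verdict labels and the sample configs are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Classifies one Proxmox container
# config by the settings discussed above: privileged vs. unprivileged,
# nesting, and the cifs/nfs mount feature.
audit_lxc_conf() {
    awk '
        /^\[/ { exit }   # snapshot sections start here; audit only the live config
        /^unprivileged:[ \t]*1[ \t]*$/ { unpriv = 1 }
        /^features:/ {
            sub(/^features:[ \t]*/, "")
            sub(/[ \t]+$/, "")
            n = split($0, feat, /[ \t]*,[ \t]*/)
            for (i = 1; i <= n; i++) {
                if (feat[i] == "nesting=1") nesting = 1
                # mount= takes a ;-separated list of filesystem types
                if (feat[i] ~ /^mount=/ && feat[i] ~ /(=|;)(cifs|nfs)(;|$)/) netfs = 1
            }
        }
        END {
            # No "unprivileged: 1" line means the container is privileged.
            # Labels are assumptions: HIGH = privileged with nesting,
            # REVIEW = privileged without nesting, OK = unprivileged.
            verdict = unpriv ? "OK" : (nesting ? "HIGH" : "REVIEW")
            printf "privileged=%d nesting=%d netfs_mount=%d verdict=%s\n",
                   !unpriv, nesting + 0, netfs + 0, verdict
        }
    ' "$1"
}

# Constructed sample configs (not real containers).
tmp=$(mktemp -d)
printf 'arch: amd64\nfeatures: mount=cifs,nesting=1\nhostname: demo-priv\n' \
    > "$tmp/101.conf"
printf 'arch: amd64\nhostname: demo-unpriv\nunprivileged: 1\n\n[snap1]\nfeatures: nesting=1\n' \
    > "$tmp/102.conf"

for f in "$tmp"/*.conf; do
    printf '%s: %s\n' "${f##*/}" "$(audit_lxc_conf "$f")"
done
rm -rf "$tmp"
```

On a PVE host the same function can be run over the files in `/etc/pve/lxc/`.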
Yup, that's the way I'm doing it with my Docker LXCs. Just a bit annoying because the guest is relying on a specific config of the host in order to be able to be started. So just setting up a fresh PVE host and restoring guests from backups isn't working.
 
This is why I was refusing to use unpriv. LXCs. I even tried the bind mounts before and it worked.

And since the changes are only necessary on the host and not in the LXC I think it would be nice to have this as a feature available in the web GUI.
This would make it a lot easier... I will open a feature request.
 
