Mount LVM in Unprivileged LXC Containers

Jim J

Oct 26, 2016
I am trying to mount a host LVM to multiple unprivileged containers but having little luck. Here are the relevant parts of my unprivileged container conf file.

What I have done:
Created a uid/gid on the HOST and CONTAINER for app-files (1005)

Code:
mp0: local-lvm:vm-108-disk-3,mp=/mnt/MYDIR

lxc.idmap = u 0 100000 1005
lxc.idmap = g 0 100000 1005

lxc.idmap = u 1005 1005 1
lxc.idmap = g 1005 1005 1

lxc.idmap = u 1006 101006 64530
lxc.idmap = g 1006 101006 64530

And SUBGID/SUBUID respectively
Code:
root@prox:/etc/pve/lxc# cat /etc/subgid
root:1005:1
root:100000:65536
systemd-timesync:100000:65536
systemd-network:165536:65536
systemd-resolve:231072:65536
systemd-bus-proxy:296608:65536
statd:362144:65536
sshd:427680:65536
messagebus:493216:65536
postfix:558752:65536
ais:624288:65536
app-files:689824:65536

Code:
root@prox:/etc/pve/lxc# cat /etc/subuid
root:1005:1
root:100000:65536
systemd-timesync:100000:65536
systemd-network:165536:65536
systemd-resolve:231072:65536
systemd-bus-proxy:296608:65536
statd:362144:65536
sshd:427680:65536
messagebus:493216:65536
postfix:558752:65536
ais:624288:65536
app-files:689824:65536


But when I start the container, the shared mount is inaccessible.
Code:
root@container:~# ls -l /mnt
total 184
drwxrwx--- 10 nobody nogroup 188416 Jun 29 18:47 MYDIR

Help!
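As an added example, not from the post and not Proxmox code: a POSIX shell script that parses an lxc.idmap set like the one above, looks ids up in both directions and checks the mapping against /etc/subuid. The IDMAP and SUBUID strings are constructed to mirror the post (on a real host they come from the container config and from /etc/subuid or /etc/subgid). The reverse lookup shows why a directory can appear as nobody/nogroup: a file on the volume whose host owner has no idmap line is presented inside the container as the kernel's overflow id.

```shell
#!/bin/sh
# Added example (not from the thread): check an lxc.idmap set against
# /etc/subuid and translate ids between container and host.
# IDMAP and SUBUID below are constructed to mirror the original post.

IDMAP='u 0 100000 1005
g 0 100000 1005
u 1005 1005 1
g 1005 1005 1
u 1006 101006 64530
g 1006 101006 64530'

# Only the entries relevant to the mapping are reproduced here.
SUBUID='root:1005:1
root:100000:65536
app-files:689824:65536'

# idmap_to_host TYPE CONTAINER_ID: print the host id that container id
# CONTAINER_ID of TYPE (u or g) maps to, or "unmapped" if no line covers it.
idmap_to_host() {
    printf '%s\n' "$IDMAP" | awk -v t="$1" -v id="$2" '
        $1 == t && id >= $2 && id < $2 + $4 { print $3 + (id - $2); found = 1; exit }
        END { if (!found) print "unmapped" }'
}

# idmap_to_container TYPE HOST_ID: the reverse lookup. A file on the mounted
# volume whose host owner prints "unmapped" here is what the container shows
# as nobody/nogroup (the overflow id), which is what the ls above reports.
idmap_to_container() {
    printf '%s\n' "$IDMAP" | awk -v t="$1" -v id="$2" '
        $1 == t && id >= $3 && id < $3 + $4 { print $2 + (id - $3); found = 1; exit }
        END { if (!found) print "unmapped" }'
}

# idmap_check TYPE: return 0 when every line of TYPE maps into a range that
# root owns in SUBUID and the container side tiles 0..65535 without gaps or
# overlaps; otherwise print each problem and return 1.
idmap_check() {
    printf '%s\n' "$IDMAP" | awk -v t="$1" '$1 == t' | sort -k2,2n |
    awk -v subuid="$SUBUID" '
        BEGIN {
            bad = 0
            n = split(subuid, lines, "\n")
            for (i = 1; i <= n; i++) {
                split(lines[i], f, ":")
                if (f[1] == "root") { m++; lo[m] = f[2] + 0; hi[m] = f[2] + f[3] }
            }
        }
        {
            ok = 0
            for (i = 1; i <= m; i++)
                if ($3 >= lo[i] && $3 + $4 <= hi[i]) ok = 1
            if (!ok) { print "host range " $3 "-" ($3 + $4 - 1) " is not inside a root entry of subuid/subgid"; bad = 1 }
            k++; cstart[k] = $2 + 0; clen[k] = $4 + 0
        }
        END {
            next_id = 0
            for (i = 1; i <= k; i++) {
                if (cstart[i] != next_id) { print "container ids jump from " next_id " to " cstart[i]; bad = 1 }
                next_id = cstart[i] + clen[i]
            }
            if (next_id != 65536) { print "container side covers " next_id " ids, expected 65536"; bad = 1 }
            exit bad
        }'
}

# Demo run with the constructed data.
echo "container uid 1005 -> host uid $(idmap_to_host u 1005)"
echo "host uid 0 -> container uid $(idmap_to_container u 0)"
if idmap_check u && idmap_check g; then echo "idmap is consistent with subuid/subgid"; fi
```

With the post's data the check passes, so the mapping itself is consistent; the useful question is then who owns the volume's top directory on the host (`stat -c %u:%g` on the mounted path), and whether that id has a line in the map. The check also catches the other common failure, a range outside root's subuid/subgid entries, which stops the container from starting at all.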
 
Hi,

I don't know what your setup looks like,
but I would use acl and not try to remap your UID from the unprivileged to the privileged UID range.
 
but I would use acl and not try to remap your UID from the unprivileged to the privileged UID range.
Are you suggesting I try with a user in a lower range like 100 to 499?
You mentioned ACL, and I presume you mean file permissions? I'm new to priv/unpriv containers, how does ACL factor in?
 
I'm trying to share a Logical Volume, I didn't think I could grant access to it since it's not a file or directory.

Code:
mp0: local-lvm:vm-108-disk-3,mp=/mnt/MYDIR
I already created the target folder in the client container to be owned by the new user. I'm not sure that it matters though.
 
Hi,

I don't know what your setup looks like,
but I would use acl and not try to remap your UID from the unprivileged to the privileged UID range.

Would you mind giving an example on how to set the acl on the host to allow unprivileged containers access to a mounted directory/file? I'm having some trouble with this myself.
 
Hi jtpavlock,

Simply turn it on for the fs and turn it on for the container mp.
How this works depends on your FS, which you did not specify.
On the LXC side, it is just a checkbox that you have to check.
 
Hi jtpavlock,

Simply turn it on for the fs and turn it on for the container mp.
How this works depends on your FS, which you did not specify.
On the LXC side, it is just a checkbox that you have to check.

Thanks for the response, Wolfgang.

Got it working, and wow, it seems much easier than fiddling with uid mappings. I’m surprised it isn’t suggested in the wiki or something... I had a hard time finding out that this was even an alternative to the currently suggested uid mapping method in the wiki.
 
@wolfgang, just to confirm I got it right:
You mention turning on ACL on the container (checkbox).
This seems to work for cases where bind mounts are not being used.

The pve documentation says:
Bind mounts are considered to not be managed by the storage subsystem, so you cannot make snapshots or deal with quotas from inside the container. With unprivileged containers you might run into permission problems caused by the user mapping and cannot use ACLs.

So I'm not surprised that in my container using a bind mount to local ZFS storage the option is greyed out.

Am I right that when using bind mounts (on zfs), the only way to give proper permissions is to use id mapping?
 
Thanks

(attached image: upload_2019-5-10_17-15-21.png)

Option ACL is grayed out, but as you can see it now says Enabled.
I forgot that a bind mount point can only be edited via pct or in the container cfg file.
So I added acl=1 in the cfg.

On the ZFS storage I have set:
xattr=sa
ACLTYPE=posixacl
ACLINHERIT=passthrough

I will play around with it and see if it fits the use case.
This thread is more about LVM, so if I've got more questions perhaps it's better to start a separate thread.
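As an added example serving both the bind-mount question above and the acl=1 / ZFS settings this post reports, and not code from the thread or from Proxmox: a POSIX shell script that checks the two places involved, the mpN line in the container config (does it carry acl=1?) and the dataset's ZFS properties (acltype=posixacl, xattr=sa, aclinherit=passthrough, the values the post sets), prints the `pct set` / `zfs set` commands for whatever is missing, and builds the setfacl command for the container user's mapped host id. Assumptions: the container config and `zfs get -H -o property,value` output are constructed inline, the dataset name tank/shared and the host path /tank/shared are placeholders, and the mapping is the default unprivileged one (container id N is host id 100000+N, as root:100000:65536 in this thread's /etc/subuid); with a custom lxc.idmap the mapped ids would differ.

```shell
#!/bin/sh
# Added example (not from the thread): is a bind mount on a ZFS dataset
# ready for POSIX ACLs from an unprivileged container? Prints remediation
# commands instead of running them, so the output can be reviewed first.
# On a real host: CT_CONF from /etc/pve/lxc/<vmid>.conf and ZFS_PROPS from
#   zfs get -H -o property,value acltype,xattr,aclinherit <dataset>

# Constructed container config: mp0 is a bind mount without acl=1 yet.
CT_CONF='arch: amd64
unprivileged: 1
mp0: /tank/shared,mp=/mnt/MYDIR'

# Constructed "zfs get" output for the placeholder dataset tank/shared
# (awk splits on any whitespace, so tab- or space-separated both work).
ZFS_PROPS='acltype off
xattr on
aclinherit restricted'

# mp_has_acl MPKEY: return 0 if the MPKEY line (e.g. mp0) carries acl=1.
mp_has_acl() {
    printf '%s\n' "$CT_CONF" | awk -v key="$1:" '
        $1 == key { n = split($2, opt, ","); for (i = 1; i <= n; i++) if (opt[i] == "acl=1") ok = 1 }
        END { if (ok) exit 0; exit 1 }'
}

# zfs_prop NAME: print the dataset value of property NAME from ZFS_PROPS.
zfs_prop() {
    printf '%s\n' "$ZFS_PROPS" | awk -v p="$1" '$1 == p { print $2 }'
}

# acl_check VMID MPKEY DATASET: print one command per missing setting and
# return 1 if anything was missing, 0 when the mount is ACL-ready.
acl_check() {
    vmid=$1; mpkey=$2; dataset=$3; missing=0
    if [ "$(zfs_prop acltype)" != "posixacl" ]; then
        echo "zfs set acltype=posixacl $dataset"; missing=1
    fi
    if [ "$(zfs_prop xattr)" != "sa" ]; then
        echo "zfs set xattr=sa $dataset"; missing=1
    fi
    if [ "$(zfs_prop aclinherit)" != "passthrough" ]; then
        echo "zfs set aclinherit=passthrough $dataset"; missing=1
    fi
    if ! mp_has_acl "$mpkey"; then
        # Re-emit the existing mount spec with acl=1 appended; pct set
        # replaces the whole mpN value, so the old options must be kept.
        spec=$(printf '%s\n' "$CT_CONF" | awk -v key="$mpkey:" '$1 == key { print $2 }')
        echo "pct set $vmid -$mpkey $spec,acl=1"; missing=1
    fi
    return $missing
}

# acl_grant_cmd HOSTPATH CTUID CTGID: setfacl command giving the container
# user's MAPPED host ids access to HOSTPATH; the d: entries are default ACLs
# so files created later inherit the grant. Assumes the default unprivileged
# mapping (container id N -> host id 100000+N).
acl_grant_cmd() {
    hu=$((100000 + $2)); hg=$((100000 + $3))
    echo "setfacl -R -m u:$hu:rwx,g:$hg:rwx,d:u:$hu:rwx,d:g:$hg:rwx $1"
}

# Demo run with the constructed data (VMID 108 as in the thread).
if acl_check 108 mp0 tank/shared; then
    echo "mount is ACL-ready"
else
    echo "run the commands above on the host, then:"
fi
acl_grant_cmd /tank/shared 1005 1005
```

The grant names the mapped id (101005 for container uid 1005), not the raw container id: under the default mapping host uid 1005 has no line in the container's idmap, so an ACL for it would be invisible inside the container and would instead expose the data to whichever host account owns that id. After applying the output, `getfacl` on the host path shows the entries, and the same `ls -l` used in the first post should then show the directory with the intended owner and permissions from inside the container.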
 
Thanks

(attached image 10243)

Option ACL is grayed out, but as you can see it now says Enabled.
I forgot that a bind mount point can only be edited via pct or in the container cfg file.
So I added acl=1 in the cfg.

On the ZFS storage I have set:
xattr=sa
ACLTYPE=posixacl
ACLINHERIT=passthrough

I will play around with it and see if it fits the use case.
This thread is more about LVM, so if I've got more questions perhaps it's better to start a separate thread.
OMG! This! I've been trying to figure this out for weeks!
I haven't solved my problem yet but since Proxmox enables ACL by default when mounting cephfs on the host I think this might be where I'm getting tripped up.
 