[partially SOLVED] bind mount(s) confusion with nextcloud and system users

lz114

Aug 25, 2024
Hey folks!

I know there are several threads related to bind mounts to unprivileged containers. I think I get how to do it, but I do not know where to start in my case.

I've set up nextcloud, using tteck's (rip!) script for alpine. The basic stuff is set up after some tweaking, but now I need two bind mounts. One should be the nextcloud data directory, the other is access to my media.

Within the container, I run nextcloud with
  • user nextcloud
    • uid 104
  • group www-data
    • gid 82
On my proxmox host
  • uid 104 is taken
    • postfix user
  • nextcloud user is not (yet) existing
  • gid 82 is not taken
    • www-data has gid 33
My confusion is now on how to proceed with the nextcloud data directory (1.) and the media directory (2.)

1.) nextcloud data directory
I guess I would need to create a nextcloud user on the host. As a next step, I would change the uid within the container to the uid of 'nextcloud' on the host? If so, I would align the container www-data gid to the one of the host.
  • In this case, how would the lxc.idmap config and the /etc/sub{u,g}id need to be set?
  • Is there a safe way to change the ids?
An alternative would be to change the ids in the container to non-system-user values. Then I could go on with the many examples of the forum. But I don't know if there would be downsides for the nextcloud instance.

2.) media directory
On my proxmox host, the media files are owned by root:media. I guess I should create a media group in the nextcloud container, map the group in the same manner as I will map the www-data group and add nextcloud user to the group?
 
Found my issue why it was not working before. I have created As the uid/gids are not the same, I needed to have both values in
/etc/subuid:
Code:
root:100000:65536
root:999:1 # user id of nextcloud on proxmox host
root:104:1 # user id of nextcloud in container
and /etc/subgid:
Code:
root:100000:65536
root:33:1 # group id of www-data on proxmox host
root:82:1 # group id of www-data in container
(hint: comments are not allowed in these files)

and the /etc/pve/lxc/<ct_id>.conf containing
Code:
lxc.idmap: u 0 100000 104
lxc.idmap: u 104 999 1
lxc.idmap: u 105 100105 64530
lxc.idmap: g 0 100000 82
lxc.idmap: g 82 33 1
lxc.idmap: g 83 100083 64530
 
I now have different issues:
Within the container, the ownership of nextcloud files has changed from 104:82 to 100104:100082 -_- I can't change the ownership, even with sudo. I also tried to mount the container's rootfs and change ownership from within the host. There I get "Operation not permitted".

How to avoid such issues?

edit: I think I can get towards a solution when I mount the rootfs to the Proxmox host and change the ownership to the user/group names. Tried IDs before, but it actually makes more sense to use the names, like for the bind mounts. Will try tomorrow.
 
Yeah, that did it. However, a (minor?) issue is left

/proc, /sys and /lost+found are still owned by 65534:65534/nobody:nobody. I tried to change by name to root and by u/gid to 0 and 10000 from the host to mounted rootfs. Haven't noticed issues in system functionality, folder gets populated while system is running. But it doesn't feel good :/
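
The ID mappings posted in this thread can be checked mechanically. The following is an added example, not part of the original posts or of any Proxmox tooling: it parses the lxc.idmap lines and the /etc/subuid and /etc/subgid entries quoted above, lists container IDs that have no mapping (assuming the container should cover IDs 0 to 65535), and lists host ranges that root has not been delegated. The function names are hypothetical.

```python
# Added example: sanity-check lxc.idmap lines against subuid/subgid delegations.
# Sample values are copied from the thread; the 65536-ID range is an assumption.
IDMAP = """\
lxc.idmap: u 0 100000 104
lxc.idmap: u 104 999 1
lxc.idmap: u 105 100105 64530
lxc.idmap: g 0 100000 82
lxc.idmap: g 82 33 1
lxc.idmap: g 83 100083 64530
"""
SUBUID = "root:100000:65536\nroot:999:1\nroot:104:1\n"
SUBGID = "root:100000:65536\nroot:33:1\nroot:82:1\n"

def parse_idmap(text, kind):
    """Sorted (container_start, host_start, count) tuples for kind 'u' or 'g'."""
    maps = []
    for line in text.splitlines():
        key, _, value = line.partition(":")
        fields = value.split()
        if key.strip() == "lxc.idmap" and len(fields) == 4 and fields[0] == kind:
            maps.append(tuple(int(f) for f in fields[1:]))
    return sorted(maps)

def parse_subid(text, owner="root"):
    """(start, count) ranges delegated to owner; line format is name:start:count."""
    rows = (line.strip().split(":") for line in text.splitlines())
    return [(int(r[1]), int(r[2])) for r in rows if len(r) == 3 and r[0] == owner]

def container_gaps(maps, upper=65536):
    """Inclusive container ID ranges in [0, upper) that no idmap line covers."""
    gaps, cursor = [], 0
    for start, _host, count in maps:
        if start < cursor:
            raise ValueError(f"overlapping container range at {start}")
        if start > cursor:
            gaps.append((cursor, start - 1))
        cursor = start + count
    if cursor < upper:
        gaps.append((cursor, upper - 1))
    return gaps

def undelegated(maps, subids):
    """Inclusive host ranges used by the idmap that no delegation fully covers."""
    return [(host, host + count - 1) for _c, host, count in maps
            if not any(s <= host and host + count <= s + n for s, n in subids)]

if __name__ == "__main__":
    for kind, sub in (("u", SUBUID), ("g", SUBGID)):
        maps = parse_idmap(IDMAP, kind)
        print(kind, "gaps:", container_gaps(maps), "undelegated:", undelegated(maps, parse_subid(sub)))
```

IDs reported as gaps have no mapping in the container's user namespace, and files owned by unmapped IDs are displayed as 65534 (nobody) inside the container.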