[SOLVED] Pass/Mount hard drives on Proxmox host to unprivileged LXC. [solved by bpak]

dankkster

Jan 24, 2023
I have read quite a few different posts and articles on the subject of adding/passing through hard drives to VMs and LXCs; however, I have not found any to get this working for me. Probably from user error tbh.

I have an Ubuntu 22.04 LXC in a Proxmox host. I am trying to add 6 hard drives to the LXC. The container is unprivileged and I only need read access to these drives. I am having difficulty trying to figure out how to actually add them. Most posts talk about binding the directories, but don't elaborate on what to do before that. This is where I am having an issue.

Basically I have a little chia container running machinaris in docker using a compose file and just need it to be able to read the data on the drives. That's it. I don't need to see it in any other container nor the host for that matter. How would I do that? I really feel like I am missing something terribly simple here.

Thanks for any help.
 
I may not understand your question properly, but I will try to help.

When stating "passing through hard drives", do you mean sharing the contents of your drives from your host to your LXC CT? Or do you mean sharing the hardware devices (called block devices) themselves? To make it simple: can you see the contents of your drives from your host?

Assuming you mean "sharing the contents", I would guess that your problem resides in simple access rights, as the standard way to share data between host and CT is bind mounts, basically folders (or datasets in ZFS) that are mounted and shared to the CT.
When running an unprivileged CT, the user and group IDs are "translated", so that the user root (UID 0) on your CT will in fact be seen as UID + offset on the host. These offsets for user and group IDs are defined on your host, in the files /etc/subuid and /etc/subgid.
You can find more info about it in the proxmox wiki page about unprivileged CTs.

So, to make it simple, and assuming you have configured the bind mounts between host and the CT, please tell us:
  • on your CT: what is the UID and GID of the user that needs to access your data? Just run id from shell
  • on your host:
    • what are the values of your uid/gid offsets: cat /etc/subuid and cat /etc/subgid (they are probably the same)?
    • who is the owner/group of the data you want to share, and the associated rights for owner/group/other? Just dump the result of ls -n (-n to display the IDs rather than names of owner/group)
We can suppose that <UID of owner> + <subuid> is different from <UID in CT> (and same for group). If confirmed, you will have to set the proper rights on your data, but it all depends on your case (whether you can change ownership or not).
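
The ID translation described in this post, worked through as an added example (not code from the thread). The function names are hypothetical and the modes and owners are constructed samples; only the `root:100000:65536` range is the one posted in the thread.

```shell
#!/bin/sh
# Added example, not from the thread. IDs and modes below are constructed samples.

# map_ct_id CT_ID SUBID_LINE
# SUBID_LINE is one /etc/subuid or /etc/subgid entry: name:first_host_id:count.
# Prints the host-side ID for CT_ID; fails if CT_ID is outside the mapped range.
map_ct_id() {
    _rest=${2#*:}            # strip "name:"
    _first=${_rest%%:*}      # first host ID of the range (the "offset")
    _count=${_rest#*:}       # number of IDs in the range
    [ "$1" -ge 0 ] && [ "$1" -lt "$_count" ] || return 1
    echo $((_first + $1))
}

# can_read HOST_UID HOST_GID MODE OWNER_UID OWNER_GID
# MODE is the 10-character permission string from `ls -n`. Picks the class
# (owner, group, other) that applies on the host and tests its read bit.
# Supplementary groups and ACL entries are not modelled.
can_read() {
    if   [ "$1" -eq "$4" ]; then _pos=2
    elif [ "$2" -eq "$5" ]; then _pos=5
    else                         _pos=8
    fi
    [ "$(printf '%s' "$3" | cut -c"$_pos")" = r ]
}

# ct_access CT_UID CT_GID SUBUID_LINE SUBGID_LINE MODE OWNER_UID OWNER_GID
# Reports how a container user fares against one host-side `ls -n` entry.
ct_access() {
    _hu=$(map_ct_id "$1" "$3") || { echo "uid $1 unmapped"; return 2; }
    _hg=$(map_ct_id "$2" "$4") || { echo "gid $2 unmapped"; return 2; }
    if can_read "$_hu" "$_hg" "$5" "$6" "$7"; then
        echo "host uid $_hu: read allowed"
    else
        echo "host uid $_hu: read denied"
    fi
}

SUB=root:100000:65536   # the range posted in the thread
ct_access 0 0 "$SUB" "$SUB" drwxr-x--- 0 0            # host-root-only directory
ct_access 0 0 "$SUB" "$SUB" drwxr-xr-x 0 0            # world-readable directory
ct_access 0 0 "$SUB" "$SUB" -rw------- 100000 100000  # owned by the mapped root
```

Root inside an unprivileged CT is an ordinary high-numbered user on the host, so for data owned by host root it only gets the "other" permission bits.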
 
You can use ACLs:

apt install acl

Host User 1000, LXC User 1001000

On Host:
as root
mkdir FOLDER

#Set ACL rwx for both Users:
setfacl -m u:1000:rwx FOLDER
setfacl -m u:1001000:rwx FOLDER

# Set default ACL (which will be inherited)
setfacl -m d:u:1000:rwx FOLDER
setfacl -m d:u:1001000:rwx FOLDER

This sets an ACL for the users 1000 and 1001000 and also a default ACL for both, which will be inherited by files and directories inside FOLDER.
You can view the ACL with getfacl.
 
To make it simple: can you see the contents of your drives from your host?
I cannot see the contents of the drives nor the drives at all.

assuming you have configured the bind mounts between host and the CT
I have not set up bind mounts yet, because I am not sure where or how to do that for my use case and I am using ZFS for the Proxmox OS drive and storage. However, the drives I need to be able to read are just regular NTFS drives and are in this Proxmox host only to be read by this one container running Ubuntu 22.04.

  • on your CT: what is the UID and GID of the user that needs to access your data?
The UID and GID are both 0.

  • on your host:
    • what are the values of your uid/gid offsets:
root:100000:65536

  • who is the owner/group of the data you want to share, and the associated rights for owner/group/other?
lrwxrwxrwx 1 0 0

I only need to be able to see and subsequently, as I mentioned earlier, read the data on the drives I am trying to get the LXC to "see." It does not need to write anything to the drives if this is of any help.

Let me know what you think I should do. Much appreciated!
 
I think I understand your issue better now: you have plugged your disks in your machine, and you would like to just read them from your Ubuntu, the same way as if your Ubuntu was running on the host, am I right?

Short answer: it is not possible with a CT, but it is possible with a VM.
The reason is that an LXC CT is lightweight and has no kernel of its own, so basically it is not designed to manage hardware. Like a Docker container, they are rather similar in this aspect.
Just take a look at the Proxmox web UI: in your CT > Resources, you will only be able to add mount points, not disks.
By contrast, with a VM, you can add hardware, and for example some disks.

So basically you have 2 options, depending on what is possible for you:
  1. you install Ubuntu in a VM, share the disks (hardware), and you should be good
  2. you keep Ubuntu in a CT, but then you will have to mount your disks on the host first (e.g. in /mnt/disk1, /mnt/disk2, ...), then share these mount points with the CT
 
If you choose solution #2, the good news is that you may not have any access right issues if the disks are formatted as NTFS, as NTFS does not handle POSIX access rights.
Unless you want to manage Windows-like rights in your Ubuntu (with Samba for example), because then you would have to play with ACLs as described by ubu above... but trust me if you can avoid it you should! :)
 
OK, so I will try the ACL method, but I still don't have enough information to do that, I don't think.

I don't know if I am to install ACL in the CT or on Proxmox. I went ahead and tried to install acl in the container and it went fine, but it doesn't work on the host.

E: Package 'acl' has no installation candidate
Then I am left with it not being able to do anything on the host as a result:
#: setfacl -m u:1000:rwx /mnt/share
-bash: setfacl: command not found
 
Why do that? As I said, you probably don't need that, especially if you just need read access to your drives.

DM me if you want, I'll try to guide you
 
OK, so I will try the ACL method, but I still don't have enough information to do that, I don't think.

I don't know if I am to install ACL in the CT or on Proxmox. I went ahead and tried to install acl in the container and it went fine, but it doesn't work on the host.


Then I am left with it not being able to do anything on the host as a result:
1. If you cannot install acl, something is wrong with your sources.list
2. The Link is NOT only for privileged containers
2.1 You mount the Drive on the Host
mkdir /externaldata
mount /dev/sdc3 /externaldata
2.2 You bindmount it into your container
in /etc/pve/CTID.conf add
mp0: /externaldata,mp=/externaldata
3. Now you can chmod / chown your data so you can access it from the UID inside the guest OR use the ACLs
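
Since the original poster only needs read access, the mount point from step 2.2 can carry `ro=1`. The following is an added example, not code from the thread: a check that lists host-path mount points in a CT config that are still writable. The function names and the sample config are constructed for illustration; `<CTID>` is a placeholder.

```shell
#!/bin/sh
# Added example, not from the thread. The config text below is a constructed sample.

# mp_entry HOST_PATH CT_PATH
# Builds a mount point value with ro=1, so the container cannot write to the
# host path even if ownership or ACLs on the host would allow it.
mp_entry() {
    echo "$1,mp=$2,ro=1"
}

# writable_bind_mounts < CT_CONFIG
# Prints the key (mp0, mp1, ...) of every mount point whose source is a host
# path and that is not marked ro=1. Storage-backed volumes are skipped.
writable_bind_mounts() {
    awk '
        /^\[/ { exit }                          # snapshot sections follow; stop
        /^mp[0-9]+:/ {
            key = $1; sub(/:$/, "", key)
            spec = $0
            sub(/^mp[0-9]+:[ \t]*/, "", spec)
            sub(/^volume=/, "", spec)
            if (spec !~ /^\//) next             # e.g. local-zfs:subvol-..., not a host path
            if (("," spec ",") ~ /,ro=1,/) next # already read-only
            print key
        }'
}

# Constructed sample: mp0 is the line from the thread, mp1 is a read-only form.
SAMPLE_CONF=$(cat <<'EOF'
arch: amd64
hostname: chia
rootfs: local-zfs:subvol-101-disk-0,size=32G
mp0: /externaldata,mp=/externaldata
mp1: /mnt/disk2,mp=/plots/disk2,ro=1
mp2: local-zfs:subvol-101-disk-1,mp=/data,size=8G
unprivileged: 1
EOF
)

printf '%s\n' "$SAMPLE_CONF" | writable_bind_mounts   # lists mp0 only

# On a real host the read-only setup would be applied with, for example:
#   mount -o ro /dev/sdc3 /externaldata
#   pct set <CTID> -mp0 "$(mp_entry /externaldata /externaldata)"
```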
 
