PBS in unprivileged Container: UID mapping problem


New Member
Sep 4, 2023
I installed PBS in an unprivileged Container.

The HDD I want to use for the backup is mounted on the host

cat /etc/fstab
LABEL="Backup_Proxmox" /mnt/backup/    ext4    defaults        0 2

I created a directory /mnt/backup/pbs/store1 on the HDD, changed the permission to backup:backup and mounted it in the container
ls -la /mnt/backup/pbs/
total 12
drwxr-xr-x 3 root   root   4096 Oct 16 08:19 .
drwxr-xr-x 7 guido  root   4096 Oct 16 08:12 ..
drwxr-xr-x 2 backup backup 4096 Oct 16 14:11 store1
pct set 102 -mp0 /mnt/backup/pbs/store1,mp=/backup/store1

Then I added the UID/GID mapping for the "backup" user in /etc/pve/lxc/102.conf
lxc.idmap: u 0 100000 34
lxc.idmap: u 34 34 1
lxc.idmap: u 35 100035 65501
lxc.idmap: g 0 100000 34
lxc.idmap: g 34 34 1
lxc.idmap: g 35 100035 65501

And added root:34:1 to /etc/subuid and /etc/subgid

Now my mountpoint in PBS looks like this:
ls -la /backup
total 13
drwxr-xr-x  3 root   root      3 Oct 16 06:30 .
drwxr-xr-x 18 root   root     24 Oct 16 13:26 ..
drwxr-xr-x  2 backup backup 4096 Oct 16 12:11 store1

When I try to create the datastore as root I get an error:
proxmox-backup-manager datastore create store1 /backup/store1

thread 'main' panicked at 'called `Result::unwrap()` on an `Err` value: unable to read "/etc/proxmox-backup/authkey.key" - Permission denied (os error 13)', src/auth_helpers.rs:182:65
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace

Also as root it is not possible to ls
root@pbs:/backup# ls -la /etc/proxmox-backup/authkey.key
ls: cannot access '/etc/proxmox-backup/authkey.key': Permission denied

When I remove the UID/GID mappings the ls command works, but then I can not access the mounted directory.
Changing the user/group remapping won't touch already exising files. You changed the UID of the LXCs backup user from 100034 to 34. So now that user got a UID of 34 but all files previously owned by that user are still owned by UID 100034 so the user can't access them anymore.

So you need either to:
a) start from scratch and do your remapping before starting the LXC for the first time so all stuff gets created using UID 34 and not 100034.
b) use "pct mount" to mount the LXCs filesystem on the PVE host, then "chown" every file and folder from UID/GID 1000034 to 34 and unmount it.
c) restore a backup from before doing the UID/GID remapping and then simply chown your /mnt/backup to UID:GID 100034:100034 instead of 34:34 and completely ignore the remapping
Last edited:
Thank you very much @Dunuin

I tried taking the hard way using b)

pct stop 102
pct mount 102

cd /var/lib/lxc/102/rootfs

chown 34:34 etc/proxmox-backup/
chown -R :34 etc/proxmox-backup/
chown 34:34 etc/proxmox-backup/.acl.lck
chown 34:34 etc/proxmox-backup/.datastore.lck
chown 34:34 etc/proxmox-backup/tfa.json.lock
chown 34:34 etc/proxmox-backup/.user.lck

chown 34:34 var/lib/proxmox-backup/
chown -R 34:34 var/lib/proxmox-backup/jobstates/
chown -R 34:34 var/lib/proxmox-backup/rrdb
chown -R 34:34 var/lib/proxmox-backup/tape

chown -R 34:34 var/log/proxmox-backup/

cd /
pct unmount 102
pct start 102

PBS could be started again :D

and tadaahhh
proxmox-backup-manager datastore create store1 /backup/store1
Chunkstore create: 1%
Chunkstore create: 2%
Chunkstore create: 98%
Chunkstore create: 99%


The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!