Permission denied for a user writing to a mounted share in a CT, but not root.

Psilospiral

Member
Jun 25, 2019
38
11
13
52
I am running PVE 5.4-11 on a r720xd configured with two containers. One is TKL File Server (100) which is configured with several cifs shares. Those shares are accessible and writable on numerous PCs on the LAN.

I have TKL Syncthing (101) installed as the second container. I am attempting to utilize the /syncthing share hosted from the TKL File Server as the default storage for the Syncthing container.

I have first added the /syncthing storage share in PVE webUI by: Datacenter>Storage>Add>CIFS, entering the TKL File Server IP, credentials, selecting '/syncthing' from the share list that PVE provides, and type: Disk image. This creates /mnt/pve/syncthing on the host.

I then nano /etc/pve/lxc/101.conf (the Syncthing CT) and add to the last line: mp0: /mnt/pve/syncthing,mp=/mnt/syncthing

When I launch CT 101 console and 'ls /mnt/syncthing' I can see test files I 'touch'ed from the host as well as on CLI in the syncthing container. So all seems good.

However, when attempting to add a new sync folder from within Syncthing webUI, it complains: Failed to create folder root directory mkdir /mnt/syncthing/[new_shared_folder]: permission denied. Syncthing's default local directory is /home/syncthing/Sync , so I:

Code:
ls -Al /home/syncthing/Sync
syncthing syncthing
ls -Al /mnt/syncthing
root root

and therefore tried to:

Code:
chown syncthing:syncthing /mnt/syncthing

but received the same permission denied error from syncthing UI. And sure enough:

Code:
ls -Al /mnt/syncthing
root root

So it looks like I cannot change ownership of the mounted share to allow user 'syncthing' write permission. However, I can 'touch /mnt/pve/synthing/testfrompveroot' as root from PVE ssh and 'touch /mnt/syncthing/testfromsyncthingroot' as root from the container console without any problem. I have tried adding write permission to the group with no luck as well:

Code:
root@syncthing /mnt/syncthing# ls -Al
total 2048
drwxr-xr-x 2 root root 0 Aug 25 18:50 images
-rwxr-xr-x 1 root root 0 Aug 25 18:35 testfrompveroot.txt
-rwxr-xr-x 1 root root 0 Aug 25 19:10 testfromsyncthingroot.txt
root@syncthing /mnt/syncthing# chown -R syncthing:syncthing /mnt/syncthing
root@syncthing /mnt/syncthing# ls -Al
total 2048
drwxr-xr-x 2 root root 0 Aug 25 18:50 images
-rwxr-xr-x 1 root root 0 Aug 25 18:35 testfrompveroot.txt
-rwxr-xr-x 1 root root 0 Aug 25 19:10 testfromsyncthingroot.txt
root@syncthing /mnt/syncthing# chmod -R g+w /mnt/syncthing
root@syncthing /mnt/syncthing# ls -Al
total 2048
drwxr-xr-x 2 root root 0 Aug 25 18:50 images
-rwxr-xr-x 1 root root 0 Aug 25 18:35 testfrompveroot.txt
-rwxr-xr-x 1 root root 0 Aug 25 19:10 testfromsyncthingroot.txt

I also tried adding write permission to /mnt/pve/syncthing from the PVE side with no luck.

I have tried adding 'allow mount fstype=cifs,' to the last line in /etc/apparmor.d/lxc/lxc-default prior to the closing '}' with no luck as
well. How do I grant write permission to a container user to write to a mounted share that is mount in PVE - or - what am I doing wrong here?
 
I have first added the /syncthing storage share in PVE webUI by: Datacenter>Storage>Add>CIFS, entering the TKL File Server IP, credentials, selecting '/syncthing' from the share list that PVE provides, and type: Disk image. This creates /mnt/pve/syncthing on the host.

I then nano /etc/pve/lxc/101.conf (the Syncthing CT) and add to the last line: mp0: /mnt/pve/syncthing,mp=/mnt/syncthing

I mean, you just mount a CIFS share as root at the PVE host and then bindmount it to the CT, which keeps the permissions, thus still root.

You could allow CIFS for the CT, besides the way you proposed this can also be done over the Webinterface at CT -> Options -> Features and then mount it inside the CT (add a CIFS line to fstab, you could copy and edit the one from the PVE host grep cifs /etc/mtab) and set the uid and gid to the syncthing ones, you an get them by executing id syncthing from inside the CT.
 
t.lamprecht:

Thank you for the suggestion. FYI: In PVE webUI: Datacenter>101 (syncthing)>Options>Features, I have nesting=1, mount=nfs,cifs. Aso, Unprivileged container= No.

From within TKL Syncthing CT (101) console:
Code:
root@syncthing ~# id syncthing
uid=999(syncthing) gid=999(syncthing) groups=999(syncthing)
When I tried to nano /etc/mtab in the PVE host as root and alter uid=999 and gid=999, I received '[ Error writing /etc/mtab: Invalid argument ]' on saving. So I had to:
Code:
root@pve-r720xd1:~# cp /etc/mtab /etc/mtab.bak
root@pve-r720xd1:~# cp /etc/mtab /etc/mtab.new
root@pve-r720xd1:~# nano /etc/mtab.new
Alter the uid=0 to uid=999 and gid=0 to gid=999, save, then:
Code:
root@pve-r720xd1:~# rm /etc/mtab
root@pve-r720xd1:~# cp /etc/mtab.new /etc/mtab
then reboot to be safe. Upon reboot, the uid and gid both revert to 0.

I decided to try the same thing on /etc/mtab from within the syncthing CT, but upon reboot the uid and gid also revert to 0.
 
t.lamprecht:

So after realizing I could not alter the ownership of the mounted directory from within the CT, I decided to try to mount a directory under the syncthing user home directory:

Code:
root@syncthing ~# su - syncthing
$ pwd
/home/syncthing
$ mkdir share
$ ls -hAl
total 36K
-rw-r--r-- 1 syncthing syncthing  220 May 15  2017 .bash_logout
-rw-r--r-- 1 syncthing syncthing 2.1K Oct 17  2018 .bashrc
drwxr-xr-x 2 syncthing syncthing 4.0K Oct 17  2018 .bashrc.d
drwx------ 3 syncthing syncthing 4.0K Aug 27 19:11 .config
-rw-r--r-- 1 syncthing syncthing  746 Oct 17  2018 .profile
drwxr-xr-x 2 syncthing syncthing 4.0K Oct 17  2018 .profile.d
drwx------ 2 syncthing syncthing 4.0K Oct 17  2018 .ssh
drwxr-xr-x 3 syncthing syncthing 4.0K Aug 27 19:11 Sync
drwxr-xr-x 2 syncthing syncthing 4.0K Aug 27 19:20 share

After this, I changed my mountpoint in the PVE host /etc/fstab from 'mp0: /mnt/pve/syncthing,mp=/mnt/syncthing' to 'mp0: /mnt/pve/syncthing,mp=/home/syncthing/share and restarted the container. Then in syncthing CLI:

Code:
root@syncthing ~# su - syncthing
$ ls -hAl
total 36K
-rw-r--r-- 1 syncthing syncthing  220 May 15  2017 .bash_logout
-rw-r--r-- 1 syncthing syncthing 2.1K Oct 17  2018 .bashrc
drwxr-xr-x 2 syncthing syncthing 4.0K Oct 17  2018 .bashrc.d
drwx------ 3 syncthing syncthing 4.0K Aug 27 19:11 .config
-rw-r--r-- 1 syncthing syncthing  746 Oct 17  2018 .profile
drwxr-xr-x 2 syncthing syncthing 4.0K Oct 17  2018 .profile.d
drwx------ 2 syncthing syncthing 4.0K Oct 17  2018 .ssh
drwxr-xr-x 3 syncthing syncthing 4.0K Aug 27 19:11 Sync
drwxr-xr-x 2 root      root      4.0K Aug 27 19:20 share

Ownership of the /home/syncthing/share directory changes to root on reboot, which I believe is what is preventing the user syncthing permission to write to the mountpoint/share.
 

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!