Permissions for Docker on mounted smb share in LXC

dialbat

New Member
Feb 24, 2024
Hello folks,
My dockers do not have permissions for config volume, added through mount point.
TrueNAS smb share
10.0.0.5/docker username and password

/etc/fstab
//10.0.10.6/docker /mnt/docker cifs credentials=/etc/samba/docker-credentials,uid=100000,gid=100000,iocharset=utf8,_netdev 0 0

Share bind to mount point just fine, and can be written to from LXC container.
mp0: /mnt/docker,mp=/docker

I'm running Docker and when I point config volume to /docker, container runs, but cannot write to folder /docker - permission denied.

I'm running everything as root. What am I missing?
 
I'm running everything as root.
very bad idea

I'm running Docker and when I point config volume to /docker, container runs, but cannot write to folder /docker - permission denied.
What about without a container. Can you write from the guest OS root user?

Have you considered mounting the CIFS from the inside of the LX(C) container, maybe directly from docker-compose.yml?
 
very bad idea


What about without a container. Can you write from the guest OS root user?

Have you considered mounting the CIFS from the inside of the LX(C) container, maybe directly from docker-compose.yml?
I'm aware that it's bad, but I'm testing and needed less headache with permissions :)

From within LXC it writes to that folder without problems.

I wasn't aware I could mount from container directly. My idea was to set up mount bind on PVE, so it can be shared between other LXCs and VMs.
 
To bind smb as mount point to LXC, I had to set uid=100000,gid=100000 in /etc/fstab. That allows me to write within LXC.
Containers are running with uid=1000,gid=1000. Could that be the issue?
 
To bind smb as mount point to LXC, I had to set uid=100000,gid=100000 in /etc/fstab
Yes, this is for mapping to unprivileged LX(C) container, so that root matches.

Containers are running with uid=1000,gid=1000. Could that be the issue
Yes, that is the problem. So the containers are not running as root. If all containers would run as 1000:1000, you can bind mount as uid=101000,gid=101000.
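
The UID arithmetic discussed above, as an added example that is not part of any post in this thread: it translates an ID seen inside the unprivileged LXC guest into the host ID that belongs in the `uid=`/`gid=` options of the CIFS mount on the PVE host. The `lxc.idmap`-style sample mapping (guest 0 maps to host 100000, 65536 IDs) and the function names `map_id` and `cifs_opts` are assumptions; it also assumes Docker inside the guest does no further user-namespace remapping.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): guest-to-host ID translation for an
# unprivileged LXC guest, used to pick uid=/gid= for a CIFS mount on the host.

# Constructed sample mapping, one entry per line: <type> <guest_start> <host_start> <count>
# Assumption: guest 0 -> host 100000 (the offset used in the thread), 65536 ids.
SAMPLE_IDMAP='u 0 100000 65536
g 0 100000 65536'

# map_id KIND GUEST_ID [IDMAP]
# KIND is "u" or "g". Prints the host id; returns 1 if GUEST_ID is unmapped,
# 2 if GUEST_ID is not a non-negative integer.
map_id() {
    local kind="$1" guest_id="$2" idmap="${3:-$SAMPLE_IDMAP}"
    local type guest_start host_start count
    case "$guest_id" in ''|*[!0-9]*) return 2 ;; esac
    while read -r type guest_start host_start count; do
        [ "$type" = "$kind" ] || continue
        if [ "$guest_id" -ge "$guest_start" ] &&
           [ "$guest_id" -lt $((guest_start + count)) ]; then
            echo $((host_start + guest_id - guest_start))
            return 0
        fi
    done <<EOF
$idmap
EOF
    return 1   # an unmapped id has no identity on the host
}

# cifs_opts GUEST_UID GUEST_GID [IDMAP]
# Prints the uid=/gid= fragment for the host-side fstab entry.
cifs_opts() {
    local u g
    u=$(map_id u "$1" "${3:-$SAMPLE_IDMAP}") || return 1
    g=$(map_id g "$2" "${3:-$SAMPLE_IDMAP}") || return 1
    echo "uid=$u,gid=$g"
}

cifs_opts 0 0        # guest root, as in the original fstab line
cifs_opts 1000 1000  # the 1000:1000 Docker user: prints uid=101000,gid=101000
```

Because the CIFS `uid=`/`gid=` options present every file on the mount as owned by that single ID, only one guest identity owns the share at a time, which is why the answer depends on every container running as the same user.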
 
So, I should change /etc/fstab on PVE from
//10.0.10.6/docker /mnt/docker cifs credentials=/etc/samba/docker-credentials,uid=100000,gid=100000,iocharset=utf8,_netdev 0 0
to
//10.0.10.6/docker /mnt/docker cifs credentials=/etc/samba/docker-credentials,uid=101000,gid=101000,iocharset=utf8,_netdev 0 0
That's all?
 
So, I should change /etc/fstab on PVE from
//10.0.10.6/docker /mnt/docker cifs credentials=/etc/samba/docker-credentials,uid=100000,gid=100000,iocharset=utf8,_netdev 0 0
to
//10.0.10.6/docker /mnt/docker cifs credentials=/etc/samba/docker-credentials,uid=101000,gid=101000,iocharset=utf8,_netdev 0 0
That's all?
That depends on all other containers that will access the files if they run with 1000:1000 or can be changed to run with those numbers.
 
A day of pain dealing with unprivileged permissions. Switched to privileged, it got a little bit better, but not completely :))
 
