[SOLVED] Presenting a CIFS share to a Container

[sshaikh]

I have mounted a CIFs share in my proxmox host that presents files as owned by foo:users. Foo's id is 1002.

I want to present this share to a unprivileged container, I'm assuming using a bind mount.

The user in the container has id 1000:1000, and creates files like so.

I have added the following to my config:

=====
unprivileged: 1
mp0: /mnt/container-data/test-ct,mp=/appdata
#map ids to NAS proxmox sid/gid
lxc.id_map = u 0 100000 1000
lxc.id_map = g 0 100000 1000
lxc.id_map = u 1000 1002 1
lxc.id_map = g 1000 100 1
lxc.id_map = u 1001 101001 64530
lxc.id_map = g 1001 101001 64530
=====

and the following to subuid and subgid resp:

subuid: root:1002:1
subgid: root:100:1

This appears to do the job, and when entering the container using pct I can read and write to the mounted directory perfectly.

However I can no longer SSH, and can only enter via the host. Something has broken. Removing the 6 mappings brings it back again.

Is there something obvious I'm missing? Is the above approach the correct one?

 

[Alwin]

Why not mount the share inside the container directly?

 

[sshaikh]

Well the idea was to abstract storage away from the containers, so they dont even know they're on a CIFs mount. That way the host would log in once, but configure access via bindmounts.

Seems a little more trouble than its worth though so might go with the container mounts, or maybe NFS via the host.

 

[fabian]

did you add the unprivileged manually to the config? it needs to be set at create/restore time, otherwise all the existing owners are wrong

 

[sshaikh]

It was at creation yes - I included it above for context.

I also heeded the advice here, to set up the mappings before user creation:

https://forum.proxmox.com/threads/unprivileged-lxc-and-bind-mount-woes.32545/

 

[sshaikh]

Why not mount the share inside the container directly?

It appears that one cannot mount CIFS shares from within a mount anyway... so we're back to square one.

What's the SOP for a situation like this?

 

[fabian]

mounting on the host and bind-mounting in the container is correct. but your maps are wrong/too small. on many distros, the user "nobody" and the group "nogroup" have the uid/gid 65534, but your map only goes to 65531. sshd will attempt to drop privileges, and fail (you can see this in the container logs ). changing the 64530 to 64535 should fix your issue.

 

[sshaikh]

Thank you all for the insight.

I've actually stumbled across a solution here:

https://bayton.org/docs/linux/lxd/mount-cifssmb-shares-rw-in-lxd-containers/

Namely passing

uid=101001,gid=101001

when mounting the share (in the host) will present files there with the above uid and gid. These can then be read and written to via a simple bindmount - no mapping necessary.