[SOLVED] Presenting a CIFS share to a Container

sshaikh

Well-Known Member
Apr 23, 2017
I have mounted a CIFS share on my Proxmox host that presents files as owned by foo:users. Foo's id is 1002.

I want to present this share to an unprivileged container, I'm assuming using a bind mount.

The user in the container has id 1000:1000, and creates files like so.

I have added the following to my config:

=====
unprivileged: 1
mp0: /mnt/container-data/test-ct,mp=/appdata
#map ids to NAS proxmox sid/gid
lxc.id_map = u 0 100000 1000
lxc.id_map = g 0 100000 1000
lxc.id_map = u 1000 1002 1
lxc.id_map = g 1000 100 1
lxc.id_map = u 1001 101001 64530
lxc.id_map = g 1001 101001 64530
=====

and the following to subuid and subgid resp:

subuid: root:1002:1
subgid: root:100:1

This appears to do the job, and when entering the container using pct I can read and write to the mounted directory perfectly.

However, I can no longer SSH, and can only enter via the host. Something has broken. Removing the 6 mappings brings it back again.

Is there something obvious I'm missing? Is the above approach the correct one?
 
Why not mount the share inside the container directly?
 
Well, the idea was to abstract storage away from the containers, so they don't even know they're on a CIFS mount. That way the host would log in once, but configure access via bind mounts.

Seems a little more trouble than it's worth though, so I might go with the container mounts, or maybe NFS via the host.
 
Did you add the unprivileged manually to the config? It needs to be set at create/restore time, otherwise all the existing owners are wrong ;)
 
Mounting on the host and bind-mounting in the container is correct. But your maps are wrong/too small. On many distros, the user "nobody" and the group "nogroup" have the uid/gid 65534, but your map only goes to 65531. sshd will attempt to drop privileges, and fail (you can see this in the container logs ;)). Changing the 64530 to 64535 should fix your issue.
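The following POSIX shell script is an added example, not code from the thread or from Proxmox. It generates the six-line id map for punching one host uid/gid through to one container uid/gid (the thread's host 1002:100 to container 1000:1000 are used as sample values), and then checks the map for gaps in the 0..65535 container id range, so that a short third range like the original 64530 shows up as an unmapped block that includes nobody/nogroup (65534). The function names and the 100000 subordinate base are assumptions; the base matches the ranges shown in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): build and sanity-check an unprivileged
# container id map. Sample ids (host 1002:100 -> container 1000:1000) are
# taken from the thread; the function names are this example's own.

# Print the six lxc.id_map lines (LXC 2.x syntax, as used in the thread).
# Usage: gen_idmap HOST_UID HOST_GID CT_UID CT_GID
gen_idmap() {
    host_uid=$1; host_gid=$2; ct_uid=$3; ct_gid=$4
    base=100000   # assumed start of root's subordinate id range on the host
    # ids below the punched-through one map into the subordinate range
    printf 'lxc.id_map = u 0 %d %d\n' "$base" "$ct_uid"
    printf 'lxc.id_map = g 0 %d %d\n' "$base" "$ct_gid"
    # the single container id that must become the real host owner
    printf 'lxc.id_map = u %d %d 1\n' "$ct_uid" "$host_uid"
    printf 'lxc.id_map = g %d %d 1\n' "$ct_gid" "$host_gid"
    # the rest: length is chosen so the last mapped container id is 65535,
    # which keeps nobody/nogroup (65534) inside the map
    printf 'lxc.id_map = u %d %d %d\n' "$((ct_uid + 1))" "$((base + ct_uid + 1))" "$((65535 - ct_uid))"
    printf 'lxc.id_map = g %d %d %d\n' "$((ct_gid + 1))" "$((base + ct_gid + 1))" "$((65535 - ct_gid))"
}

# Print the /etc/subuid and /etc/subgid entries root needs for such a map:
# the default subordinate range plus the single punched-through id.
# Usage: gen_subid HOST_UID HOST_GID
gen_subid() {
    printf 'subuid: root:100000:65536\nsubuid: root:%d:1\n' "$1"
    printf 'subgid: root:100000:65536\nsubgid: root:%d:1\n' "$2"
}

# Highest container id covered by the map for KIND (u or g).
# Usage: idmap_last_id "$MAP" u
idmap_last_id() {
    printf '%s\n' "$1" | awk -v kind="$2" '
        BEGIN { max = 0 }
        $3 == kind { end = $4 + $6 - 1; if (end > max) max = end }
        END { print max }'
}

# Print every unmapped container id range within 0..65535 for KIND, one
# "start-end" per line; prints nothing when the map is gapless.
# Usage: idmap_gaps "$MAP" u
idmap_gaps() {
    printf '%s\n' "$1" | awk -v kind="$2" '$3 == kind { print $4, $6 }' | sort -n |
    awk 'BEGIN { next_id = 0 }
         { if ($1 > next_id) printf "%d-%d\n", next_id, $1 - 1
           if ($1 + $2 > next_id) next_id = $1 + $2 }
         END { if (next_id <= 65535) printf "%d-%d\n", next_id, 65535 }'
}

# Exit 0 if container id ID is covered by the map for KIND, 1 otherwise.
# Usage: idmap_maps_id "$MAP" u 65534
idmap_maps_id() {
    printf '%s\n' "$1" | awk -v kind="$2" -v id="$3" '
        $3 == kind && id >= $4 && id < $4 + $6 { found = 1 }
        END { exit !found }'
}

# The map from the thread, reconstructed here as a constructed sample.
ORIGINAL_MAP=$(printf '%s\n' \
    'lxc.id_map = u 0 100000 1000' \
    'lxc.id_map = g 0 100000 1000' \
    'lxc.id_map = u 1000 1002 1' \
    'lxc.id_map = g 1000 100 1' \
    'lxc.id_map = u 1001 101001 64530' \
    'lxc.id_map = g 1001 101001 64530')

FIXED_MAP=$(gen_idmap 1002 100 1000 1000)

echo "Original map, unmapped uids: $(idmap_gaps "$ORIGINAL_MAP" u)"
echo "Fixed map, unmapped uids:    $(idmap_gaps "$FIXED_MAP" u)"
echo "Fixed map:"
echo "$FIXED_MAP"
gen_subid 1002 100
```

Run it on the host before applying a map: a non-empty line from idmap_gaps means some container ids have no host id behind them, and any daemon that switches to such an id (sshd dropping to nobody, for instance) will fail inside the container.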