[SOLVED] Presenting a CIFS share to a Container

sshaikh

Member
Apr 23, 2017
I have mounted a CIFS share in my Proxmox host that presents files as owned by foo:users. Foo's id is 1002.

I want to present this share to an unprivileged container, I'm assuming using a bind mount.

The user in the container has id 1000:1000, and creates files like so.

I have added the following to my config:

=====
unprivileged: 1
mp0: /mnt/container-data/test-ct,mp=/appdata
#map ids to NAS proxmox uid/gid
lxc.id_map = u 0 100000 1000
lxc.id_map = g 0 100000 1000
lxc.id_map = u 1000 1002 1
lxc.id_map = g 1000 100 1
lxc.id_map = u 1001 101001 64530
lxc.id_map = g 1001 101001 64530
=====

and the following to subuid and subgid resp:

subuid: root:1002:1
subgid: root:100:1

This appears to do the job, and when entering the container using pct I can read and write to the mounted directory perfectly.

However I can no longer SSH, and can only enter via the host. Something has broken. Removing the 6 mappings brings it back again.

Is there something obvious I'm missing? Is the above approach the correct one?
 

Alwin

Proxmox Staff Member
Aug 1, 2017
Why not mount the share inside the container directly?
 

sshaikh

Member
Apr 23, 2017
Well the idea was to abstract storage away from the containers, so they don't even know they're on a CIFS mount. That way the host would log in once, but configure access via bind mounts.

Seems a little more trouble than it's worth though so might go with the container mounts, or maybe NFS via the host.
 

fabian

Proxmox Staff Member
Staff member
Jan 7, 2016
Did you add the unprivileged manually to the config? It needs to be set at create/restore time, otherwise all the existing owners are wrong ;)
 

fabian

Proxmox Staff Member
Staff member
Jan 7, 2016
Mounting on the host and bind-mounting in the container is correct, but your maps are wrong/too small. On many distros, the user "nobody" and the group "nogroup" have the uid/gid 65534, but your map only goes to 65531. sshd will attempt to drop privileges, and fail (you can see this in the container logs ;)). Changing the 64530 to 64535 should fix your issue.
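A way to check a set of id maps for this kind of gap before starting the container, as an added example that is not part of any post in this thread and is not Proxmox code. The function names, the 0..65535 range to cover and the `NAMED_IDS` table (common distro defaults) are assumptions; the sample input is the six map lines from the first post.

```python
# Added example: find container uids/gids that no lxc.id_map line covers.
# NAMED_IDS holds common distro defaults (an assumption, not from the thread).
NAMED_IDS = {0: "root", 65534: "nobody/nogroup"}

# Constructed sample: the six map lines as posted in the first message.
POSTED = """\
lxc.id_map = u 0 100000 1000
lxc.id_map = g 0 100000 1000
lxc.id_map = u 1000 1002 1
lxc.id_map = g 1000 100 1
lxc.id_map = u 1001 101001 64530
lxc.id_map = g 1001 101001 64530
"""

def parse_id_maps(text):
    """Return {'u': [(ct_start, host_start, count), ...], 'g': [...]}."""
    maps = {"u": [], "g": []}
    for line in text.splitlines():
        key, _, value = line.partition("=")
        # Older configs use lxc.id_map; newer LXC releases call it lxc.idmap.
        if key.strip() not in ("lxc.id_map", "lxc.idmap"):
            continue
        kind, ct, host, count = value.split()
        for k in ("ug" if kind == "b" else kind):  # 'b' maps uid and gid
            maps[k].append((int(ct), int(host), int(count)))
    return maps

def unmapped_ranges(entries, limit=65536):
    """Return inclusive (first, last) container id ranges with no mapping."""
    gaps, nxt = [], 0
    for ct, _host, count in sorted(entries):
        if ct > nxt:
            gaps.append((nxt, ct - 1))
        nxt = max(nxt, ct + count)
    if nxt < limit:
        gaps.append((nxt, limit - 1))
    return gaps

def missing_named_ids(text):
    """Return sorted (kind, id, name) for well-known ids that sit in a gap."""
    found = []
    for kind, entries in parse_id_maps(text).items():
        for first, last in unmapped_ranges(entries):
            found += [(kind, i, n) for i, n in NAMED_IDS.items() if first <= i <= last]
    return sorted(found)

if __name__ == "__main__":
    print("unmapped uids:", unmapped_ranges(parse_id_maps(POSTED)["u"]))
    print("well-known ids without a mapping:", missing_named_ids(POSTED))
```

Run against the posted lines it reports 65534 as unmapped for both uid and gid; with the count changed to 64535 it reports nothing.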
 
