problems with uid/gid mapping on unprivileged lxc

produn23

Apr 6, 2022
I have now been struggling with this topic for a couple of days and nothing I tried has worked so far.

Use case (for info)
I have a docker container, set up with docker-compose in an unprivileged LXC. The container itself runs without problems and works as expected.
It is about paperless-ngx, which is a system for paperless document management.
paperless-ngx consumes files like PDFs out of a "consume" folder and works on them.
The idea is to use an SMB share as that "consume" folder, because scanners are able to scan directly into an SMB share.

Preparation
I added an SMB share (which is located on a physically different NAS with OpenMediaVault) to the PVE host and then bind-mounted this share into the LXC with
Code:
pct set 105 -mp0 /mnt/pve/smb-share,mp=/mnt/smb-share-lxc

Now this is the point where the problems start. I understand that UIDs and GIDs are mapped between the PVE host and LXC containers for security reasons, and that therefore there will be permission issues in the default config.
Being root in the LXC (which is unprivileged user 100000 on PVE) I am not able to write into that bind-mount.

I went through this article https://pve.proxmox.com/wiki/Unprivileged_LXC_containers but didn't get it to work.

What I did:
I put this into /etc/pve/lxc/<lxc-id>.conf:
Code:
lxc.idmap = u 0 100000 1005
lxc.idmap = g 0 100000 1005
lxc.idmap = u 1005 1005 1
lxc.idmap = g 1005 1005 1
lxc.idmap = u 1006 101006 64530
lxc.idmap = g 1006 101006 64530

In /etc/subuid and /etc/subgid of the lxc I set
Code:
root:1005:1
respectively.

Then in the pve host I did
Code:
chown -R 1005:1005 /mnt/pve/<smb-share>
but ls -la still shows root:root with 0:0

I then started the LXC, but this fails. I tried it from the CLI as recommended; the output is:
Code:
root@pve:~# lxc-start -F -n 105
lxc-start: 105: conf.c: lxc_map_ids: 3663 newuidmap failed to write mapping "newuidmap: uid range [1005-1006) -> [1005-1006) not allowed": newuidmap 166147 0 100000 1005 1005 1005 1 1006 101006 64530
lxc-start: 105: start.c: lxc_spawn: 1785 Failed to set up id mapping.
lxc-start: 105: start.c: __lxc_start: 2068 Failed to spawn container "105"
lxc-start: 105: tools/lxc_start.c: main: 306 The container failed to start

I am not sure, maybe I still didn't get one important point on this, or something else is wrong. I do not really understand this problem or the reason why this fails.
Maybe someone could give a hint into a direction.
 
SMB is Microsoft proprietary stuff and was designed with proprietary filesystems like NTFS in mind that don't allow the full Linux feature set. An SMB share, for example, needs to be mapped to a single UID/GID, and all files written to the share will then be owned by that UID/GID. I guess you are using UID 0 when mounting the SMB share, so all contents written will be owned by UID 0. If you want the contents to be owned by UID 1005 you should mount that SMB share accordingly with options like "uid=1005,gid=1005", for example by creating an fstab entry like this:
Code:
//ip.of.your.nas/YourShare                        /mnt/pve/smb-share                cifs    auto,rw,credentials=/root/.yourCredentialsFileWithAccAndPasswd,uid=1005,gid=1005,file_mode=0660,dir_mode=0770       0       0

And don't forget to reboot the server.
 
@Dunuin yes, you are right, I did the mount of the smb-share as pve-root. I used the GUI and I didn't see a way to add parameters. But this might explain why chown on this share didn't do anything. I'll give it a try with fstab.
> And don't forget to reboot the server.
You mean the PVE node?

Regarding the uid/gid mappings, would you say this is correct? Because I wonder why the LXC didn't start with my settings and gives the mentioned errors.
In my testing case I did copy&paste from the wiki to reduce the error potential as much as possible. That's why I mapped the uid/gid of the docker container to 1005, just for the example there.

And root:1005:1 comes into subuid/subgid file of the respective lxc and not the pve host, right?

Last but not least, it's not about changing to a privileged container. I am explicitly looking for a way to do it in an unprivileged LXC.
 
> @Dunuin yes, you are right, I did the mount of the smb-share as pve-root. I used the GUI and I didn't see a way to add parameters. But this might explain why chown on this share didn't do anything. I'll give it a try with fstab.

> You mean the PVE node?
Jup.
> And root:1005:1 comes into the subuid/subgid file of the respective LXC and not the PVE host, right?
No, all that is done on the PVE host: mounting SMB, editing "/etc/pve/lxc/<lxc-id>.conf", "/etc/subuid" and "/etc/subgid".

Also make sure to write down everything you are doing. Because in case you lose your system disk and need to install PVE again, those LXCs won't work when restoring them from a backup without editing your new PVE again with the same stuff as before.
 
First I mounted the share temporarily with mount -t cifs ...etc... to see if that works. -> works! Owner and group of the mounted share is 1005:1005

But what is still making trouble is id mapping. In fact, using the example from the wiki causes the LXC to fail to start. I copied and pasted the example, and replaced the default root:100000:65536 in /etc/subuid and /etc/subgid of the PVE host with root:1005:1

So, for now I went back and reverted all changes. I have to dig more into id mapping for that, because obviously I do not fully understand how this works on LXCs in Proxmox.

> Also make sure to write down everything you are doing. Because in case you lose your system disk and need to install PVE again, those LXCs won't work when restoring them from a backup without editing your new PVE again with the same stuff as before.
Good point :)
 
> First I mounted the share temporarily with mount -t cifs ...etc... to see if that works. -> works! Owner and group of the mounted share is 1005:1005
>
> But what is still making trouble is id mapping. In fact, using the example from the wiki causes the LXC to fail to start. I copied and pasted the example, and replaced the default root:100000:65536 in /etc/subuid and /etc/subgid of the PVE host with root:1005:1
I can't really say that I completely understand the remapping, but as far as I know you want that root:1005:1 in addition to root:100000:65536.

And you might need to fix rights manually. Let's say you already got a folder that was owned by UID 1005 inside the LXC (so mapped to UID 101005 on the host) before editing the remapping. That folder was then owned on the host by UID 101005. But after editing the remapping, the user with UID 1005 inside the LXC will also be UID 1005 on the host. So the user with UID 1005 inside the LXC can no longer access files that were previously owned by him, because those files/folders are still owned by UID 101005. So to make UID 1005 inside the LXC able to access those files/folders previously owned by him, you would need to chown all files (do that on the host, not from inside the LXC) from UID/GID 101005 to UID/GID 1005.
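As an added example (not code from the thread, the wiki or Proxmox), the following Python 3 script models the two points made in this thread: the containment check newuidmap applies to each lxc.idmap line against the ranges delegated to root in /etc/subuid, which is why the container only starts once root:1005:1 is present in addition to (not instead of) root:100000:65536, and how container UID 1005 lands on host UID 101005 with the stock mapping but on host UID 1005 with the custom one. The file contents are constructed copies of the values posted above, and the newuidmap model is a simplification that only checks range containment.

```python
import re
from typing import List, Optional, Tuple

IdMap = Tuple[int, int, int]          # (container_start, host_start, count)
SubId = Tuple[int, int]               # (host_start, count) delegated to a user

# Constructed inputs: the lxc.idmap lines from the thread and two /etc/subuid variants.
CT_CONF = """\
lxc.idmap = u 0 100000 1005
lxc.idmap = g 0 100000 1005
lxc.idmap = u 1005 1005 1
lxc.idmap = g 1005 1005 1
lxc.idmap = u 1006 101006 64530
lxc.idmap = g 1006 101006 64530
"""
SUBUID_DEFAULT = "root:100000:65536\n"                 # stock PVE host
SUBUID_FIXED = "root:100000:65536\nroot:1005:1\n"      # stock line plus the extra one
DEFAULT_MAP: List[IdMap] = [(0, 100000, 65536)]        # what PVE uses with no lxc.idmap

def parse_idmap(conf: str, kind: str) -> List[IdMap]:
    """Collect 'lxc.idmap = <u|g> <ct> <host> <count>' entries of one kind ('u' or 'g')."""
    pat = re.compile(r"^lxc\.idmap\s*=\s*([ug])\s+(\d+)\s+(\d+)\s+(\d+)\s*$")
    return [(int(m[2]), int(m[3]), int(m[4]))
            for m in (pat.match(l) for l in conf.splitlines()) if m and m[1] == kind]

def parse_subid(text: str, user: str = "root") -> List[SubId]:
    """Ranges <user> may delegate, parsed from /etc/subuid or /etc/subgid content."""
    rows = (l.split(":") for l in text.splitlines() if l.strip())
    return [(int(s), int(n)) for name, s, n in rows if name == user]

def rejected(maps: List[IdMap], subid: List[SubId]) -> List[IdMap]:
    """Mappings newuidmap refuses: the host range lies inside no delegated range."""
    return [(ct, host, n) for ct, host, n in maps
            if not any(s <= host and host + n <= s + c for s, c in subid)]

def ct_to_host(ct_id: int, maps: List[IdMap]) -> Optional[int]:
    """Host id for a container id; None means unmapped (shows up as nobody/nogroup)."""
    for ct, host, n in maps:
        if ct <= ct_id < ct + n:
            return host + ct_id - ct
    return None

if __name__ == "__main__":
    umap = parse_idmap(CT_CONF, "u")
    print("rejected with stock subuid:", rejected(umap, parse_subid(SUBUID_DEFAULT)))
    print("rejected with root:1005:1 added:", rejected(umap, parse_subid(SUBUID_FIXED)))
    print("CT uid 1005 on host before/after:", ct_to_host(1005, DEFAULT_MAP), ct_to_host(1005, umap))
```

Replacing the stock line with root:1005:1 alone, as tried in the thread, makes the 0-1005 and 1006-65536 ranges the rejected ones instead.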
 