Hi all,
I am trying to get an unprivileged LXC container running Nextcloud AIO (in docker) to access a bind-mounted NFS share on the host for the media files.
The unprivileged LXC container (id 106) is running the nfs-server:
Code:
root@fileserver2priv /# cat /etc/exports
# export to all known non-routable (local) networks
/srv/storage (no_root_squash,no_subtree_check,rw,fsid=1)
all files on lxc id 106 are owned by user www-data (uid: 33):
Code:
root@fileserver2priv /srv/storage# ls -lah
total 130K
drwxr-xr-x 12 www-data www-data 13 Apr 11 23:57 .
drwxr-xr-x 4 root root 4 Jun 14 2024 ..
-rw-r--r-- 1 www-data www-data 0 Jan 8 2024 .nomedia
drwx------ 3 www-data www-data 3 Apr 10 19:07 .recycle
drwxr-xr-x 6 www-data www-data 7 Apr 10 12:40 audio
drwxr-xr-x 4 www-data www-data 5 Apr 1 09:10 filme
drwxr-xr-x 2 www-data www-data 3 Apr 11 23:58 nextcloud
drwxr-xr-x 128 www-data www-data 129 Apr 4 19:27 serien
drwxr-xr-x 2 www-data www-data 2 Apr 10 11:00 test
drwxr-xr-x 2 www-data www-data 2 Apr 10 11:32 test2
drwxr-xr-x 2 www-data www-data 2 Apr 10 11:32 test3
drwxr-xr-x 2 www-data www-data 2 Apr 10 11:52 test5
drwxr-xr-x 2 www-data www-data 2 Apr 10 12:28 test6
the user www-data is in group lxc_shares with gid 10000:
Code:
root@fileserver2priv /srv/storage# id www-data
uid=33(www-data) gid=33(www-data) groups=33(www-data),10000(lxc_shares)
On the proxmox host I have bind-mounted the nfs share:
Code:
root@dieter:~# cat /etc/fstab
# <file system> <mount point> <type> <options> <dump> <pass>
proc /proc proc defaults 0 0
#nfs shares for bind-mount
192.168.101.228:/srv/storage /mnt/nas-tank/nfs nfs rw,bg,intr,suid 0 0
the files are owned by user www-data:
Code:
root@dieter:/mnt/nas-tank/nfs# ls -lah
total 122K
drwxr-xr-x 12 www-data www-data 13 Apr 12 01:57 .
drwxr-xr-x 5 root root 5 Apr 11 15:45 ..
drwxr-xr-x 6 www-data www-data 7 Apr 10 14:40 audio
drwxr-xr-x 4 www-data www-data 5 Apr 1 11:10 filme
drwxr-xr-x 2 www-data www-data 3 Apr 12 01:58 nextcloud
-rw-r--r-- 1 www-data www-data 0 Jan 9 2024 .nomedia
drwx------ 3 www-data www-data 3 Apr 10 21:07 .recycle
drwxr-xr-x 128 www-data www-data 129 Apr 4 21:27 serien
drwxr-xr-x 2 www-data www-data 2 Apr 10 13:00 test
drwxr-xr-x 2 www-data www-data 2 Apr 10 13:32 test2
drwxr-xr-x 2 www-data www-data 2 Apr 10 13:32 test3
drwxr-xr-x 2 www-data www-data 2 Apr 10 13:52 test5
drwxr-xr-x 2 www-data www-data 2 Apr 10 14:28 test6
root@dieter:/mnt/nas-tank/nfs/nextcloud# ls -lah
total 23K
drwxr-xr-x 2 www-data www-data 3 Apr 16 09:22 .
drwxr-xr-x 12 www-data www-data 13 Apr 12 01:57 ..
-rw-rw-r-- 1 www-data www-data 0 Apr 12 01:58 testdatei.txt
So it seems to me that everything is working up to this point, if I understand the wiki and tutorials correctly.
So now I have added this bind-mount to the unprivileged LXC container (id 101) running Nextcloud-AIO and made the uid mapping for user www-data (uid = 33):
Code:
root@dieter:~# cat /etc/pve/lxc/101.conf
# uid map: from uid 0 map 1005 uids (in the ct) to the range starting 100000 (on the host), so 0..1004 (ct) → 100000..101004 (host)
# we map 1 uid starting from uid 1005 onto 1005, so 1005 → 1005
# we map the rest of 65535 from 1006 upto 101006, so 1006..65535 → 101006..165535
arch: amd64
cores: 4
features: nesting=1
hostname: nextcloud
memory: 8192
mp0: /mnt/nas-tank/nfs/nextcloud,mp=/srv/nextcloud/data
net0: name=eth0,bridge=vmbr0,firewall=1,hwaddr=BC:24:11:40:72:10,ip=dhcp,ip6=dhcp,type=veth
onboot: 1
ostype: ubuntu
rootfs: container-zfs:subvol-101-disk-0,size=20G
swap: 8192
unprivileged: 1
lxc.idmap: u 0 100000 33
lxc.idmap: g 0 100000 33
lxc.idmap: u 33 33 1
lxc.idmap: g 33 33 1
lxc.idmap: u 34 100034 64530
lxc.idmap: g 34 100034 64530
I have adjusted the subuid and subgid files on the proxmox host for user www-data (gid 33):
Code:
root@dieter:~# cat /etc/subuid
root:100000:65536
root:33:1
root@dieter:~# cat /etc/subgid
root:100000:65536
root:33:1
In the unprivileged LXC container the ownership of the mounted nfs folders looks like this:
Code:
root@nextcloud:/srv/nextcloud/data# ls -lah
total 20K
drwxr-xr-x 2 www-data www-data 3 Apr 16 07:22 .
drwxr-xr-x 3 nobody nogroup 3 Apr 11 22:03 ..
-rw-rw-r-- 1 www-data www-data 0 Apr 11 23:58 testdatei.txt
I am able to read but not write the files as the root user in the LXC container:
Code:
root@nextcloud:/srv/nextcloud/data# cat testdatei.txt
Working!
root@nextcloud:/srv/nextcloud/data# echo "update" >> testdatei.txt
-bash: testdatei.txt: Permission denied
With the user www-data it's possible to read & write the files:
Code:
root@nextcloud:/srv/nextcloud/data# sudo -u www-data -g www-data cat testdatei.txt
Working!
Code:
root@nextcloud:/srv/nextcloud/data# sudo -u www-data -g www-data nano testdatei.txt
root@nextcloud:/srv/nextcloud/data# cat testdatei.txt
Working!update
So until this point it seems everything is working. The user www-data has read & write access to all files:
on the LXC container with the nfs-server (lxc id 106), on the Proxmox host and on the unprivileged LXC container for Nextcloud AIO (lxc id 101).
I don't understand why root is not able to write the files inside lxc id 101, but okay.
Now the problem is starting: When I try to start Nextcloud AIO (via docker) in the lxc id 101 it is not working. And the reason seems to be the user-id mapping:
Code:
root@nextcloud:/srv/nextcloud/data# docker run -d \
--sig-proxy=false \
--name nextcloud-aio-mastercontainer \
--restart always \
--publish 80:80 \
--publish 8080:8080 \
--publish 8443:8443 \
--volume nextcloud_aio_mastercontainer:/mnt/docker-aio-config \
--volume /var/run/docker.sock:/var/run/docker.sock:ro \
--env NEXTCLOUD_MOUNT="/mnt/" \
--env NEXTCLOUD_DATADIR="/srv/nextcloud/data" \
ghcr.io/nextcloud-releases/all-in-one:latest
docker: Error response from daemon: lstat /var/lib/docker/overlay2/d9a43638e3f6dedae7dd6648a3b5a8fd406da799c6f49a2f5a8947c99eb02737/merged/var/www/docker-aio: permission denied
The folder d9a436... does not exist, but all files inside the parent folder are owned by root:
Code:
root@nextcloud:/srv/nextcloud/data# cd /var/lib/docker/overlay2/
root@nextcloud:/var/lib/docker/overlay2# ls -lah
total 1.2M
drwx--x--- 130 root root 130 Apr 16 07:35 .
drwx--x--- 12 root root 13 Apr 16 07:19 ..
drwx--x--- 4 root root 7 Apr 11 22:32 d50984207dc01e542d22d155c7f492464448a5d885e41a3bc1fde244b99bb160
drwx--x--- 4 root root 7 Apr 11 22:34 d55f120b03710812041948f2123ba301b64a29948ecbdc2c650ba2c72587ca30
drwx--x--- 4 root root 7 Apr 11 22:36 d6587459225597716d7a59bfcab128749525b4d2f44fe36d8b96855859cf8739
drwx--x--- 4 root root 7 Apr 11 22:30 d7e941422f7ab14183b9901e0a0f3fd183d1c9ee91f30049f54a97701e95a456
drwx--x--- 4 root root 7 Apr 11 22:26 dcf6f72449b10919046132e9229ea248c78584b10deed545854911f53bfdbba2
drwx--x--- 4 root root 7 Apr 11 22:36 df568db7dd5dee5fe438491e274c5c184f71a876ade433306be672d99f9253eb
drwx--x--- 4 root root 7 Apr 11 22:34 dfe53eac6eca3bf9b1d64e98efcef5e65a8128adc591ca6fecd0adb30e9fd50e
drwx--x--- 4 root root 7 Apr 11 22:36 e3fdf3b6d27d2cfc2124268dd28bb26890b525cb3d21f34b00b3bd626821dc31
drwx--x--- 3 root root 5 Apr 11 22:36 e5295a09c2e9e7fcf4aed946667a7632ede7722e84181bb59f97e89b2c837b1b
drwx--x--- 4 root root 7 Apr 11 22:36 e8def575b7046b5122ddd619938692ed7d165c53f6dda9b12a35ea86ce88bcee
drwx--x--- 4 root root 7 Apr 11 22:31 e9347b2390326d3165ad8c3349245fb02c80b4374b06b50b63035b21d1ad6eb7
drwx--x--- 4 root root 7 Apr 11 22:36 ef4a0dd8e33c11e495e09a2ea67077161b00ff515e02690ca8ed6e9f4c442ae0
drwx--x--- 4 root root 7 Apr 11 22:31 f5c6c57a211e49675f827eea39620d8dcfacd8edf1e044a6e89926307be250e4
drwx--x--- 4 root root 7 Apr 11 22:31 f80931b3ed85df08e621ac216d56a97a54faa1e8578b586757c2d893f1ebfde0
drwx--x--- 4 root root 7 Apr 11 22:33 fd36afd06c31be36b3e1f10ce76b7806045a077584b4c3f09a4727b1253ab6c1
drwx--x--- 4 root root 7 Apr 11 22:34 fd84f26b29bc2329168f5badd76a925821fe4c4237802c2cb0164e6a166999d0
drwx--x--- 4 root root 7 Apr 11 22:26 fdfa7b8f528ec4307aea59561ccf4a275de076a54002c9acf778efeecd23d14e
drwx--x--- 4 root root 7 Apr 11 22:31 ff1ba5963d516abdb22c1f16f5b464cc6736e2153c444d3b25d908b34fb9a2c0
drwx------ 2 root root 129 Apr 16 07:35 l
So I guess it's something with the user id mapping. And root does not have access to the root files inside the lxc container.
I do not really understand what is the problem or what triggers the problem.
Much thanks to everybody giving me hints what is the problem and how I can solve it.
I guess I haven't really understood the user id mapping, but I thought I did everything exactly as told in the Proxmox wiki.
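As an added example (not part of the forum post), the following Python applies the `lxc.idmap` lines and `/etc/subuid` entries quoted above: it translates container ids to host ids and back, checks that every idmap range is covered by a subuid grant, and evaluates plain POSIX permission bits on the NFS test file (host uid/gid 33, mode 0664) the way the NFS server sees them. The file mode, the `NOBODY` value and the function names are assumptions for the illustration.

```python
# Added example (not from the forum post): walk through the uid mapping
# quoted in the post and the resulting permission checks on the NFS share.
IDMAP_CONF = """lxc.idmap: u 0 100000 33
lxc.idmap: g 0 100000 33
lxc.idmap: u 33 33 1
lxc.idmap: g 33 33 1
lxc.idmap: u 34 100034 64530
lxc.idmap: g 34 100034 64530"""          # copied from the post's 101.conf
SUBUID = "root:100000:65536\nroot:33:1"  # copied from the post's /etc/subuid
NOBODY = 65534  # unmapped ids appear as nobody/nogroup inside the container

def parse_idmap(conf):
    """Return {'u': [(ct_start, host_start, count), ...], 'g': [...]}."""
    maps = {"u": [], "g": []}
    for line in conf.splitlines():
        if line.startswith("lxc.idmap:"):
            kind, ct, host, count = line.split(":", 1)[1].split()
            maps[kind].append((int(ct), int(host), int(count)))
    return maps

def ct_to_host(ranges, ct_id):
    """Translate a container id to the host id, or NOBODY if unmapped."""
    for ct_start, host_start, count in ranges:
        if ct_start <= ct_id < ct_start + count:
            return host_start + (ct_id - ct_start)
    return NOBODY

def host_to_ct(ranges, host_id):
    """Reverse translation; host root (0) has no entry, hence 'nobody' on '..'."""
    for ct_start, host_start, count in ranges:
        if host_start <= host_id < host_start + count:
            return ct_start + (host_id - host_start)
    return NOBODY

def subid_covers(subid_text, user, ranges):
    """True when every host range lies inside a subuid/subgid grant for `user`;
    otherwise lxc refuses to start the container with that idmap."""
    grants = [(int(s), int(s) + int(c)) for n, s, c in
              (l.split(":") for l in subid_text.splitlines()) if n == user]
    return all(any(lo <= h and h + cnt <= hi for lo, hi in grants)
               for _, h, cnt in ranges)

def can_access(host_uid, host_gids, file_uid, file_gid, mode, want):
    """Owner/group/other bit check using the *host* ids the NFS server sees.
    Container root is host uid 100000 here, so it never gets root's bypass."""
    bit = {"r": 4, "w": 2}[want]
    shift = 6 if host_uid == file_uid else 3 if file_gid in host_gids else 0
    return bool((mode >> shift) & bit)
```

With this mapping container root (host 100000) falls into the "other" class of a www-data-owned 0664 file, which reproduces the read-only result from the post, while container www-data maps to host 33 and gets the owner bits.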