Proxmox LXC, Docker, NFS, and the beast.

[geist325]

Howdy! I'm sure what I'd like to do is possible, however I'm not having any luck so far.
I have a Debian 11 based unprivileged LXC, pretty much everything works fine. Many of my Docker configs however, I'd like to offload to an NFS share.
I'd followed this guide,
https://forum.proxmox.com/threads/tutorial-mounting-nfs-share-to-an-unprivileged-lxc.138506/

, and have the NFS shares mounted on the Proxmox host (via FSTAB), and they are present on the LXC container as well.
Getting a console on the LXC, I have full permissions on the share to create, modify, and delete files/folders.
I've installed Docker on this LXC, following this guide:
https://benheater.com/proxmox-run-docker-on-linux-containers-lxc/

I've modified the *.conf to reflect:
mp0: /directory/,mp=/directory
lxc.cgroup2.devices.allow: c 10:200 rwm
lxc.mount.entry: /dev/net/tun dev/net/tun none bind,create=file
(I also run Tailscale within the container)

Now here's where the problem happens:

Creating Docker containers/volumes is just fine, however, when I attempt to bind the config directory in my Docker container to a directory on the NFS share, I get:
chmod: changing permissions of '/config': Operation not permitted
chown: changing ownership of '/config': Operation not permitted

I'm missing something here, I'm just not sure where!
Any guidance would be greatly appreciated, thanks guys!

 

[0xBEN]

Is it an unprivileged LXC? If so, it's probably due to uid and gid mapping issue, where root in the container does not actually map to root uid and gid outside the container.

A couple of things I've written to expand upon this concept with unprivileged LXC further are:

https://notes.benheater.com/books/proxmox/page/nfs-lxc-backups-permissions-issue-synology

https://notes.benheater.com/books/linux-administration/page/proxmox-unprivileged-lxc-workaround

 

[geist325]

Hmm, that did not seem to do the trick for me unfortunately. I've verified the appropriate changes both on the host and within the LXC config.




I still get errors when trying to start the Docker container (running from the LXC), pointing to a storage config bind on the NFS share.

 

[0xBEN]

I'm replying from my phone, so my apologies if my initial response wasn't clear. That second link I posted with the Proxmox LXC workaround pertains more to joining LXC to an Active Directory domain and allowing users with high numbered uids and gids to authenticate. I was simply trying to give you some references where I've had to come up with some workarounds to the uid/gid mismatch in various scenarios with unprivileged LXC.

The first link I shared would be more relevant as it pertains to allowing a LXC to map a NFS share where the LXC root user uid/gid doesn't map to root's uid/gid on the host.

Adding the uid/gid mapping as you've shown in your screenshot probably won't help in any way. You can remove those uid /gid mappings from your lxc.conf file. Try checking out that first link where you might have to use a NFS squash option to allow the mapping given the uid/gid mismatch.

 

[geist325]

Gotcha, I appreciate it!

I think I understand what the issue is, but unsure how to take a corrective measure relevant to my particulat setup here.

 

[0xBEN]

I am by no means a NFS expert here, so I welcome feedback from the community. But you might try configuring the NFS share with all_squash and see if that allows the user in your Linux Container to mount the share.

https://linux.die.net/man/5/exports

 

[geist325]

I did try that, does not seem to care. It's a little complex, with a network share, Proxmox mount, translation to the LXC, and then Docker.
I have now tried the same with mounting via SSHFS via the pve host, same results, it has to be the way that the pve host is handing the NFS/SSHFS mount to the LXC.

 

[geist325]

Okay! I have it working with CIFS. I suppose I missed a part, it just has to be this way, with CIFS.

fstab on pve host:
//sambaserver/share/ /localdirectory cifs _netdev,x-systemd.automount,noatime,uid=100000,gid=110000,dir_mode=0777,file_mode=0777,user=myuser,pass=mypass) 0 0

Done!

 

[0xBEN]

What did you do differently this time that wasn't done before? Would be great to know the solution for future folks exploring the forums.

Was it just a matter of passing an explicit uid+gid?

 

[geist325]

I'm still pretty new, and not intimately familiar with Proxmox.
It seems to be a matter of requiring the specific options given in a CFS/Samba share, as I've tried just about everything else I can think of I've typically found NFS to have the best performance, but with my knowledge could not make it work with that protocol.
I have one container that's being a bit problematic, but that one's not even important.
My 15 Docker containers are up and running, in an LXC (Debian 12), with their config/storage directory located on a CFS share/mount.