Hi,
I wanted to install UrBackup inside a unprivileged LXC and this UrBackup LXC should store the backups on a NFS share on my TrueNAS server.
On my TrueNAS server I created a dataset mounted at /mnt/HDDpool/UrBackup", created a user/group "urbackup" (UID/GID 1130) and set this user/group with 770 rights as the owner of that dataset. Then I created a NFS share for that dataset and set the "Maproot User" and "Maproot Group" to "urbackup" (so I guess users accessing that share only got the rights of my urbackup user, or did I misuderstand that?).
Because unpriviled LXCs can't mount shares I mounted that NFS share on my PVE host using fstab:
I used "nfsvers=3" because somehow using NFS4 I don't get NFS working.
I also created user/group "urbackup" (UID/GID 1130) on my PVE host and created the folder "/media/UrBackup/" owned by root. If I run "mount -a" the NFS share gets mounted on the PVE host:
Inside my LXC I then created a user/group "urbackup" (UID/GID 1130) and created a folder "/media/UrBackup" owned by root.
On the PVE host I then added this to the LXCs config file...
...like I did it many times before for other unprivileged LXCs that needed access to SMB shares. So UID 1130 on the host should be mapped to UID 1130 inside the LXC so that this fits the UID 1130 of my NFS share.
But now I'm not sure if I done it right with the subuid and subgid because I don't completely understand that part why it is needed at all.
I've added
My subuid now looks like this:
"root:1100:4" is there because other unprivileged LXCs are using UID 1100 to 1103 to access SMB shares. Is that ok or is it maybe not allowed to have multiple "root" or multiple lines?
My subgid looks like this:
And why is there also a "/etc/subuid-" and "/etc/subgid-" file? Do I also need to add the "root:1130:1" line there? These look like my "/etc/subuid" and "/etc/subuid" just without the new "root:1130:1" line.
Inside my LXC I can see the bind-mounted NFS share but my root user isn't allowed to access it:
Same problem with the home folder of my urbackup user which is owned by nobody:nogroup instead of urbackup:urbackup like the NFS share:
If I switch to the urbackup user using
...which makes sense if only the owner got write access and its owned by nobody. But I can access the NFS share and write to it:
So there are 3 questions...
1.) Is someone using TrueNAS and can give me a hint how to setup NFS shares so that NFS4 can be used?
2.) How can I change the owner of "/home/urbackup" if the LXCs root isn't allowed to do that?
3.) Can I do something that the LXCs root user is allowed to do everything inside that LXC? Its really annoying if the root user isn't allowed to access folders owned by urbackup. I wanted to install the UrBackup server under the urbackup user so that would cause problems if system processes run by root aren't allowed to for example shutdown the UrBackup server or unmount stuff that was started/mounted by my urbackup user?
I wanted to install UrBackup inside a unprivileged LXC and this UrBackup LXC should store the backups on a NFS share on my TrueNAS server.
On my TrueNAS server I created a dataset mounted at /mnt/HDDpool/UrBackup", created a user/group "urbackup" (UID/GID 1130) and set this user/group with 770 rights as the owner of that dataset. Then I created a NFS share for that dataset and set the "Maproot User" and "Maproot Group" to "urbackup" (so I guess users accessing that share only got the rights of my urbackup user, or did I misuderstand that?).
Because unpriviled LXCs can't mount shares I mounted that NFS share on my PVE host using fstab:
Code:
192.168.49.4:/mnt/HDDpool/UrBackup /media/UrBackup/ nfs defaults,nfsvers=3 0 0I also created user/group "urbackup" (UID/GID 1130) on my PVE host and created the folder "/media/UrBackup/" owned by root. If I run "mount -a" the NFS share gets mounted on the PVE host:
drwxrwx--- 2 urbackup urbackup 2 Oct 27 00:05 UrBackupInside my LXC I then created a user/group "urbackup" (UID/GID 1130) and created a folder "/media/UrBackup" owned by root.
On the PVE host I then added this to the LXCs config file...
Code:
lxc.idmap: u 0 100000 1130
lxc.idmap: g 0 100000 1130
lxc.idmap: u 1130 1130 1
lxc.idmap: g 1130 1130 1
lxc.idmap: u 1131 101131 64405
lxc.idmap: g 1131 101131 64405
mp0: /media/UrBackup,mp=/media/UrBackupBut now I'm not sure if I done it right with the subuid and subgid because I don't completely understand that part why it is needed at all.
I've added
root:1130:1 to my subuid and subgid which should mean that root is allowed to access stuff owned by UID 1130 inside the LXC?My subuid now looks like this:
Code:
root:1100:4
root:1130:1
root:100000:65536
snapshot:165536:65536
podsync:231072:65536
ps3games:296608:65536
ebooks:362144:65536
ydl:427680:65536
urbackup:493216:65536My subgid looks like this:
Code:
root:1100:4
root:1130:1
root:100000:65536
snapshot:165536:65536
podsync:231072:65536
ps3games:296608:65536
ebooks:362144:65536
ydl:427680:65536
urbackup:493216:65536And why is there also a "/etc/subuid-" and "/etc/subgid-" file? Do I also need to add the "root:1130:1" line there? These look like my "/etc/subuid" and "/etc/subuid" just without the new "root:1130:1" line.
Inside my LXC I can see the bind-mounted NFS share but my root user isn't allowed to access it:
Code:
root@UrBackup:/media# ls -la
total 28
drwxr-xr-x 3 root root 3 Oct 27 04:04 .
drwxr-xr-x 21 root root 21 Oct 27 06:06 ..
drwxrwx--- 2 urbackup urbackup 2 Oct 27 00:05 UrBackup
root@UrBackup:/media# cd UrBackup/
-bash: cd: UrBackup/: Permission deniedSame problem with the home folder of my urbackup user which is owned by nobody:nogroup instead of urbackup:urbackup like the NFS share:
Code:
root@UrBackup:/home# ls -la
total 41
drwxr-xr-x 3 root root 3 Oct 27 03:43 .
drwxr-xr-x 21 root root 21 Oct 27 06:06 ..
drwxr-xr-x 2 nobody nogroup 5 Oct 27 03:43 urbackup
root@UrBackup:/home# chown -R urbackup:urbackup /home/urbackup
chown: changing ownership of '/home/urbackup/.bashrc': Operation not permitted
chown: changing ownership of '/home/urbackup/.profile': Operation not permitted
chown: changing ownership of '/home/urbackup/.bash_logout': Operation not permitted
chown: changing ownership of '/home/urbackup': Operation not permittedIf I switch to the urbackup user using
root@UrBackup:/home# su - urbackup I can't change rights of its home folder too...
Code:
urbackup@UrBackup:/home$ chown -R urbackup:urbackup /home/urbackup
chown: changing ownership of '/home/urbackup/.bashrc': Operation not permitted
chown: changing ownership of '/home/urbackup/.profile': Operation not permitted
chown: changing ownership of '/home/urbackup/.bash_logout': Operation not permitted
chown: changing ownership of '/home/urbackup': Operation not permitted
Code:
urbackup@UrBackup:/home$ cd /media/UrBackup
urbackup@UrBackup:/media/UrBackup$ ls -la
total 14
drwxrwx--- 2 urbackup urbackup 2 Oct 27 00:05 .
drwxr-xr-x 3 root root 3 Oct 27 04:04 ..
urbackup@UrBackup:/media/UrBackup$ touch test.txt
urbackup@UrBackup:/media/UrBackup$ ls -la
total 15
drwxrwx--- 2 urbackup urbackup 3 Oct 27 2021 .
drwxr-xr-x 3 root root 3 Oct 27 04:04 ..
-rw-r--r-- 1 urbackup urbackup 0 Oct 27 2021 test.txtSo there are 3 questions...
1.) Is someone using TrueNAS and can give me a hint how to setup NFS shares so that NFS4 can be used?
2.) How can I change the owner of "/home/urbackup" if the LXCs root isn't allowed to do that?
3.) Can I do something that the LXCs root user is allowed to do everything inside that LXC? Its really annoying if the root user isn't allowed to access folders owned by urbackup. I wanted to install the UrBackup server under the urbackup user so that would cause problems if system processes run by root aren't allowed to for example shutdown the UrBackup server or unmount stuff that was started/mounted by my urbackup user?
Last edited: