Scripted permissions for container mount point not right

promoe

New Member
Oct 19, 2020
I've a pct-using script for Debian 10.6 that attempts to mount a host directory in the container:

Bash:
pct create 901 local:vztmpl/debian-10-standard_10.5-1_amd64.tar.gz --cores 2 --net0 name=eth0,bridge=vmbr0,ip=dhcp --rootfs local-lvm:8 --features nesting=1 --$

echo Doing dav mountpoint ...
mkdir /root/mydav
chown www-data. /root/mydav
chmod 770 /root/mydav
chgrp -R 100000 /root/mydav
pct set 901 -mp0 /root/mydav,mp=/home/webdav

echo Host mountpoint perms:
ls -al /root/mydav

pct start 901

## IP address lease from DHCP
sleep 7

echo Container mountpoint perms:
pct exec 901 -- ls -al /home/webdav

That executes, but I was expecting to see identical permissions on the host and in the guest container, and am not:

Code:
Doing dav mountpoint ...
Host mountpoint perms:
total 8
drwxrwx---  2 www-data 100000 4096 Oct 20 14:51 .
drwx------ 11 root     root   4096 Oct 20 14:51 ..
Container mountpoint perms:
total 8
drwxrwx--- 2 nobody root 4096 Oct 20 14:51 .
drwxr-xr-x 3 root   root 4096 Oct 20 14:51

Is there a chgrp/chown I have to do secondarily inside the container (pct exec 901 ....)?
 
Dammit, the pct-create line was truncated above. Here's the full line:

pct create 901 local:vztmpl/debian-10-standard_10.5-1_amd64.tar.gz --cores 2 --net0 name=eth0,bridge=vmbr0,ip=dhcp --rootfs local-lvm:8 --features nesting=1 --unprivileged 1


Or is it screenshots of the result from the web-UI that you're after?
 
the permissions are different because it is an unprivileged container. root on the host is not available in the container, user 100000 on the host is root inside the container. the permissions for '..' are identical because '..' does not refer to the same directory in both listings ;)

I assume you want the user 'www-data' inside the container to own the directory /home/webdav ? you need to map that user to the host-equivalent (www-data's UID on the host + 100000) and chown using the resulting UID.
 
What would I pass to pct-exec to achieve that? chgrp? or something I have even less experience with?
 
you need to change it from the host, instead of chown www-data. /root/mydav you need to pass in whatever 'www-data' inside the container maps to on the host. if the container is Debian, www-data is probably UID 33, plus the 100000 from the default mapping that means the directory needs the owner 100033 on the host.

you can check this by doing something like touch test; chown www-data test inside the container, and then looking at the permissions from the host's point of view.
 
Thanks a bunch - will report back with the script from the OP further modified :)
 
Hmmmm, I've been able to determine the UID of a test file in the container (33) and in bash add 100000 to that, then on the host (scripted):

Code:
$ mkdir /root/mydav
$ chown 100033 /root/mydav
$ stat -c '%g' /root/mydav
0

.. which isn't what I expected. I thought that would have shown 100033, not zero.

I can share the whole script (modified from OP), but I think I get the problem across in the three lines I have here.
 
yeah, the group is not affected when you change the owning user, so this is entirely expected. if you want to get user www-data, group root inside the container, you can for example do chown 100033:100000 PATH (assuming again that the default mapping of +100000 is in place, and that www-data is UID 33).
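The mapping arithmetic described in the two replies above (container id + 100000 for the default mapping, and the fact that an unmapped host id shows up as nobody inside the CT), as an added example that is not from the thread. It parses lxc.idmap lines from a constructed container config rather than assuming a fixed +100000 offset, so it also covers custom mappings such as a passed-through host UID; pct itself is not called.

```sh
#!/bin/sh
# Constructed sample config (not from the thread): the Proxmox default +100000
# mapping, with a hole at 1000 that passes host UID/GID 1000 straight through.
SAMPLE_IDMAP='lxc.idmap: u 0 100000 1000
lxc.idmap: g 0 100000 1000
lxc.idmap: u 1000 1000 1
lxc.idmap: g 1000 1000 1
lxc.idmap: u 1001 101001 64535
lxc.idmap: g 1001 101001 64535'

# idmap DIR KIND ID IDMAP_TEXT
#   DIR  = ct2host (container id -> host id) or host2ct (host id -> container id)
#   KIND = u or g
# Prints the mapped id; returns 1 when the id is outside every range
# (a host id like that is shown as nobody/nogroup inside the container).
idmap() {
    printf '%s\n' "$4" | awk -v dir="$1" -v kind="$2" -v id="$3" '
        $1 ~ /^lxc\.idmap/ {
            # accept "lxc.idmap: u ..." (pct config) and "lxc.idmap = u ..." (raw lxc)
            if ($2 == "=") { k = $3; s = $4; h = $5; n = $6 } else { k = $2; s = $3; h = $4; n = $5 }
            if (k != kind) next
            if (dir == "ct2host" && id >= s && id < s + n) { print h + (id - s); ok = 1; exit }
            if (dir == "host2ct" && id >= h && id < h + n) { print s + (id - h); ok = 1; exit }
        }
        END { exit ok ? 0 : 1 }'
}

# host_owner CT_UID CT_GID IDMAP_TEXT: the uid:gid to chown a host directory to
# so that, inside the container, it is owned by CT_UID:CT_GID.
host_owner() {
    u=$(idmap ct2host u "$1" "$3") || return 1
    g=$(idmap ct2host g "$2" "$3") || return 1
    printf '%s:%s\n' "$u" "$g"
}

# The thread's case: www-data (uid 33), group root (gid 0) inside the CT.
host_owner 33 0 "$SAMPLE_IDMAP"
# Why the first listing showed "nobody": host uid 33 is covered by no range.
idmap host2ct u 33 "$SAMPLE_IDMAP" || echo "host uid 33 is unmapped -> nobody in CT"
```

On a real host the same lines can be read from /etc/pve/lxc/<vmid>.conf; only the config text is substituted.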
 
Here's a working container for Apache+WebDAV with a test, based on what I've learned, and some copy/paste from other people's code:

Bash:
pct create 901 local:vztmpl/debian-10-standard_10.5-1_amd64.tar.gz  \
  --cores 2 --net0 name=eth0,bridge=vmbr0,ip=dhcp --rootfs local-lvm:8  \
  --features nesting=1 --unprivileged 1

mkdir /root/mydav

pct set 901 -mp0 /root/mydav,mp=/home/webdav

pct start 901

sleep 7

# Get UID of www-data owned test file in container
pct exec 901 -- touch test
pct exec 901 -- chown www-data test
containeruid=$(pct exec 901 -- stat -c '%u' test)

# Calc UID for www-data on host (the above plus 100000)
hostuid=$(( 100000 + $containeruid ))

# run both apt steps inside the container (without sh -c the part after && would run on the host)
pct exec 901 -- sh -c 'apt update --fix-missing && apt-get -y upgrade'
pct exec 901 -- apt -y install apache2 apache2-utils
pct exec 901 -- a2enmod dav*

cat <<EOT > .webdav.conf
Alias /webdav /home/webdav
<Location /webdav>
  DAV On
  Options None
  AuthType Basic
  AuthName WebDAV
  AuthUserFile /etc/apache2/.htpasswd
  <RequireAny>
   Require method GET POST OPTIONS
   Require valid-user
  </RequireAny>
</Location>
EOT

ipaddr=$(pct exec 901 -- hostname -I | awk '{$1=$1};1')

pct push 901 .webdav.conf /etc/apache2/sites-available/webdav.conf -perms 0644
pct exec 901 -- a2ensite webdav
pct exec 901 -- htpasswd -b -c /etc/apache2/.htpasswd hello hellopw

chown "$hostuid" /root/mydav

pct exec 901 -- systemctl restart apache2

sleep 2

curl -u hello:hellopw -d "mary had a litle lamb" -X PUT "http://$ipaddr/webdav/testfile"

Actually that'd be fewer lines of code if it wasn't for mounting the DAV directory in the host's directory structure, which has its own limits.
 
