Shared folders between host and container

Mrt12
May 19, 2019
Hi,
I have a container in which I would like to run a webserver (for Nextcloud).
The data storage of this web server shall be on a NAS, which is mounted via Samba.
I first thought that I can mount the Samba share on the host and then "redirect" it to the container via a bind mount, but the mountpoints I can configure in Proxmox don't allow me to write to that share. I can see it in my container, but it belongs to "nobody" and therefore cannot be written to.
So is there any preferred way of exposing a Samba share to a container?

I would definitely prefer a container over a VM because it is very efficient.
 
hi,

I first thought that I can mount the Samba share on the host and then "redirect" it to the container via a bind mount, but the mountpoints I can configure in Proxmox don't allow me to write to that share. I can see it in my container, but it belongs to "nobody" and therefore cannot be written to.

bind mounts are the right way to accomplish this. i think you missed a step at the end during your setup, where you have to change the permissions/owners on the host directory according to the mapped uid/gid from lxc container. (unprivileged containers map uid/gid to something else on the host. more info on that here[0])

just set the correct uid/gid with chown or allow r/w access with chmod

[0]: https://pve.proxmox.com/wiki/Unprivileged_LXC_containers
 
hi,



bind mounts are the right way to accomplish this. i think you missed a step at the end during your setup, where you have to change the permissions/owners on the host directory according to the mapped uid/gid from lxc container. (unprivileged containers map uid/gid to something else on the host. more info on that here[0])

just set the correct uid/gid with chown or allow r/w access with chmod

[0]: https://pve.proxmox.com/wiki/Unprivileged_LXC_containers

Hi oguz,
yes I saw that. Indeed the uid/gid needs to be set correctly. However I am unsure how I shall do that when I mount the Samba/CIFS share?
so far I tested it as follows: (on the PVE host)

Code:
mount -t cifs -o username=testuser,password=test123,gid=100000,uid=100000 //server/share /srv/share

where //server/share is the Samba share on my NAS and /srv/share is some folder on the host. Then, I manually edited the container config file as follows

Code:
lxc.mount.entry: /srv/share srv none rw,bind 0 0

which mounts the /srv/share from the host into /srv inside the container.
And that seems to work. So is this the preferred and official way to do it? or is there even a simpler method?

Background:
I saw that it is also possible having uid and gid mapping tables, but I found this solution very unhandy; I usually really don't want to care about those IDs. I am also afraid that it is not so maintenance-free, because if new users are created inside the container or so, then this needs to be taken into account somehow because there will be additional user and/or group IDs.

By the way:
is there a plan to add this option to the Proxmox GUI? that would be really awesome.
 
One additional thing: I just realised that every file created within this mount point has the 'x' bit set. Why is this and how can I avoid it?

(inside the container)

Code:
# ls -al
total 16
drwxr-xr-x  2 root root  0 Feb 18 16:36 .
drwxr-xr-x 25 root root 25 Feb 18 16:41 ..
-rwxr-xr-x  1 root root  0 Feb 18 14:19 hello
-rwxr-xr-x  1 root root  0 Feb 18 16:36 huhu
-rwxr-xr-x  1 root root  5 Feb 18 14:19 test.txt
 
hi again,

So is this the preferred and official way to do it? or is there even a simpler method?
yes, this is the recommended way. i'm not aware of a simpler method but maybe someone else knows.

I saw that it is also possible having uid and gid mapping tables, but I found this solution very unhandy; I usually really don't want to care about those IDs. I am also afraid that it is not so maintenance-free, because if new users are created inside the container or so, then this needs to be taken into account somehow because there will be additional user and/or group IDs.

you don't need to have custom mappings, the default mapping made in unprivileged containers is to start from 100000 for 0 and increment according to the uid in the CT

you just need to allow that uid/gid to r/w on that directory.
first option is to change the owner of the files accordingly. (chown)
second option is to relax the permissions on that directory so anyone can locally access and edit the files. (chmod)

However I am unsure how I shall do that when I mount the Samba/CIFS share?
your syntax looks okay to me. also according to the output you sent in the previous post, it seems like you're seeing root as the owner of the files in the container, so it seems to be working.

I just realised that every file created within this mount point has the 'x' bit set. Why is this and how can I avoid it?
'x' bit is for execution permissions. you can change the permissions on the files recursively to avoid setting the 'x' bit for the last part. (something like chmod -R 750 could work)
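The host-side steps from the two answers above (shift the CT's uid/gid by the default 100000 offset, mount the share with those ids, then check the mode bits the CT sees) as an added example; this is not code from the thread or from Proxmox. It assumes the default Proxmox id shift, a mount.cifs credentials file instead of password= on the command line, and a NAS without CIFS unix extensions, in which case the 'x' bit on every file is the default file_mode of 0755 and file_mode/dir_mode set the bits explicitly instead of a chmod -R afterwards. The listing fed to the checker is constructed from the output posted above.

```shell
#!/bin/sh
# Added example (not from the thread, not Proxmox code): host-side helpers for
# putting a CIFS share into an unprivileged CT via a bind mount.
# Assumptions: the default Proxmox id shift (CT id N -> host id 100000+N),
# a mount.cifs credentials file instead of password= on the command line,
# and a NAS without CIFS unix extensions, so file_mode/dir_mode decide the
# mode bits the CT sees (their default of 0755 is where the 'x' bit came from).

BASE=100000

# host_id CT_ID -> the host-side id that CT id is shifted to (33 -> 100033)
host_id() {
    echo $((BASE + $1))
}

# cifs_opts CT_UID CT_GID CRED_FILE -> option string for mount -t cifs
# uid/gid are the shifted host ids; file_mode=0640 drops the x bit on files
# while dir_mode=0750 keeps directories traversable.
cifs_opts() {
    printf 'credentials=%s,uid=%s,gid=%s,file_mode=0640,dir_mode=0750\n' \
        "$3" "$(host_id "$1")" "$(host_id "$2")"
}

# mount_cmd CT_UID CT_GID CRED_FILE SHARE MOUNTPOINT -> the command for the PVE host
mount_cmd() {
    printf 'mount -t cifs -o %s %s %s\n' "$(cifs_opts "$1" "$2" "$3")" "$4" "$5"
}

# exec_files reads `ls -l` output on stdin and prints the names of regular
# files that carry any x bit; directories (leading 'd') and the 'total' line
# are skipped. Useful to confirm the mode fix took effect inside the CT.
exec_files() {
    while read -r mode _links _owner _group _size _mon _day _time name; do
        case "$mode" in
            -*x*) echo "$name" ;;
        esac
    done
}

# Constructed sample: the listing reported in the thread plus one file with
# the mode that file_mode=0640 would produce.
SAMPLE_LS='total 16
drwxr-xr-x  2 root root  0 Feb 18 16:36 .
drwxr-xr-x 25 root root 25 Feb 18 16:41 ..
-rwxr-xr-x  1 root root  0 Feb 18 14:19 hello
-rwxr-xr-x  1 root root  0 Feb 18 16:36 huhu
-rw-r-----  1 root root  5 Feb 18 14:19 test.txt'

# Demo when run directly: www-data (uid/gid 33 inside the CT), hypothetical paths
mount_cmd 33 33 /root/.smbcredentials //server/share /srv/share
printf '%s\n' "$SAMPLE_LS" | exec_files
```

The credentials file path, share and mountpoint are placeholders; the point of credentials= over password= is that the NAS password then never shows up in process listings or the shell history on the PVE host. The bind mount into the CT (the lxc.mount.entry line from the earlier post) is unchanged by this.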
 
Hi oguz,
thanks a lot!

'x' bit is for execution permissions. you can change the permissions on the files recursively to avoid setting the 'x' bit for the last part. (something like chmod -R 750 could work)

Hmm I will test that and let you know if it works. Yesterday it seemed a bit odd to me that each file got its x bit set.
 
hi,



bind mounts are the right way to accomplish this. i think you missed a step at the end during your setup, where you have to change the permissions/owners on the host directory according to the mapped uid/gid from lxc container. (unprivileged containers map uid/gid to something else on the host. more info on that here[0])

just set the correct uid/gid with chown or allow r/w access with chmod

[0]: https://pve.proxmox.com/wiki/Unprivileged_LXC_containers

Hi. I read this and there's something that I'm unable to understand. In an unprivileged container, I have a bind mount. From the host, I don't mind the uid/gid (it's a local btrfs filesystem), but I just want the root user in the container to be able to manage the shared tree for storing internal info. The bind shows nobody/nogroup and I'm unable to write anything in that path. What should I do to solve that? Ideally, the container root user should be able to chown/chmod to whatever it needs, but I'm not sure if this is possible (without extra magic).

Thanks in advance.
 
I have a bind mount. From the host, I don't mind the uid/gid (it's a local btrfs filesystem), but I just want the root user in the container to be able to manage the shared tree for storing internal info. The bind shows nobody/nogroup and I'm unable to write anything in that path. What should I do to solve that? Ideally, the container root user should be able to chown/chmod to whatever it needs, but I'm not sure if this is possible (without extra magic).

on the host level change the uid/gid and owner of the bindmount folders according to the in-container-root user's uid/gid on the host.

you should then be able to have write access anywhere in the folder as 'root' in the container as well. (if there are also users in the container using the share, then you can add these to a group and give access to the group)
 
on the host level change the uid/gid and owner of the bindmount folders according to the in-container-root user's uid/gid on the host.

you should then be able to have write access anywhere in the folder as 'root' in the container as well. (if there are also users in the container using the share, then you can add these to a group and give access to the group)

Thanks for your answer. Here is what I've tried:

I have just reserved a gid in the host (2120) for the CTID 120 and I've just chgrped the folder. Then, I've set in the config file

Code:
lxc.idmap: u 0 100000 65535
lxc.idmap: g 0 100000 2120
lxc.idmap: g 2120 2120 1
lxc.idmap: g 2121 102121 63415

and set in /etc/subgid
Code:
root:2120:1

and /etc/subuid
Code:
root:100000:655535

But the container won't start:

Code:
# lxc-start -F -n 120
lxc-start: 120: conf.c: lxc_map_ids: 2779 newgidmap failed to write mapping "newgidmap: gid range [2120-2121) -> [2120-2121) not allowed": newgidmap 28147 0 100000 2120 2120 2120 1 2121 102121 63415
lxc-start: 120: start.c: lxc_spawn: 1690 Failed to set up id mapping.
lxc-start: 120: start.c: __lxc_start: 1957 Failed to spawn container "120"

What am I doing wrong?
 
i think your mapping syntax might be wrong. please check the following example from the wiki article posted before in this thread:

Code:
# uid map: from uid 0 map 1005 uids (in the ct) to the range starting 100000 (on the host), so 0..1004 (ct) → 100000..101004 (host)
lxc.idmap = u 0 100000 1005
lxc.idmap = g 0 100000 1005
# we map 1 uid starting from uid 1005 onto 1005, so 1005 → 1005
lxc.idmap = u 1005 1005 1
lxc.idmap = g 1005 1005 1
# we map the rest of 65535 from 1006 upto 101006, so 1006..65535 → 101006..165535
lxc.idmap = u 1006 101006 64530
lxc.idmap = g 1006 101006 64530

this should give you an idea.
 
i think your mapping syntax might be wrong. please check the following example from the wiki article posted before in this thread:

Code:
# uid map: from uid 0 map 1005 uids (in the ct) to the range starting 100000 (on the host), so 0..1004 (ct) → 100000..101004 (host)
lxc.idmap = u 0 100000 1005
lxc.idmap = g 0 100000 1005
# we map 1 uid starting from uid 1005 onto 1005, so 1005 → 1005
lxc.idmap = u 1005 1005 1
lxc.idmap = g 1005 1005 1
# we map the rest of 65535 from 1006 upto 101006, so 1006..65535 → 101006..165535
lxc.idmap = u 1006 101006 64530
lxc.idmap = g 1006 101006 64530

this should give you an idea.

Yes, I realized that difference about replacing "=" with ":", I guess it's proxmox software itself which does the changes automatically. I've tried rewriting with "=" but I still get the same result.

Also, I'm not sure if I could do nothing about uid remapping, since I don't find it necessary for my needs, at least according to this strategy for just one gid.
 
Yes, I realized that difference about replacing "=" with ":", I guess it's proxmox software itself which does the changes automatically. I've tried rewriting with "=" but I still get the same result.

i meant the order of the ids and the mapping syntax. "=" vs ":" shouldn't be a problem

Also, I'm not sure if I could do nothing about uid remapping, since I don't find it necessary for my needs, at least according to this strategy for just one gid.
you can try something like this:
Code:
# we map 1 uid starting from uid 1005 onto 1005, so 1005 → 1005
lxc.idmap = u 1005 1005 1
lxc.idmap = g 1005 1005 1

make sure to edit /etc/subuid and /etc/subgid as well
 
i meant the order of the ids and the mapping syntax. "=" vs ":" shouldn't be a problem


you can try something like this:
Code:
# we map 1 uid starting from uid 1005 onto 1005, so 1005 → 1005
lxc.idmap = u 1005 1005 1
lxc.idmap = g 1005 1005 1

make sure to edit /etc/subuid and /etc/subgid as well

Surely there's some silly concept I'm misunderstanding, but I'm unable to find out what I'm doing wrong. In my specific case, I just need to preserve host gid 2120 to the same gid in the container. Do I need to remap *all* uids and gids? What is mandatory for /etc/subuid and /etc/subgid, and what's wrong in my case? Why won't the container start?
 
Do I need to remap *all* uids and gids?
no it's just an example

what's wrong in my case? Why won't the container start?
try doing it over, use my example from the last post (with single id 1005). with 'u' and 'g' entries

/etc/subuid and /etc/subgid should contain the entry for 1005
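The three-range mapping from the wiki example quoted earlier, and the subuid/subgid entries the last few posts ask about, generated for any single id as an added example; this is not code from the thread, the wiki or Proxmox. It assumes the default Proxmox range (CT 0..65535 onto host 100000..165535) and a kept id inside it. With 1005 it reproduces the wiki block line for line; with 2120 it gives the mapping for this thread's case. Root is always part of the output, which is the piece missing from the two-line config that produced "No uid mapping for container root".

```shell
#!/bin/sh
# Added example (not from the thread, the wiki, or Proxmox): generate the
# lxc.idmap block that keeps ONE id identical inside and outside an
# unprivileged CT, together with the /etc/subuid and /etc/subgid lines the
# mapping needs. Assumptions: the default Proxmox range (CT 0..65535 ->
# host 100000..165535) and a kept id inside that range.

BASE=100000
SIZE=65536

# emit_range CT_START HOST_START COUNT -> one u and one g line (none if COUNT is 0)
emit_range() {
    [ "$3" -gt 0 ] || return 0
    echo "lxc.idmap: u $1 $2 $3"
    echo "lxc.idmap: g $1 $2 $3"
}

# gen_idmap KEPT_ID -> the full mapping. Root (0) is always mapped: listing
# only the single id is what the "No uid mapping for container root" start
# failure is about.
gen_idmap() {
    id="$1"
    if [ "$id" -lt 0 ] || [ "$id" -ge "$SIZE" ]; then
        echo "gen_idmap: $id is outside 0..$((SIZE - 1))" >&2
        return 1
    fi
    emit_range 0 "$BASE" "$id"                                   # ids below: shifted
    emit_range "$id" "$id" 1                                     # the kept id: 1:1
    emit_range $((id + 1)) $((BASE + id + 1)) $((SIZE - id - 1)) # ids above: shifted
}

# gen_subid KEPT_ID -> lines for BOTH /etc/subuid and /etc/subgid: the default
# shifted range must stay, and the kept id is added as a range of length 1.
gen_subid() {
    echo "root:$BASE:$SIZE"
    echo "root:$1:1"
}

# Demo when run directly: the thread's gid 2120
gen_idmap 2120
gen_subid 2120
```

The two gen_subid lines belong in both /etc/subuid and /etc/subgid; the earlier attempt in this thread had only root:2120:1 in /etc/subgid, and newgidmap refuses any range that is not covered by that file. Whichever of the two approaches is used (kept id, or the plain shifted mapping with a chown on the host), the host directory then needs the host-side owner that results from the mapping.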
 
Ok. I think that it's the same using 1005 than 2120, so I've done this:

Code:
# grep lxc 120.conf
lxc.idmap: u 2120 2120 1
lxc.idmap: g 2120 2120 1

Code:
# cat subuid
root:2120:1
# cat subgid
root:2120:1

But now I get this error:
Code:
# lxc-start -F -n 120
lxc-start: 120: conf.c: chown_mapped_root: 2902 No uid mapping for container root
lxc-start: 120: terminal.c: lxc_terminal_map_ids: 1172 Failed to chown terminal "/dev/pts/19"
lxc-start: 120: start.c: lxc_init: 826 Failed to chown console
lxc-start: 120: start.c: __lxc_start: 1903 Failed to initialize container "120"
lxc-start: 120: tools/lxc_start.c: main: 308 The container failed to start

What's wrong here?
 
No luck with that method.

I've tried something different. I've just assigned at the host the user 100000 and the group 102120 to the shared dir and set permissions accordingly. It's been necessary to add both full uid and gid mappings in the config file, like this:
Code:
lxc.idmap: u 0 100000 65536
lxc.idmap: g 0 100000 65536

In the container, I've created a group (mountgid) with gid 2120 and assigned the app unprivileged user to the group. In the /etc/subgid, this line:
Code:
mountgid:2120:1

This method works for me. I hope it helps someone else.
 
glad it worked out! you can mark the thread as [SOLVED] so others with the same problem can expect a solution when they click :)
 
