[SOLVED] SMB Share in LXC Container: Permission denied on write

NoGeneric

New Member
Apr 13, 2021
Hi there,

I've got an SMB share from my NAS server for my data. My Jellyfin instance (hosted via docker inside LXC) should have read-/write-access to this SMB share.
The problem is: I always get permission denied issues in my LXC container. The Proxmox host can write inside the share, but not the LXC (and thus not the docker volume).

My relevant lines of the container configuration:
NGINX:
arch: amd64
features: nesting=1
mp0: /mnt/pve/mediashare-config,mp=/mnt/shares/config
ostype: ubuntu
unprivileged: 1

My UID/GID mappings:
Code:
# cat /etc/subuid
root:100000:65536

# cat /etc/subgid
root:100000:65536
I also have a local user with UID 101000 and GID 101000 as well as a UID and GID of 1000 in the LXC container (which uses Ubuntu 20.04). The share has been mounted using the CIFS option in the database storage tab in the Web interface.
Bash:
# on the Proxmox host system
drwxr-xr-x 5 root root 5 Apr 13 15:55 pve

# Inside the pve-directory (Proxmox host):
drwxr-xr-x 2 root root 0 Apr 13 16:49 mediashare-config

Is there a way to get this permission issue solved without turning the LXC into a privileged container (which would create problems with docker).
 
hi,

# Inside the pve-directory (Proxmox host): drwxr-xr-x 2 root root 0 Apr 13 16:49 mediashare-config
here for the mounted directory you should give UID 101000 permissions if you'd like to access it from the container

can you try:
Code:
chown -R 0:101000 /mnt/pve/mediashare-config
(allow GID 101000 access)

and check ls -aln output for it, both inside and outside the container

edit: fixed command chmod -> chown
 
hi,


here for the mounted directory you should give UID 101000 permissions if you'd like to access it from the container

can you try:
Code:
chmod -R 0:101000 /mnt/pve/mediashare-config
(allow GID 101000 access)

and check ls -aln output for it, both inside and outside the container
Ok. As the command you posted is not quite correct (invalid mode: ‘0:101000’), I tried it with the following two commands:
Bash:
chown -R :101000 /mnt/pve/mediashare-config
chmod -R g+rw /mnt/pve/mediashare-config

Sadly neither of them worked. The output looks the same as before:
Bash:
# Proxmox host (mediashare is the parent dataset of mediashare-config, but no longer shared via SMB, though it had been for testing purposes a few days ago)
drwxr-xr-x 5 0 0 5 Apr 13 15:55 .
drwxr-xr-x 6 0 0 6 Apr 13 14:39 ..
d????????? ? ? ? ?            ? mediashare
drwxr-xr-x 2 0 0 0 Apr 13 16:49 mediashare-config

# LXC container
drwxr-xr-x 4     0     0 4 Apr 13 13:52 .
drwxr-xr-x 3     0     0 3 Apr 13 13:13 ..
drwxr-xr-x 2 65534 65534 0 Apr 13 14:49 config
 
Ok. As the command you posted is not quite correct (invalid mode: ‘0:101000’), I tried it with the following two commands:
my mistake, thanks for noticing! (chown was meant)

mediashare is the parent dataset of mediashare-config, but no longer shared via SMB
can you see the contents of the files in mediashare-config directly? does setting the owner on SMB end or chowning the files not make any difference?

what is in your /etc/pve/storage.cfg file?
 
Yep, I can see the contents of mediashare-config (via ls). Inside the container, the permissions are the same as for the config directory (the reply from above). On the Proxmox host I can also see them (and create new files there, thus the host has write permissions, just not the LXC).
Chowning the files makes no difference. It always stays root and nobody in the container.

The contents of /etc/pve/storage.cfg (IP address replaced with xxx):
Code:
dir: local
        path /var/lib/vz
        content vztmpl,iso,backup
        prune-backups keep-last=2
        shared 0

zfspool: local-zfs
        pool rpool/data
        content rootdir,images
        sparse 1

cifs: mediashare-config
        path /mnt/pve/mediashare-config
        server xxx.xxx.xxx.xx
        share config
        content images
        domain WORKGROUP
        nodes pve
        prune-backups keep-all=1
        username jellyfin

Here are the settings from the TrueNAS SMB host (mostly the default ones):
data_pool_0 is the pool, media is a dataset (not shared, but has the same ACL and user, group settings as config) and config is the shared dataset.
smbsharedatasetsettings.png

And here the SMB settings from TrueNAS:
smbsharesettings.png

I also tested whether I have access on my own desktop and there it works fine (mounted via thunar). Thus only the container cannot write in the share. Proxmox itself and my Linux desktop can.
 
It always stays root and nobody in the container.

what does ls -aln say after the owner changes are done?

could you also test temporarily giving the share folder some relaxed permission like 777 and see if it works in this case? (just to make sure, and if this works we can be certain it's uid issue). then if this works you can try writing a file to the share from inside the container and then check the ls -aln output on the host again to see which uid creates the file.

also to remove the old mediashare mount you can use umount command e.g. umount /mnt/pve/mediashare and then the question marks in ls output should disappear (failed mount? or missing +x permission? is the share still there?)
 
what does ls -aln say after the owner changes are done?
The same as before.
Bash:
root@pve:/mnt/pve# ls -aln
total 1
drwxr-xr-x 4 0 0 4 Apr 15 23:11 .
drwxr-xr-x 6 0 0 6 Apr 13 14:39 ..
drwxr-xr-x 2 0 0 0 Apr 13 16:49 mediashare-config
root@pve:/mnt/pve# chown -R :101000 /mnt/pve/mediashare-config/
root@pve:/mnt/pve# ls -aln
total 1
drwxr-xr-x 4 0 0 4 Apr 15 23:11 .
drwxr-xr-x 6 0 0 6 Apr 13 14:39 ..
drwxr-xr-x 2 0 0 0 Apr 13 16:49 mediashare-config
root@pve:/mnt/pve#

could you also test temporarily giving the share folder some relaxed permission like 777 and see if it works in this case? (just to make sure, and if this works we can be certain it's uid issue).
Bash:
root@pve:/mnt/pve# ls -aln
total 1
drwxr-xr-x 4 0 0 4 Apr 15 23:11 .
drwxr-xr-x 6 0 0 6 Apr 13 14:39 ..
drwxr-xr-x 2 0 0 0 Apr 13 16:49 mediashare-config
root@pve:/mnt/pve# chmod -v 777 /mnt/pve/mediashare-config
mode of '/mnt/pve/mediashare-config' changed from 0755 (rwxr-xr-x) to 0777 (rwxrwxrwx)
root@pve:/mnt/pve# ls -aln
total 1
drwxr-xr-x 4 0 0 4 Apr 15 23:11 .
drwxr-xr-x 6 0 0 6 Apr 13 14:39 ..
drwxr-xr-x 2 0 0 0 Apr 13 16:49 mediashare-config
root@pve:/mnt/pve#
I seem not to be able to change the permissions of the share-mount-point in Proxmox. I also tried to remove and add the share again to change the permissions, but it still looked the exact same afterwards. However, I can change the permissions of other directories (non shares, but entirely local directories).
Giving the group (mediaserver) on TrueNAS read-write-execute permissions (via ACLs) is possible, but does not resolve the issue.

also to remove the old mediashare mount you can use umount command e.g. umount /mnt/pve/mediashare and then the question marks in ls output should disappear (failed mount? or missing +x permission? is the share still there?)
Ah, ok. Thx. And yes, that share does no longer exist.


EDIT:
I logged in with my other user (ID 10'1000) on the host and this user could not create new files in the share. Only the root user can.
 
thank you for the outputs.
I logged in with my other user (ID 10'1000) on the host and this user could not create new files in the share. Only the root user can.
then likely this is the cause of the issue. other users should be able to create files on the share for the unprivileged user to be able to write to it. once you fix the issue on the host it should also work on the container.

my guess is your cifs share is being mounted with uid and file_mode options? can you check the output from mount and cat /etc/fstab?
 
my guess is your cifs share is being mounted with uid and file_mode options? can you check the output from mount and cat /etc/fstab?
Yep, it's mounted with those options:
Bash:
root@pve:~# mount
# IP address replaced with xxx
//xxx.xxx.xxx.xx/config on /mnt/pve/mediashare-config type cifs (rw,relatime,vers=3.0,cache=strict,username=jellyfin,domain=WORKGROUP,uid=0,noforceuid,gid=0,noforcegid,addr=xxx.xxx.xxx.xx,file_mode=0755,dir_mode=0755,soft,nounix,serverino,mapposix,rsize=4194304,wsize=4194304,bsize=1048576,echo_interval=60,actimeo=1)


root@pve:~# cat /etc/fstab
# <file system> <mount point> <type> <options> <dump> <pass>
proc /proc proc defaults 0 0
While I removed all other drives from the mount output to keep it short, there is no mention of the share in fstab (probably because it's mounted under Datacenter -> Storage -> Add -> CIFS?).



EDIT: By removing it from Datacenter -> Storage -> Add -> CIFS and then adding it in the fstab file with the correct UID/GID settings, it works now. :)
Thx for the help.
 
I'm having a similar issue where my LXC container is not able to write to the mounted CIFS network drives, but I'm not as proficient with Proxmox or the CLI yet, so I'm trying to understand how to fix this. I have the same result when I prompt the mount command and they are also not in fstab. How can I fix this? Do I need to remove the drives from the datacenter as suggested? How do I add them back without losing all my mappings?


//XXX.XXX.XXX.XX/Library-Disk1 on /mnt/pve/NASext1 type cifs (rw,relatime,vers=3.1.1,cache=strict,username=moya,uid=0,noforceuid,gid=0,noforcegid,addr=XXX.XXX.XXX.XX,file_mode=0755,dir_mode=0755,soft,nounix,serverino,mapposix,rsize=4194304,wsize=4194304,bsize=1048576,echo_interval=60,actimeo=1)

Can I edit those existing entries in the datacenter with 777 permissions?
 
Would you mind helping out by explaining what you did step by step? Kind of lost and a noob here lol! Many thanks!
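
Added example, not part of any post in this thread: the mount output above shows uid=0, gid=0, dir_mode=0755 and nounix, which is why chown and chmod on the mount point had no effect and only host root could write. The script below evaluates those mount options for the host-side ID of a container user (base 100000 from /etc/subuid) and prints an fstab line mapped to that ID instead of opening the share to everyone. The credentials path /root/.smbcred, the 0660/0770 modes, container UID 1000 and the "after" option string are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): client-side write check for a CIFS mount.
# With "nounix", owner and mode come from the mount options, so chown/chmod on
# the mount point change nothing; only uid=, gid=, file_mode=, dir_mode= count.

# host_id BASE ID: host-side id of a container id (BASE from /etc/subuid).
host_id() { echo $(( $1 + $2 )); }

# opt_value OPTS KEY: value of KEY=... in a comma-separated mount option list.
opt_value() {
    printf '%s\n' "$1" | tr ',' '\n' | sed -n "s/^$2=//p" | head -n 1
}

# can_write OPTS UID GID: "yes" if UID:GID may create files in the share root.
# Server-side ACLs for the SMB user still apply on top of this.
can_write() {
    cw_uid=$(opt_value "$1" uid)
    cw_gid=$(opt_value "$1" gid)
    cw_mode=$(opt_value "$1" dir_mode)
    cw_mode=$(( 0${cw_mode#0} ))             # parse as octal
    if [ "$2" -eq 0 ]; then cw_bit=1         # host root bypasses mode bits
    elif [ "$2" -eq "$cw_uid" ]; then cw_bit=$(( cw_mode & 0200 ))
    elif [ "$3" -eq "$cw_gid" ]; then cw_bit=$(( cw_mode & 0020 ))
    else cw_bit=$(( cw_mode & 0002 )); fi
    if [ "$cw_bit" -ne 0 ]; then echo yes; else echo no; fi
}

# fstab_entry SHARE MOUNTPOINT UID GID CREDFILE: line with least-privilege ids.
fstab_entry() {
    printf '%s %s cifs credentials=%s,uid=%s,gid=%s,file_mode=0660,dir_mode=0770,_netdev 0 0\n' \
        "$1" "$2" "$5" "$3" "$4"
}

# Options as shown by "mount" in the thread (shortened).
OPTS_BEFORE='rw,relatime,vers=3.0,username=jellyfin,uid=0,noforceuid,gid=0,noforcegid,file_mode=0755,dir_mode=0755,nounix'
# Constructed: what the options look like once uid/gid point at the mapped id.
OPTS_AFTER='rw,vers=3.0,uid=101000,gid=101000,file_mode=0660,dir_mode=0770,nounix'

HUID=$(host_id 100000 1000)   # container uid 1000 -> host uid 101000
echo "host uid: $HUID"
echo "before:   $(can_write "$OPTS_BEFORE" "$HUID" "$HUID")"
echo "after:    $(can_write "$OPTS_AFTER" "$HUID" "$HUID")"
# /root/.smbcred is a hypothetical credentials file (username=/password= lines).
fstab_entry //xxx.xxx.xxx.xx/config /mnt/pve/mediashare-config "$HUID" "$HUID" /root/.smbcred
```

If the process inside the container runs as container root rather than UID 1000, pass 0 as the container ID so the entry uses host ID 100000.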
 