[SOLVED] Expose CIFS Share to LXC Container

begleysm
Jun 1, 2018
[SOLVED] See UPDATE #2 at the bottom



I'm having a bear of a time exposing a CIFS Network Share to an LXC Container.

I tried mounting it directly from within the LXC Container and AppArmor stopped this from happening.

I tried mounting it during the LXC startup using lxc.mount in the config pointing to an fstab that knows how to connect to the CIFS share.

I tried adding a "storage" element from the Proxmox web GUI but there is no option to create a "generic" storage. Everything is "OS Images" or "VZDumps" etc. So Proxmox creates a folder structure in there that I don't want.

I tried mounting the CIFS share on the host and then binding the directory to a directory on the Container.

The most recent thing I'm trying is to mount the CIFS share on the host and then to modify the LXC config to add a mount entry point. I'm attempting to follow this guide but so far, no joy. I just am noticing that my config file (/var/lib/lxc/10x/config) is getting overwritten and reset to defaults whenever I restart the container. https://gist.github.com/julianlam/07abef272136ea14a627

What is the right way to get RW access to a network location in an LXC Container?



UPDATE #1
I got the basic functionality to work by following the above guide but I had to add "lxc-mount" to the end of my config because it didn't previously exist. However, my config file is still getting reset when I restart my container.

UPDATE #2
I got it working. The correct config file to edit is "/etc/pve/lxc/10x.conf" NOT "/var/lib/lxc/10x/config". Also there is higher level syntax that is preferred over the base lxc syntax described in the github link above. This info can be found at (https://pve.proxmox.com/wiki/Linux_Container#_bind_mount_points). I added "mp0: /path/to/host/share,mp=/path/to/container/share" to the bottom of "/etc/pve/lxc/10x.conf" and it worked! Thanks to dietmar for the point in the right direction.

UPDATE #3
It looks like you need to have a "Privileged" container to be able to write to your network share. If the access you need is read-only then you can keep the container Unprivileged. You cannot change the Privilege of a container directly from the GUI. You can do this when restoring backups however. It should be fairly straight forward to convert an Unprivileged container into a Privileged container. However the reverse is not as simple. Privileged containers contain files that Unprivileged containers are not allowed to have. They will need to be deleted before restoring to an Unprivileged state. Check out this thread for more info: https://forum.proxmox.com/threads/convert-privileged-to-unprivileged-container.31066/



I've written a step by step guide on how to get Network Share access for a Proxmox Container. You can check it out here
https://steamforge.net/wiki/index.p...work_Share_in_a_Linux_Container_under_Proxmox
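The checks the thread converges on (share mounted on the host first, the mount point line in /etc/pve/lxc/<vmid>.conf rather than /var/lib/lxc/<vmid>/config, and read-only access when the container is unprivileged, as discussed in UPDATE #3 and the replies below) as an added shell example; this is not code from the thread or from Proxmox. It assumes CONF_DIR and MOUNTS can be pointed at constructed files so the checks can be tried without a live host.

```shell
#!/bin/sh
# Added example: plan a Proxmox bind mount of a host-mounted CIFS share into
# an LXC container and report what access the container can expect.
# Assumption: CONF_DIR and MOUNTS are overridable for offline testing.

CONF_DIR="${CONF_DIR:-/etc/pve/lxc}"   # where Proxmox keeps <vmid>.conf
MOUNTS="${MOUNTS:-/proc/mounts}"       # host mount table

# Succeeds only if $1 is the mount point of a cifs filesystem on the host.
# Mounting the share on the host is the prerequisite the thread arrived at.
share_mounted() {
    awk -v mp="$1" '$2 == mp && $3 == "cifs" { found = 1 } END { exit !found }' "$MOUNTS"
}

# Print the mpN line to add to the container config.
# Usage: plan_bind_mount <vmid> <host_path> <container_path>
plan_bind_mount() {
    vmid=$1; host_path=$2; ct_path=$3
    conf="$CONF_DIR/$vmid.conf"
    [ -f "$conf" ] || { echo "no config at $conf" >&2; return 1; }
    share_mounted "$host_path" || {
        echo "$host_path is not a mounted cifs share on the host" >&2; return 1; }
    # next free mpN index so an existing mp0 is not overwritten
    n=$(grep -c '^mp[0-9]*:' "$conf" || true)
    echo "mp$n: $host_path,mp=$ct_path"
}

# "ro" when the container is unprivileged (writes to the share are denied,
# per UPDATE #3), "rw" for a privileged container.
expected_access() {
    conf="$CONF_DIR/$1.conf"
    if grep -q '^unprivileged: 1' "$conf"; then echo ro; else echo rw; fi
}
```

Apply the printed line with `pct set <vmid> -mp<N> "<host_path>,mp=<container_path>"` or append it to the .conf as the post does; the container must be restarted for the mount to appear.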
 
I got it working. The correct config file to edit is "/etc/pve/lxc/10x.conf" NOT "/var/lib/lxc/10x/config". Also there is higher level syntax that is preferred over the base lxc syntax described in the github link above. This info can be found at (https://pve.proxmox.com/wiki/Linux_Container#_bind_mount_points). I added "mp0: /path/to/host/share,mp=/path/to/container/share" to the bottom of "/etc/pve/lxc/10x.conf" and it worked! Thanks to dietmar for the point in the right direction.

THANK YOU for posting this. I have been having a similar "bear" of a time trying to mount a TKL File Server container share in a TKL Syncthing container. I have read that Proxmox bind mount page about a dozen times, and it never dawned on me that I needed to mount the share to the PVE host prior to mounting it in my TKL Syncthing container. After reading "mp0: /path/to/host/share,mp=/path/to/container/share" the lights came on! Thanks for sharing!
Hi guys, I hope you're well.

This post helped me mount my container and it works well for Plex, which has read access. However my Unifi Video container that I want to write to does not work: while I have the bind mount in place I can't write to the SMB share in the container (access denied) but can do so from in the Proxmox container.

Have either of you come across this at all?

Regards
Paul
 
I haven't had a write problem. I'm wondering, is your container an "Unprivileged Container"? You can check by looking at the "Options" for your container. If it is set to "Yes" try changing it to "No" and see if that helps.

Another thought: In your container, can you write as root or with sudo?
 
Hi Begleysm,

This does work - thank you. I amended the config file to 0 and now I can create files in the FreeNAS share.

However, reading your link on Proxmox support, this was the option that was apparently not secure, which is why I created the mount instead. I guess if I give the container priv access then I just mount directly from the container and not with the bind mount, do you think?

I actually spun up a VM, and needed to use sudo so I can write, but without it I can't, even when using sudo in the container if it's unprivileged.

Regards
Paul
 
I am *far* from a Proxmox expert. But I *think* that...

  • No "secure" (& Unprivileged) container will be able to write to a network share and that not being able to write to a network share is part of what makes it "secure".
  • I don't think that a Privileged container is really "insecure" or that being able to write to a network share is "insecure"... it's just that being able to write to another computer is a way things could get mucked up and if you don't need to do that, then you should run the container as Unprivileged to increase security. If you need to be able to write to network shares then I believe this is the right way to do it
  • I don't think you can mount directly from the container even if it is Privileged so I think you'll have to use a Privileged container AND mount the share on the host AND set up a bind from host folder to container folder.
Thanks for testing this. I'll amend the original post and my HOWTO to indicate that you'll need a Privileged container to write to the network share. I think I had turned on "Privileged" earlier on my experimentation and not realized it was required for writing since it was already on.
 
I don't think that a Privileged container is really "insecure" or that being able to write to a network share is "insecure"... it's just that being able to write to another computer is a way things could get mucked up and if you don't need to do that, then you should run the container as Unprivileged to increase security. If you need to be able to write to network shares then I believe this is the right way to do it


Please, be open-minded ;)

https://linuxcontainers.org/lxc/security/
"LXC upstream's position is that those containers aren't and cannot be root-safe.
They are still valuable in an environment where you are running trusted workloads or where no untrusted task is running as root in the container.
We are aware of a number of exploits which will let you escape such containers and get full root privileges on the host. Some of those exploits can be trivially blocked and so we do update our different policies once made aware of them. Some others aren't blockable as they would require blocking so many core features that the average container would become completely unusable."