Trouble with LXC mount point permissions

[xmready]

I created an unprivileged container with the number 101. I mounted a single disk ZFS pool from the host by adding an mp0: line to the /etc/pve/lxc/101.conf file. I noticed the container does not have write permissions to this mount point. After reading the Unprivileged LXC containers wiki page, it seems I need to add UID mapping in the LXC config file. I created a user with UID 1000 on both the host and CT, added a mapping to the config file, updated the subuid & subgid files, and changed the owner of the mountpoint on the host to be UID 1000. I assumed that this would give write permission to UID 1000 in the CT. Now the CT won't even start up.

Contents of /etc/pve/lxc/101.conf

arch: amd64
cores: 6
features: nesting=1
hostname: PlexServer
memory: 4096
mp0: /storage/plex,mp=/mnt/plex
net0: name=eth0,bridge=vmbr0,firewall=1,gw=192.168.1.1,hwaddr=CA:FB:D2:FD:F0:C6,ip=192.168.1.80/24,type=veth
ostype: ubuntu
rootfs: local-lvm:vm-101-disk-0,size=20G
swap: 4096
unprivileged: 1
lxc.idmap = u 1000 1000 1
lxc.idmap = g 1000 1000 1

Contents of /etc/subuid

root:100000:65536
user1:165536:65536
root:1000:1

Contents of /etc/subgid

root:100000:65536
user1:165536:65536
root:1000:1

Command used to change host directory ownership

chown -R 1000:1000 /storage/plex

Output from ProxMox VE log

cgfsng_chown: 1353 No such file or directory - Error requesting cgroup chown in new user namespace
__lxc_start: 2068 Failed to spawn container "101"
TASK ERROR: startup for container '101' failed

 

[xmready]

Hello? Not a single reply?

 

[dcsapak]

Hello? Not a single reply?

please do not bump your posts without any new information....
instead you could post e.g. debug logs from the failing start (described in this chapter of the docs: https://pve.proxmox.com/wiki/Linux_...ers_with_tt_span_class_monospaced_pct_span_tt )

also please show the permissions from the host and guest side (e.g. with ls -l )

anyway it seems you did not map the rest of the range to the >100000 range

 

[xmready]

please do not bump your posts without any new information....
instead you could post e.g. debug logs from the failing start (described in this chapter of the docs: https://pve.proxmox.com/wiki/Linux_...ers_with_tt_span_class_monospaced_pct_span_tt )

also please show the permissions from the host and guest side (e.g. with ls -l )

anyway it seems you did not map the rest of the range to the >100000 range

Here are are the permissions for the CT

root@PlexServer:~# ls -lhn /mnt/
total 512
drwxr-xr-x 4 65534 65534 4 Dec 15 06:39 plex

Here are the permissions for the host

root@proxmox1:~# ls -lhn /storage/
total 512
drwxr-xr-x 4 1000 1000 4 Dec 14 22:39 plex

I thought the documentation said that the >100000 range of ids was already mapped starting with id 0 when you create a new unprivileged CT. If i'm misunderstanding, can you provide clarity on why I can't just map the id that I need to have permission? Or at least point me to the docs that provide such clarity?

 

[valorad]

I find that you need to configure all the ID mappings in /etc/pve/lxc/101.conf, like the way they do in the documentation, not just the 1000 idmap.

Here's my working setup.

Host: /etc/pve/lxc/112.conf

arch: amd64
cores: 1
features: nesting=1
hostname: alpine-3-15
memory: 512
mp0: /workspace/downloadCenter,mp=/workspace/downloadCenter
net0: name=eth0,bridge=vmbr1,firewall=1,gw=10.10.10.1,hwaddr=F2:B0:61:14:3E:4F,ip=10.10.10.10/24,type=veth
ostype: alpine
rootfs: local-btrfs:112/vm-112-disk-0.raw,size=8G
swap: 512
unprivileged: 1
lxc.idmap: u 0 100000 1000
lxc.idmap: g 0 100000 1000
lxc.idmap: u 1000 1000 1
lxc.idmap: g 1000 1000 1
lxc.idmap: u 1001 101001 64530
lxc.idmap: g 1001 101001 64530

Host: /etc/subuid

root:100000:65536
valorad:165536:65536
root:1000:1

Host: /etc/subgid

root:100000:65536
valorad:165536:65536
root:1000:1

Then in the container, I get:

alpine-3-15:/workspace/downloadCenter# ls -lhn
total 0     
-rw-r--r--    1 1000     1000           0 Jan  1 19:53 dlctr.exe