Trouble with LXC mount point permissions

xmready
Dec 15, 2021
I created an unprivileged container with the number 101. I mounted a single disk ZFS pool from the host by adding an mp0: line to the /etc/pve/lxc/101.conf file. I noticed the container does not have write permissions to this mount point. After reading the Unprivileged LXC containers wiki page, it seems I need to add UID mapping in the LXC config file. I created a user with UID 1000 on both the host and CT, added a mapping to the config file, updated the subuid & subgid files, and changed the owner of the mountpoint on the host to be UID 1000. I assumed that this would give write permission to UID 1000 in the CT. Now the CT won't even start up.

Contents of /etc/pve/lxc/101.conf
Code:
arch: amd64
cores: 6
features: nesting=1
hostname: PlexServer
memory: 4096
mp0: /storage/plex,mp=/mnt/plex
net0: name=eth0,bridge=vmbr0,firewall=1,gw=192.168.1.1,hwaddr=CA:FB:D2:FD:F0:C6,ip=192.168.1.80/24,type=veth
ostype: ubuntu
rootfs: local-lvm:vm-101-disk-0,size=20G
swap: 4096
unprivileged: 1
lxc.idmap = u 1000 1000 1
lxc.idmap = g 1000 1000 1

Contents of /etc/subuid
Code:
root:100000:65536
user1:165536:65536
root:1000:1

Contents of /etc/subgid
Code:
root:100000:65536
user1:165536:65536
root:1000:1

Command used to change host directory ownership
Code:
chown -R 1000:1000 /storage/plex

Output from ProxMox VE log
Code:
cgfsng_chown: 1353 No such file or directory - Error requesting cgroup chown in new user namespace
__lxc_start: 2068 Failed to spawn container "101"
TASK ERROR: startup for container '101' failed
 
Please do not bump your posts without any new information...
Instead you could post e.g. debug logs from the failing start (described in this chapter of the docs: https://pve.proxmox.com/wiki/Linux_...ers_with_tt_span_class_monospaced_pct_span_tt )

Also please show the permissions from the host and guest side (e.g. with ls -l).

Anyway, it seems you did not map the rest of the range to the >100000 range.
Here are the permissions for the CT
Code:
root@PlexServer:~# ls -lhn /mnt/
total 512
drwxr-xr-x 4 65534 65534 4 Dec 15 06:39 plex
Here are the permissions for the host
Code:
root@proxmox1:~# ls -lhn /storage/
total 512
drwxr-xr-x 4 1000 1000 4 Dec 14 22:39 plex
I thought the documentation said that the >100000 range of IDs was already mapped starting with ID 0 when you create a new unprivileged CT. If I'm misunderstanding, can you provide clarity on why I can't just map the ID that I need to have permission? Or at least point me to the docs that provide such clarity?
 
I find that you need to configure all the ID mappings in /etc/pve/lxc/101.conf, like the way they do in the documentation, not just the 1000 idmap.

Here's my working setup.

Host: /etc/pve/lxc/112.conf
Code:
arch: amd64
cores: 1
features: nesting=1
hostname: alpine-3-15
memory: 512
mp0: /workspace/downloadCenter,mp=/workspace/downloadCenter
net0: name=eth0,bridge=vmbr1,firewall=1,gw=10.10.10.1,hwaddr=F2:B0:61:14:3E:4F,ip=10.10.10.10/24,type=veth
ostype: alpine
rootfs: local-btrfs:112/vm-112-disk-0.raw,size=8G
swap: 512
unprivileged: 1
lxc.idmap: u 0 100000 1000
lxc.idmap: g 0 100000 1000
lxc.idmap: u 1000 1000 1
lxc.idmap: g 1000 1000 1
lxc.idmap: u 1001 101001 64530
lxc.idmap: g 1001 101001 64530


Host: /etc/subuid
Code:
root:100000:65536
valorad:165536:65536
root:1000:1

Host: /etc/subgid
Code:
root:100000:65536
valorad:165536:65536
root:1000:1

Then in the container, I get:
Code:
alpine-3-15:/workspace/downloadCenter# ls -lhn
total 0
-rw-r--r--    1 1000     1000           0 Jan  1 19:53 dlctr.exe
 
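The mapping in the post above follows a fixed pattern: container IDs below the one you want to pass through go to the 100000+ range, the one ID maps to itself, and the rest of the range goes to 100000+ again, with every host-side range also present in /etc/subuid and /etc/subgid for root. The script below is an added example (not from the thread and not Proxmox code) that generates that block for any single ID in the pve `lxc.idmap:` syntax and checks a config for the two mistakes that stop a CT from starting: a gap or overlap on the container side, and a host range that no subuid/subgid line allocates. It assumes the `root:100000:65536` allocation shown in the thread; the function names, HOST_BASE and RANGE are the example's own.

```shell
#!/bin/sh
# Added example (not from the thread or from Proxmox): emit the full lxc.idmap block that
# maps one container UID/GID onto the same ID on the host while keeping every other ID
# inside the unprivileged range, then check the result for gaps and against /etc/subuid.
# Assumption: container IDs 0..65535 land on host IDs 100000..165535, i.e. the
# "root:100000:65536" allocation shown in the thread.

HOST_BASE=100000
RANGE=65536

# gen_idmap ID: print six "lxc.idmap:" lines (u and g) for /etc/pve/lxc/CTID.conf that map
# container ID -> host ID and leave 0..ID-1 and ID+1..65535 on the 100000+ range.
gen_idmap() {
    id=$1
    if [ "$id" -lt 1 ] || [ "$id" -gt $((RANGE - 2)) ]; then
        echo "gen_idmap: ID must be between 1 and $((RANGE - 2))" >&2
        return 1
    fi
    rest_start=$((id + 1))
    rest_count=$((RANGE - id - 1))
    for t in u g; do
        printf 'lxc.idmap: %s 0 %d %d\n' "$t" "$HOST_BASE" "$id"
        printf 'lxc.idmap: %s %d %d 1\n' "$t" "$id" "$id"
        printf 'lxc.idmap: %s %d %d %d\n' "$t" "$rest_start" "$((HOST_BASE + rest_start))" "$rest_count"
    done
}

# idmap_contiguous: read lxc.idmap lines on stdin; succeed only if, for both u and g, the
# container-side ranges cover 0..RANGE-1 with no gap or overlap. A config whose last count
# stops short (e.g. 64530 where 64535 is needed) leaves a tail of IDs unmapped and fails here.
idmap_contiguous() {
    input=$(cat)
    for t in u g; do
        printf '%s\n' "$input" | grep "^lxc.idmap: $t " | sort -k3,3n |
            awk -v range="$RANGE" 'BEGIN { next_c = 0 }
                { if ($3 != next_c) bad = 1; next_c = $3 + $5 }
                END { exit (bad || next_c != range) }' || return 1
    done
}

# subid_covers SUBID_TEXT USER START COUNT: succeed if some "USER:base:len" line in the
# given /etc/subuid or /etc/subgid text contains host IDs START..START+COUNT-1. Every host
# range on the right-hand side of an idmap line must pass this for USER=root, or the
# container will not start.
subid_covers() {
    printf '%s\n' "$1" | awk -F: -v user="$2" -v start="$3" -v count="$4" '
        $1 == user && start >= $2 && start + count <= $2 + $3 { found = 1 }
        END { exit !found }'
}

# check_idmap SUBUID_TEXT SUBGID_TEXT: read idmap lines on stdin and verify both the
# contiguity of the container side and the subuid/subgid coverage of the host side.
check_idmap() {
    input=$(cat)
    printf '%s\n' "$input" | idmap_contiguous || { echo "container-side ranges have a gap or overlap" >&2; return 1; }
    printf '%s\n' "$input" | while read -r _key t _cstart hstart count; do
        case "$t" in
            u) text=$1 ;;
            g) text=$2 ;;
            *) continue ;;
        esac
        subid_covers "$text" root "$hstart" "$count" || { echo "host range $t $hstart+$count not allocated to root in sub${t}id" >&2; exit 1; }
    done
}

# Demonstration for the thread's case: map container UID/GID 1000 to host 1000, using the
# /etc/subuid and /etc/subgid contents from the thread (identical files, so reused).
SUBUID='root:100000:65536
user1:165536:65536
root:1000:1'
gen_idmap 1000
if gen_idmap 1000 | check_idmap "$SUBUID" "$SUBUID"; then
    echo "idmap OK"
else
    echo "idmap has a problem"
fi
```

The check is deliberately strict about covering all 65536 IDs, because that is what the subuid allocation grants; if the generated lines and the subuid/subgid files pass `check_idmap`, the remaining step is `chown 1000:1000` on the host directory, exactly as in the thread.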
A bit tangential, but since I ended up here trying to debug unprivileged bind mounts: one critical piece of information I didn't initially realize when setting up Proxmox and wanting to share bind mounts from host to containers was that you can't change mount options for a filesystem that's mounted anywhere in the system, including containers.

Funny thing about Linux utils and namespaces is that after unmounting a filesystem on the Proxmox host it might look like it got unmounted (it disappeared from the mount list, lsof or fuser shows nothing, etc.), but if it's mounted in a container (e.g. grep sda1 /proc/*/mounts) from the kernel's perspective the fs is still mounted. So, if you try mounting the "unmounted" filesystem on the Proxmox host with different options (like uid, fmask etc.), it'll look like it's remounting (it makes the relevant syscalls with the new options etc.), but in the end the old mount just reappears with the old options, looking almost as if the old options were hardcoded in the driver.

The only way around this AFAIK is that the admin either needs to visit each container to unmount it, or stop all those containers and then remount with new options, or reboot the Proxmox host every time you want to change mount options on a shared filesystem.
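The `grep sda1 /proc/*/mounts` check from the comment above, turned into a small script as an added example (not from the thread): it lists which processes still have the device mounted in their own mount namespace, so the admin knows which containers to stop before remounting with new options. The parser is separated from the live lookup so it can be run on a constructed dump; the function names and the sample PIDs/mount lines are the example's own.

```shell
#!/bin/sh
# Added example (not from the thread): find which processes still hold a filesystem mounted
# in their own mount namespace, which is what keeps a device "mounted" from the kernel's
# point of view after it was unmounted on the Proxmox host.

# holders_from_dump DEVICE: read lines of the form that grep produces over /proc/*/mounts,
#   /proc/PID/mounts:<source> <mountpoint> <fstype> <options> 0 0
# on stdin and print "PID MOUNTPOINT OPTIONS" for each process that has DEVICE mounted.
# /proc/self and /proc/thread-self are skipped; a PID/mountpoint pair is printed once.
holders_from_dump() {
    awk -v dev="$1" '
        {
            p = index($0, ":")
            if (p == 0) next
            pid = substr($0, 1, p - 1)
            sub(/^\/proc\//, "", pid); sub(/\/mounts$/, "", pid)
            if (pid !~ /^[0-9]+$/) next
            n = split(substr($0, p + 1), f, " ")
            if (n < 4 || f[1] != dev) next
            if ((pid, f[2]) in seen) next
            seen[pid, f[2]] = 1
            print pid, f[2], f[4]
        }'
}

# live_mount_holders DEVICE: run the check against the real /proc on the host. grep -s hides
# errors from processes that exit while grep is walking /proc.
live_mount_holders() {
    grep -s "^$1 " /proc/[0-9]*/mounts | holders_from_dump "$1"
}

# Constructed sample (not real output): the host (PID 1) no longer lists /dev/sda1, but two
# processes inside a container still see it mounted at /mnt/plex with the old uid=/gid= options.
SAMPLE_DUMP='/proc/1/mounts:/dev/sdb1 / ext4 rw,relatime 0 0
/proc/4321/mounts:/dev/sda1 /mnt/plex vfat rw,relatime,uid=65534,gid=65534 0 0
/proc/4322/mounts:/dev/sda1 /mnt/plex vfat rw,relatime,uid=65534,gid=65534 0 0
/proc/self/mounts:/dev/sdb1 / ext4 rw,relatime 0 0'

printf '%s\n' "$SAMPLE_DUMP" | holders_from_dump /dev/sda1
```

If `live_mount_holders /dev/sda1` prints anything after the host-side `umount`, the filesystem is still pinned by those processes, and a remount with new options on the host will silently keep the old ones, exactly as the comment describes; the printed PIDs are the processes (and therefore the containers) that have to release the mount first.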