[Tutorial] Mounting NFS share to an unprivileged LXC

Blast12345

Dec 21, 2023
This post was inspired by this guide created by @TheHellSite.

My goal is to set up a torrent LXC such that it would torrent an Ubuntu iso to an Unraid share.

It seems that there are many ways to approach this, but I struggled to find a guide that fit my needs. Having finally found a solution, I felt it appropriate to post my process in hopes that it helps others.

The Setup

Note: IP addresses, folder names, etc are just examples. Substitute as needed.
  • Proxmox is installed on Computer 1
    • Has the static IP 192.168.1.10
    • Contains a torrent LXC with an ID of 101
  • Unraid is installed on Computer 2
    • Has the static IP 192.168.1.20
    • Contains a share called downloads
    • The share allows NFS and has granted read/write permission to 192.168.1.10 (Computer 1)

Option 1

The goal can be accomplished by adding the NFS share to your Datacenter in Proxmox. You can then mount the new storage device to the torrent LXC, however the LXC must be privileged and have the NFS feature turned on.

While this does work, Proxmox will automatically create folders based on the Content types you enabled when adding the storage device. This may be reasonable in certain situations, but none of the content types fit my use-case. I attempted to delete the directories, but they would regenerate.

Additionally, the use of a privileged LXC seems to be undesirable.

With those issues in mind, I chose to explore other options.

Option 2

I followed the instructions posted by @TheHellSite in the above thread. I had no problems with the setup process, but I unfortunately experienced poor torrenting speeds.

I'm not intimately familiar with the implementation details of SMB/CIFS or torrents, but my rough understanding is that:
  • SMB is not very performant when dealing with many small files
  • Torrenting downloads many small chunks of the desired content in parallel

This could explain the poor performance, but that is just a guess. In any case, this option does not suit my needs.

Option 3 (my solution)

Having learned a lot from Option 2, I decided to attempt to mount an NFS share without the Proxmox GUI.
  1. Access your node's shell
    1. Proxmox > Your Node > Shell
  2. Create a mounting point for the share
    1. mkdir -p /mnt/computer2/downloads
  3. Edit fstab so that the share mounts automatically on reboot
    1. Open: nano /etc/fstab
    2. Add: 192.168.1.20:/mnt/user/downloads/ /mnt/computer2/downloads nfs defaults 0 0
    3. Save
  4. Mount the share
    1. Reload systemd: systemctl daemon-reload
    2. Mount shares: mount -a
  5. Add the mount point to your LXC
    1. Open: nano /etc/pve/lxc/101.conf
    2. Add: mp0: /mnt/computer2/downloads/,mp=/downloads
    3. Save
  6. Start the LXC
  7. Update the LXC user's permissions
    1. groupadd -g 10000 lxc_shares
      1. Note: I think you can use whatever group name you want as long as you use it again in the next step.
    2. usermod -aG lxc_shares root
      1. Note: Your username is probably root, but substitute for whatever user you want to configure permissions for.
    3. Reboot the LXC
    4. Verify permissions
      1. Create a file in your mountpoint: touch foobar
      2. Attempt to delete foobar from another machine.
      3. If successful, you should be done.
This seems to mount the NFS share without creating extra files and the download speeds are great. The Ubuntu iso torrent peaked at 85 MB/s. I am satisfied.

Closing

This goal provided me with a good learning opportunity and I'm appreciative of the vast amounts of community discussion on here, Reddit, blog posts, etc. I hope this post helps others as much as the other discussions helped me.

Also - I'm very new to Proxmox and, while I have some experience with Linux CLI, I'd hardly say that I'm experienced. If you find any issues in my solution, please let me know and I will try to make edits when appropriate.

Edits

  1. Added permission configuration to Option 3.
    1. Context: I deleted my torrent LXC after concluding a test, but forgot to delete the Ubuntu ISO first. I attempted to delete the file from my personal computer, but was unable to because of permission issues. I ended up needing to format the NAS (though fortunately nothing else was on it).
  2. Removed uid=100000,gid=110000 from the NFS configuration in Step 3.
    1. Context: uid and gid are not valid settings for NFS. So far as I can tell, this isn't really an issue. I speculate that it may be a pain if you want to manage the files directly from your node's shell, but I think you could just as easily create a user with the appropriate UID and GID.
 
Good morning,

I have a somewhat similar setup so I would like to apply your method.
How did you grant read/write permission on Unraid? Are you using a public, private or secure share? What rules did you add to Unraid?

Thank you in advance for your help.
 
Good question! Here is how I set it up (Unraid 6.12.6):
  1. Click on the Shares tab
  2. Select your share (e.g. downloads)
  3. Scroll to the NFS Security Settings
  4. Set Export to Yes
  5. Set Security to Private
  6. Add a rule that allows your node read/write access
    1. node_ip(sec=sys,rw)
    2. Ex: 192.168.1.254(sec=sys,rw)
-------------
P.S. I updated Option 3 Step 3 to address an incorrect configuration. I recommend taking a look.
 
Thanks this is well written and clear to follow - though I am facing issue at step 5/7.

I have successfully mounted my (Synology NAS) NFS share in the node itself, and have verified that I have read&write permissions to the NFS from there, so that's great.

I add the mounting point re step5 to the LXC and it shows up in the GUI.

But... beyond this I am facing issues.

If I try to ls or cd that folder from the container I get Permission denied:
Code:
root@TestCont:/# ls /mnt/nfs
ls: cannot open directory '/mnt/nfs': Permission denied
root@TestCont:/# cd /mnt/nfs
bash: cd: /mnt/nfs: Permission denied
 
OK it's permissions on the NAS - fixed
Out of interest, what permissions was it on the NAS that caused this for you? I'm having the same behaviour but as far as I can tell, the NFS share should have appropriate permissions to the IP of the container as well as the proxmox host.
 

Option 2

I followed the instructions posted by @TheHellSite in the above thread. I had no problems with the setup process, but I unfortunately experienced poor torrenting speeds.

I'm curious what type of speeds you were seeing? I chose SMB as my protocol of choice for a similar use-case and haven't noticed anything in particular for slowdowns, but my WAN is "only" 150Mbps so I'm probably not coming close to saturating what SMB is capable of
 
OK it's permissions on the NAS - fixed

Any info on this?

I'm getting permission denied on the LXC and everything seems to be fine on the host and the Synology NAS.

Looks like the mount wasn't assigned any user or group.
 
Out of interest, what permissions was it on the NAS that caused this for you? I'm having the same behaviour but as far as I can tell, the NFS share should have appropriate permissions to the IP of the container as well as the proxmox host.

Found it. The problem was the squash option in the NFS permissions for the Synology shared folder. I had to change it to "map all users to admin"
 
Thank you very much ! ;)

One question about the LXC permission update :
Do I need to run the groupadd command in the LXC shell, or the node shell?
I first ran the command in the node shell, then I deleted the group (with "groupdel"), and without re-adding it in the LXC shell, the share does work in the container! I don't understand...
:oops:
 
Sorry for my dumb question, but... I suppose that the LXC is unprivileged.
Ok,
Does this type of configuration have any type of implication, risk?
Thanks
 
Is it possible to get more detail about step 7? Details like where do you run those commands, in which directory, why lxc_shares?

What permissions have you set on your host for your NFS share to get this to work?

I personally skip the part of connecting an NFS share because I store my data directly on a folder in a hardware raid disk (don't know if it's like this it use to be call in English) and that one of the folder inside this disk I want to access in my LXC.
 
Sorry for my dumb question, but... I suppose that the LXC is unprivileged.
Ok,
Does this type of configuration have any type of implication, risk?
Thanks

That would be my question as well. From a security standpoint you should, as far as I understand, not use a privileged container:
The LXC team considers this kind of container as unsafe, and they will not consider new container escape exploits to be security issues worthy of a CVE and quick fix. That's why privileged containers should only be used in trusted environments. (Proxmox Wiki)
but using an unprivileged container with a network mount on the host is less unsafe?

| Privileged | Unprivileged |
| --- | --- |
| Unsafe by design | Safe by design |
| Network mount in container | Network mount on the host |
| Can be migrated to other host | Can not be migrated to other host |
| No permission issues between LXC and host | Possible permission issues between LXC and host |
| Snapshots possible while running | Snapshots impossible while running |

I think the more flexible option would be a privileged container, but you have to be ready to take the risks.
 
7. Update the LXC user's permissions
  1. groupadd -g 100000 lxc_shares
    1. Note: I think you can use whatever group name you want as long as you use again in the next step.
  2. usermod -aG lxc_shares root
    1. Note: Your username is probably root, but substitute for whatever user you want to configure permissions for.
  3. Reboot the LXC
  4. Verify permissions
    1. Create a file in your mountpoint: touch foobar
    2. Attempt to delete foobar from another machine.
    3. If successful, you should be done.

This part applies to the NFS server and the PVE host.

And the permission needs to be 100000:100000, the user/group ID of the LXC root user, at minimum.

Setting mod to 777, you can get around this to get started.

## To illustrate this:

### What the LXC sees

Bash:
#ls -an test
-rw-r--r-- 1 0 0 0 May 24 15:41 test

### What the NFS server and the PVE host sees

Bash:
#ls -an test
-rw-r--r-- 1 100000 100000 0 May 24 17:41 test


Great work on making the tutorial
 
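The uid/gid translation described in the post above (container root showing up as 100000:100000 on the NFS server and PVE host), as an added example that is not part of any post in this thread. It assumes the default Proxmox map for an unprivileged container (container ids 0..65535 mapped to host ids 100000..165535); the function names are hypothetical and every id and mode used is constructed.

```shell
#!/usr/bin/env bash
# Added example, not from the thread. All ids and modes below are constructed.
# Map lines are the four fields after "lxc.idmap:" in the container config:
# kind (u|g), first container id, first host id, count.
# Assumed default for an unprivileged container: 0..65535 -> 100000..165535.
DEFAULT_IDMAP='u 0 100000 65536
g 0 100000 65536'

# to_host KIND ID [MAP]: container id -> id the PVE host and NFS server see.
to_host() {
  local kind="$1" id="$2" map="${3:-$DEFAULT_IDMAP}" k c h n
  while read -r k c h n; do
    if [ "$k" = "$kind" ] && [ "$id" -ge "$c" ] && [ "$id" -lt $((c + n)) ]; then
      echo $((h + id - c)); return 0
    fi
  done <<EOF
$map
EOF
  return 1  # this id does not exist inside the container
}

# to_container KIND ID [MAP]: host id -> id shown inside the container.
# Host ids outside the map show up as the overflow id 65534 (nobody/nogroup).
to_container() {
  local kind="$1" id="$2" map="${3:-$DEFAULT_IDMAP}" k c h n
  while read -r k c h n; do
    if [ "$k" = "$kind" ] && [ "$id" -ge "$h" ] && [ "$id" -lt $((h + n)) ]; then
      echo $((c + id - h)); return 0
    fi
  done <<EOF
$map
EOF
  echo 65534
}

# can_write HOST_UID "HOST_GIDS" OWNER GROUP MODE: owner, then group, then
# other write bit, evaluated on host-side ids (what a sec=sys export checks).
can_write() {
  local uid="$1" gids="$2" owner="$3" group="$4" mode=$((0$5)) g
  if [ "$uid" -eq "$owner" ]; then [ $((mode & 0200)) -ne 0 ]; return; fi
  for g in $gids; do
    if [ "$g" -eq "$group" ]; then [ $((mode & 0020)) -ne 0 ]; return; fi
  done
  [ $((mode & 0002)) -ne 0 ]
}

# A group created with gid 10000 inside the container is gid 110000 outside it.
echo "container gid 10000 -> host gid $(to_host g 10000)"
```

For example, `can_write 100000 "100000 110000" 0 0 755` fails because container root matches neither the owner nor the group on the NAS and the mode has no world-write bit, while the same call with mode 777 succeeds only through the world-writable bit, which applies to every id on every client the export allows.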
Hello. I need a hand here.
I'm trying to do this with Transmission LXC.
Did everything in the first post and can see, create and delete files from lxc console.

However, when I point a download to the share location I get "Permission denied" in Transmission GUI.

SOLVED: Had to add debian-transmission user to group
 
Hi

I'm a noob to all of this.

I followed your Option 3 and everything went smoothly. However I have an issue where when I try to play a video file I get the attached error. I tried playing MP4 and MKV files.

Any help would be much appreciated.
 

Attachment: Jellyfin Error.png
Hi

I'm a noob to all of this.

I followed your Option 3 and everything went smoothly. However I have an issue where when I try to play a video file I get the attached error. I tried playing MP4 and MKV files.

Any help would be much appreciated.

This won't be related to this and is probably related to transcoding or other issues. Post your Jellyfin and transcode logs.
 
