[Tutorial] Mounting NFS share to an unprivileged LXC

Hi everyone. I'm quite new to Proxmox and maybe need some advice.
Mounting itself works fine with the tutorial, but no matter what I try, I get some permission errors when handing over the NFS shares to the LXC.
My mount options in OpenMediaVault contain anongid=101000,anonuid=101000, as I have a user inside the LXC with uid=1000(myuser) gid=1000(myuser).

Checking the mounted folder and its content with ls -ld gives me the information that the folder is owned by user nobody and user nogroup.

Maybe someone can give me a hint what I may have missed.

Thanks :)
 
My situation is somewhat similar, but not sure if related.

I am trying to map Synology NAS to unprivileged LXC to use with Jellyfin. Mapping on NODE works fine, I have all the permissions and full access:

Code:
root@pve:~# ls -l /mnt
total 32
drwxrwxrwx 7 1005 1005 4096 Aug 19 23:22 nfs_nas_data
drwxrwxrwx 7 1005 1005 4096 Aug 21 14:22 nfs_nas_downloads
drwxrwxrwx 7 1005 1005 4096 Aug 20 19:35 nfs_nas_media

Unfortunately, on LXC things go wrong:

Code:
root@jellyfin:~# ls -l /mnt
total 24
d--------- 7 nobody nogroup 4096 Aug 19 20:22 data
d--------- 7 nobody nogroup 4096 Aug 21 11:22 downloads
d--------- 7 nobody nogroup 4096 Aug 20 16:35 media

I think all this Unprivileged_LXC_containers and this Understanding LXC UID Mappings mess is at fault and I cannot wrap my head around it for the second day. I am thinking about just dropping the unprivileged LXC idea and going to privileged. It is a home setup after all.

I am sure some very important step is missing in this tutorial, but I do not know what.
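
Added example (not part of any post in this thread, and not Proxmox's own code): the ID translation an unprivileged container applies to file owners, assuming the Proxmox default map of container IDs 0-65535 onto host IDs 100000-165535. The function names and the embedded map are illustrative; it shows why a host-side owner such as 1005 is displayed as nobody inside the container, and which host ID corresponds to container uid 1000.

```shell
#!/bin/sh
# Constructed sample: the default ID map of an unprivileged container,
# in lxc.idmap form: <type> <first id in container> <first id on host> <count>
# A container with custom lxc.idmap lines in its config would differ.
IDMAP='u 0 100000 65536
g 0 100000 65536'

OVERFLOW_ID=65534   # kernel overflow id, displayed as nobody/nogroup

# host_to_ct TYPE HOST_ID: the id the container sees for a host-side owner.
# Host ids outside every mapped range come back as the overflow id.
host_to_ct() {
    result=$OVERFLOW_ID
    while read -r kind ct_start host_start count; do
        [ "$kind" = "$1" ] || continue
        if [ "$2" -ge "$host_start" ] && [ "$2" -lt $((host_start + count)) ]; then
            result=$(( $2 - host_start + ct_start ))
        fi
    done <<EOF
$IDMAP
EOF
    echo "$result"
}

# ct_to_host TYPE CT_ID: the host-side id that a container id corresponds to.
# Prints nothing and returns non-zero when the container id is unmapped.
ct_to_host() {
    result=
    while read -r kind ct_start host_start count; do
        [ "$kind" = "$1" ] || continue
        if [ "$2" -ge "$ct_start" ] && [ "$2" -lt $((ct_start + count)) ]; then
            result=$(( $2 - ct_start + host_start ))
        fi
    done <<EOF
$IDMAP
EOF
    [ -n "$result" ] && echo "$result"
}

# Values taken from the posts above.
echo "host uid 1005 (owner seen on the node) -> container uid $(host_to_ct u 1005)"
echo "host uid 101000 (anonuid from the first post) -> container uid $(host_to_ct u 101000)"
echo "container uid 1000 (myuser) -> host uid $(ct_to_host u 1000)"
```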
 
After some trial and error, I realized that the ownership problem of the folder is less important for me. I'm running Syncthing in the LXC, and as it is able to write to the share and I have no rights problems on other machines, I stopped looking deeper into this problem. Maybe it works because the folders inside the mount that I sync to have the proper rights attached to them.

Sorry that I cannot provide any help :confused:
 
Very cool but only problem is you can't take snapshots of the lxcs because of the mounts unfortunately.
Hello, does anybody know the reason why this setup hinders snapshotting functionality?
I would love to have a) unprivileged CT with b) NFS share bind-mounted from the host and c) snapshot functionality for daily CT backups to PBS :)
So far it seems like keep dreaming...
Thanks in advance for any kind of hint or explanation.
 
AFAIK the short of it is:
  1. bind mounts don't make assumptions or expose many details about the underlying storage, they're treated as POSIX compatible file system mounts, nothing more
  2. in order to snapshot in an LXC, Proxmox has to be sure that the entire filesystem can be snapshotted (i.e. it's an LVM, btrfs, etc.)
  3. because of 1, there are no interfaces for the bind mount to let Proxmox know "hey, I'm snapshot compatible, go ahead!", and it's not good to do a mystery "partial snapshot", since you could revert the snapshot but the bind mounts are still in whatever state they're in, and suddenly you have a state that isn't exactly when you made the snapshot.
So, stick with backup strategies that stop the container, back it up, then restore the system. Those don't require the underlying storage to support snapshots, and make no promises about the state of bind mounts.
 
I was getting a 'Permission Denied' error in the LXC containers.
The solution was to add 'all_squash' to the NFS share configuration on the NAS.
 
My setup idea involves creating a user group that will be used for grouping users across all systems utilizing the NFS resource.

OpenMediaVault (OMV) Configuration

  1. Create a Group in OMV (e.g., gnas)
    Navigate to: OMV -> Users -> Groups -> Create -> Name: gnas
  2. Ensure the Group gnas Has the Desired gid
    • Log in to the OMV terminal in Proxmox.
    • Set the gid, e.g., 1001:
      groupmod -g 1001 gnas
    • Verify using:
      cat /etc/group | grep gnas
  3. Override the gid on the Server by Setting Extra Options
    Navigate to: OMV -> Services -> NFS -> Shares -> Edit -> Extra options
    • Add the following:
      all_squash,anongid=1001
    • The complete entry should look like:
      subtree_check,insecure,all_squash,anongid=1001
  4. Set Permissions
    Navigate to: OMV -> Storage -> Shared Folders -> Permissions -> gnas -> Read/Write
  5. Set Access Control
    Navigate to: OMV -> Storage -> Shared Folders -> Access Control List
    • Under File Owner and Group, set Group: gnas.
    • Under File Access Control Lists, set gnas to Read/Write.

Local Machine Configuration

  1. Create the Group gnas on Your Machine
    • Use your terminal to create the group gnas with the same gid 1001:
      groupadd -g 1001 gnas
  2. Add the Group to Your User
    • Add the group to your user:
      usermod -aG gnas <your-username>
    • Verify the group was added:
      groups <your-username>
  3. Mount the NFS Resource
    sudo mount -t nfs4 -o nfsvers=4.2 <your-ip>:/nasnfs ~/nas
    • Here, nasnfs is the name of the NFS resource, and ~/nas is the mount directory.
  4. Test File Creation with Group gnas
    • Create a test file:
      touch ~/nas/from_laptop
    • Check the file:
      ls -la ~/nas
      The file should be created by some user, but most importantly, it should belong to the group gnas.

Proxmox Server Configuration

  1. Create the Group gnas on Proxmox
    • On the Proxmox node terminal, create the group gnas with the same gid 1001:
      groupadd -g 1001 gnas
  2. Add the Group to the root User
    • Add the group to the root user:
      usermod -aG gnas root
    • Verify the group was added:
      groups root
  3. Mount the NFS Resource
    sudo mount -t nfs4 -o nfsvers=4.2 <your-ip>:/nasnfs /nas
    • Here, nasnfs is the name of the NFS resource, and /nas is the mount directory.
  4. Test File Creation with Group gnas
    • Create a test file:
      touch /nas/from_proxmox
    • Check the file:
      ls -la /nas
      The file should be created by some user, but most importantly, it should belong to the group gnas.

LXC Container Configuration

  1. Set up the Mount Point in the LXC Container
    • On the Proxmox terminal, set up the mount point using the command:
      pct set <lxc-container-id> -mp0 /nas,mp=/mnt/nasnfs
      • Here, /nas is the NFS resource directory mounted on Proxmox, and /mnt/nasnfs is the directory in the LXC container.
  2. Restart the LXC Container
  3. Create the Group gnas Inside the LXC Container
    • Log into the LXC container terminal and create the group gnas with the same gid 1001:
      groupadd -g 1001 gnas
  4. Add the Group to the User in the LXC Container
    • Add the group to a user (in this example, the root user):
      usermod -aG gnas root
  5. Test File Creation with Group gnas
    • Create a test file:
      touch /mnt/nasnfs/from_lxc
    • Check the file:
      ls -la /mnt/nasnfs
      The file should be created by some user, but most importantly, it should belong to the group gnas.
 
Found it. The problem was the squash option in the NFS permissions for the Synology shared folder. I had to change it to "map all users to admin"
Thank you for the follow-up. This was the final piece for me to have my Synology NAS going into calibre-web in an LXC.
 
