[Tutorial] Mounting NFS share to an unprivileged LXC

Hi everyone. I'm quite new to Proxmox and maybe need some advice.
Mounting itself works fine with the tutorial, but no matter what I try, I get some permission errors when handing over the NFS shares to the LXC.
My mount options in OpenMediaVault contain anongid=101000,anonuid=101000, as I have a user inside the LXC with uid=1000(myuser) gid=1000(myuser).

Checking the mounted folder and its content with ls -ld gives me the information that the folder is owned by user nobody and user nogroup.

Maybe someone can give me a hint what I may have missed.

Thanks :)
 
My situation is somewhat similar, but not sure if related.

I am trying to map Synology NAS to unprivileged LXC to use with Jellyfin. Mapping on NODE works fine, I have all the permissions and full access:

Code:
root@pve:~# ls -l /mnt
total 32
drwxrwxrwx 7 1005 1005 4096 Aug 19 23:22 nfs_nas_data
drwxrwxrwx 7 1005 1005 4096 Aug 21 14:22 nfs_nas_downloads
drwxrwxrwx 7 1005 1005 4096 Aug 20 19:35 nfs_nas_media

Unfortunately, on LXC things go wrong:

Code:
root@jellyfin:~# ls -l /mnt
total 24
d--------- 7 nobody nogroup 4096 Aug 19 20:22 data
d--------- 7 nobody nogroup 4096 Aug 21 11:22 downloads
d--------- 7 nobody nogroup 4096 Aug 20 16:35 media

I think all this Unprivileged_LXC_containers and this Understanding LXC UID Mappings mess is at fault and I cannot wrap my head around it for the second day. I am thinking about just dropping the unprivileged LXC idea and going to privileged. It is a home setup after all.

I am sure some very important step is missing in this tutorial, but I do not know what.
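
Added example (not part of the posts above): the ID map of an unprivileged container explains the nobody/nogroup owner in the listing. Host ID 1005 has no mapping, while container uid 1000 corresponds to host uid 101000. `DEFAULT_MAP` is the stock Proxmox range; `PASSTHROUGH_MAP` and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: translate UIDs/GIDs across an unprivileged container's ID map.
# Each map row is "container_start host_start count", the same three numbers
# an lxc.idmap line carries after its u/g field.

# Default map of a Proxmox unprivileged container: 0-65535 -> 100000-165535.
DEFAULT_MAP="0 100000 65536"
# Constructed custom map that passes host ID 1005 straight through.
PASSTHROUGH_MAP="0 100000 1005
1005 1005 1
1006 101006 64530"
OVERFLOW_ID=65534   # unmapped host IDs are displayed as nobody/nogroup

# host_to_ct HOST_ID [MAP]: the ID a host-owned file shows inside the container
host_to_ct() {
    while read -r ct host count; do
        if [ "$1" -ge "$host" ] && [ "$1" -lt $((host + count)) ]; then
            echo $(( $1 - host + ct ))
            return 0
        fi
    done <<EOF
${2:-$DEFAULT_MAP}
EOF
    echo "$OVERFLOW_ID"
}

# ct_to_host CT_ID [MAP]: the host-side ID behind a container user;
# prints nothing and returns 1 when the ID is outside the map
ct_to_host() {
    while read -r ct host count; do
        if [ "$1" -ge "$ct" ] && [ "$1" -lt $((ct + count)) ]; then
            echo $(( $1 - ct + host ))
            return 0
        fi
    done <<EOF
${2:-$DEFAULT_MAP}
EOF
    return 1
}

echo "host 1005 in container (default map): $(host_to_ct 1005)"
echo "container 1000 on host (default map): $(ct_to_host 1000)"
echo "host 1005 in container (passthrough): $(host_to_ct 1005 "$PASSTHROUGH_MAP")"
```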
 
After some trial and error, I realized that the ownership problem of the folder is less important for me. I'm running Syncthing in the LXC, and as it is able to write to the share and I have no rights problems on other machines, I stopped looking deeper into this problem. Maybe it works because the folders inside the mount that I sync to have the proper rights attached to them.

Sorry that I cannot provide any help :confused:
 
Very cool but only problem is you can't take snapshots of the lxcs because of the mounts unfortunately.
Hello, does anybody know the reason why this setup hinders snapshotting functionality?
I would love to have a) unprivileged CT with b) NFS share bind-mounted from the host and c) snapshot functionality for daily CT backups to PBS :)
So far it seems like keep dreaming...
Thanks in advance for any kind of hint or explanation.
 
AFAIK the short of it is:
  1. Bind mounts don't make assumptions or expose many details about the underlying storage; they're treated as POSIX-compatible file system mounts, nothing more.
  2. In order to snapshot an LXC, Proxmox has to be sure that the entire filesystem can be snapshotted (i.e. it's an LVM, btrfs, etc.).
  3. Because of 1, there are no interfaces for the bind mount to let Proxmox know "hey, I'm snapshot compatible, go ahead!", and it's not good to do a mystery "partial snapshot", since you could revert the snapshot but the bind mounts are still in whatever state they're in, and suddenly you have a state that isn't exactly what it was when you made the snapshot.
So, stick with backup strategies that stop the container, back it up, then restore the system. Those don't require the underlying storage to support snapshots, and make no promises about the state of bind mounts.
 
I was getting a 'Permission Denied' error in the LXC containers.
The solution was to add 'all_squash' to the NFS share configuration on the NAS.
 
My setup idea involves creating a user group that will be used for grouping users across all systems utilizing the NFS resource.

OpenMediaVault (OMV) Configuration

  1. Create a Group in OMV (e.g., gnas)
    Navigate to: OMV -> Users -> Groups -> Create -> Name: gnas
  2. Ensure the Group gnas Has the Desired gid
    • Log in to the OMV terminal in Proxmox.
    • Set the gid, e.g., 1001:
      groupmod -g 1001 gnas
    • Verify using:
      cat /etc/group | grep gnas
  3. Override the gid on the Server by Setting Extra Options
    Navigate to: OMV -> Services -> NFS -> Shares -> Edit -> Extra options
    • Add the following:
      all_squash,anongid=1001
    • The complete entry should look like:
      subtree_check,insecure,all_squash,anongid=1001
  4. Set Permissions
    Navigate to: OMV -> Storage -> Shared Folders -> Permissions -> gnas -> Read/Write
  5. Set Access Control
    Navigate to: OMV -> Storage -> Shared Folders -> Access Control List
    • Under File Owner and Group, set Group: gnas.
    • Under File Access Control Lists, set gnas to Read/Write.

Local Machine Configuration

  1. Create the Group gnas on Your Machine
    • Use your terminal to create the group gnas with the same gid 1001:
      groupadd -g 1001 gnas
  2. Add the Group to Your User
    • Add the group to your user:
      usermod -aG gnas <your-username>
    • Verify the group was added:
      groups <your-username>
  3. Mount the NFS Resource
    sudo mount -t nfs4 -o nfsvers=4.2 <your-ip>:/nasnfs ~/nas
    • Here, nasnfs is the name of the NFS resource, and ~/nas is the mount directory.
  4. Test File Creation with Group gnas
    • Create a test file:
      touch ~/nas/from_laptop
    • Check the file:
      ls -la ~/nas
      The file should be created by some user, but most importantly, it should belong to the group gnas.

Proxmox Server Configuration

  1. Create the Group gnas on Proxmox
    • On the Proxmox node terminal, create the group gnas with the same gid 1001:
      groupadd -g 1001 gnas
  2. Add the Group to the root User
    • Add the group to the root user:
      usermod -aG gnas root
    • Verify the group was added:
      groups root
  3. Mount the NFS Resource
    sudo mount -t nfs4 -o nfsvers=4.2 <your-ip>:/nasnfs /nas
    • Here, nasnfs is the name of the NFS resource, and /nas is the mount directory.
  4. Test File Creation with Group gnas
    • Create a test file:
      touch /nas/from_proxmox
    • Check the file:
      ls -la /nas
      The file should be created by some user, but most importantly, it should belong to the group gnas.

LXC Container Configuration

  1. Set up the Mount Point in the LXC Container
    • On the Proxmox terminal, set up the mount point using the command:
      pct set <lxc-container-id> -mp0 /nas,mp=/mnt/nasnfs
      • Here, /nas is the NFS resource directory mounted on Proxmox, and /mnt/nasnfs is the directory in the LXC container.
  2. Restart the LXC Container
  3. Create the Group gnas Inside the LXC Container
    • Log into the LXC container terminal and create the group gnas with the same gid 1001:
      groupadd -g 1001 gnas
  4. Add the Group to the User in the LXC Container
    • Add the group to a user (in this example, the root user):
      usermod -aG gnas root
  5. Test File Creation with Group gnas
    • Create a test file:
      touch /mnt/nasnfs/from_lxc
    • Check the file:
      ls -la /mnt/nasnfs
      The file should be created by some user, but most importantly, it should belong to the group gnas.
 
Found it. The problem was the squash option in the NFS permissions for the Synology shared folder. I had to change it to "map all users to admin"
Thank you for the follow-up. This was the final piece for me to have my Synology NAS going into calibre-web in an LXC.
 
This post was inspired by this guide created by @TheHellSite.

My goal is to set up a torrent LXC such that it would torrent an Ubuntu iso to an Unraid share.

It seems that there are many ways to approach this, but I struggled to find a guide that fit my needs. Having finally found a solution, I felt it appropriate to post my process in hopes that it helps others.

The Setup

Note: IP addresses, folder names, etc are just examples. Substitute as needed.
  • Proxmox is installed on Computer 1
    • Has the static IP 192.168.1.10
    • Contains a torrent LXC with an ID of 101
  • Unraid is installed on Computer 2
    • Has the static IP 192.168.1.20
    • Contains a share called downloads
    • The share allows NFS and has granted read/write permission to 192.168.1.10 (Computer 1)

Option 1

The goal can be accomplished by adding the NFS share to your Datacenter in Proxmox. You can then mount the new storage device to the torrent LXC, however the LXC must be privileged and have the NFS feature turned on.

While this does work, Proxmox will automatically create folders based on the Content types you enabled when adding the storage device. This may be reasonable in certain situations, but none of the content types fit my use-case. I attempted to delete the directories, but they would regenerate.

Additionally, the use of a privileged LXC seems to be undesirable.

With those issues in mind, I chose to explore other options.

Option 2

I followed the instructions posted by @TheHellSite in the above thread. I had no problems with the setup process, but I unfortunately experienced poor torrenting speeds.

I'm not intimately familiar with the implementation details of SMB/CIFS or torrents, but my rough understanding is that:
  • SMB is not very performant when dealing with many small files
  • Torrenting downloads many small chunks of the desired content in parallel

This could explain the poor performance, but that is just a guess. In any case, this option does not suit my needs.

Option 3 (my solution)

Having learned a lot from Option 2, I decided to attempt to mount an NFS share without the Proxmox GUI.
  1. Access your node's shell
    1. Proxmox > Your Node > Shell
  2. Create a mounting point for the share
    1. mkdir -p /mnt/computer2/downloads
  3. Edit fstab so that the share mounts automatically on reboot
    1. Open: nano /etc/fstab
    2. Add: 192.168.1.20:/mnt/user/downloads/ /mnt/computer2/downloads nfs defaults 0 0
    3. Save
  4. Mount the share
    1. Reload systemd: systemctl daemon-reload
    2. Mount shares: mount -a
  5. Add the mount point to your LXC
    1. Open: nano /etc/pve/lxc/101.conf
    2. Add: mp0: /mnt/computer2/downloads/,mp=/downloads
    3. Save
  6. Start the LXC
  7. Update the LXC user's permissions
    1. groupadd -g 10000 lxc_shares
      1. Note: I think you can use whatever group name you want as long as you use it again in the next step.
    2. usermod -aG lxc_shares root
      1. Note: Your username is probably root, but substitute for whatever user you want to configure permissions for.
    3. Reboot the LXC
    4. Verify permissions
      1. Create a file in your mountpoint: touch foobar
      2. Attempt to delete foobar from another machine.
      3. If successful, you should be done.
This seems to mount the NFS share without creating extra files and the download speeds are great. The Ubuntu iso torrent peaked at 85 MB/s. I am satisfied.

Closing

This goal provided me with a good learning opportunity and I'm appreciative of the vast amounts of community discussion on here, Reddit, blog posts, etc. I hope this post helps others as much as the other discussions helped me.

Also - I'm very new to Proxmox and, while I have some experience with Linux CLI, I'd hardly say that I'm experienced. If you find any issues in my solution, please let me know and I will try to make edits when appropriate.

Edits

  1. Added permission configuration to Option 3.
    1. Context: I deleted my torrent LXC after concluding a test, but forgot to delete the Ubuntu ISO first. I attempted to delete the file from my personal computer, but was unable to because of permission issues. I ended up needing to format the NAS (though fortunately nothing else was on it).
  2. Removed uid=100000,gid=110000 from the NFS configuration in Step 3.
    1. Context: uid and gid are not valid settings for NFS. So far as I can tell, this isn't really an issue. I speculate that it may be a pain if you want to manage the files directly from your node's shell, but I think you can just as easily create a user with the appropriate UID and GID.
Thanks for that great tutorial. Option 3 is the bomb!