[Tutorial] Mounting NFS share to an unprivileged LXC

Commands from step 7 (groupadd -g 10000 lxc_shares and usermod -aG lxc_shares root) aim to:
  1. Create a group named "lxc_shares" with GID 10000.
  2. Make the "root" user a member of that new group (as a supplementary group, not changing its primary group)
But the tutorial does not say:
  • Why is the GID "10000"? Proxmox's Unprivileged LXC containers wiki page mentions a 100000 offset.
  • Where to execute those commands:
    • on PVE host/node?
    • inside LXC? In such case they have to be adapted to the container's OS.
NB: I can access the NFS share fine from the PVE host/node.

---

Edit: According to @TheHellSite's tutorial, commands are to be executed in LXC.

So I've executed the 2 commands (their Alpine variant as my container is Alpine-based) for both LXC's root user and my first_user (UID 101).

My mp0 line is: mp0: /mnt/nfsshare/,mp=/foo.

But I get "ls: can't open '/foo': Permission denied" when I try to read the mountpoint with ls -al, both as root and first_user.

As "ls -dl /foo" shows, LXC's mountpoint is owned by nobody:nobody (UID=65534, GID=65534) with "0770/drwxrwx---" permissions:

Code:
# ls -dl /foo
drwxrwx---    4 nobody   nobody           4 Dec 25 23:23 /foo

According to this https://www.reddit.com/r/Proxmox/comments/1jmi7k1/permission_errors_in_an_unprivileged_lxc_after/ Reddit thread, I should have root:root as owner of the "/foo" mountpoint in LXC.

Stopping LXC, executing chown 100000:100000 /mnt/nfsshare on PVE host and restarting the LXC does not change anything (mountpoint "/foo" is still owned by nobody:nobody in LXC).
This post was inspired by this guide created by @TheHellSite.
Thanks for showing everyone how you achieved this.

I used the same SMB/CIFS guide as you did. One of the shares began having hardlink/inode problems between the TrueNAS ZFS dataset and the CIFS mount on Proxmox, causing the noserverino flag to be forced on and hardlinks to fail entirely. After some research, I decided to try switching to NFS to prevent any suspected inode collisions. After some searching, I found your guide!

I had all of the permissions and passthroughs from TheHellSite's guide, and my LXCs and containers were all configured to use them, so I wasn't sure if it'd work. Fortunately, it did!

Briefly, all I had to do was create an NFS share on the same dataset as CIFS, and then switch them over on the same mount point in /etc/fstab.

To convert from @TheHellSite's CIFS Guide to @Blast12345's NFS guide without reconfiguring my LXCs:

My TrueNAS server is 192.168.1.5
My ZFS Pool is 'pool'
My Dataset is 'dataset'

The short version is this:

Code:
root@proxmox:~# umount -v /mnt/lxc_shares/nas_data_rwx
    umount: /mnt/lxc_shares/nas_data_rwx (//192.168.1.5/dataset) unmounted
root@proxmox:~# nano /etc/fstab
root@proxmox:~# systemctl daemon-reload
root@proxmox:~# mount -a

Longer version:

1. Create a CIFS share on your NAS.

I used mapallusers and mapallgroups to force everyone accessing the share to have the same permissions. Not very security conscious, but it works for my use case. There's probably a more elegant and secure solution to be had here.
2. Unmount your CIFS mount point. umount -v /mnt/mountpoint
3. Edit fstab nano /etc/fstab

I went from this:
Code:
# Mount CIFS share on demand with rwx permissions for use in LXCs (manually added)
//192.168.1.5/dataset/ /mnt/lxc_shares/nas_data_rwx cifs serverino,_netdev,x-systemd.automount,noatime,uid=101000,gid=110000,dir_mode=0770,file_mode=0770,user=redacted,pass=redacted 0 0

to this:
Code:
# Mount NFS share on demand with rwx permissions for use in LXCs (manually added)
192.168.1.5:/mnt/pool/dataset/ /mnt/lxc_shares/nas_data_rwx nfs defaults,hard,_netdev,x-systemd.automount,noatime,ac 0 0

4. Reload systemd: systemctl daemon-reload
5. Mount the new share: mount -a

Enjoy!
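Both posts above turn on the same mechanism: an unprivileged LXC sees host IDs through its idmap, so the 100000 offset from the wiki, the nobody:nobody owner in the first post and the uid=101000,gid=110000 options in the second post's old CIFS line are all the same arithmetic. The script below is an added example written for this thread, not code from either poster or from the guides they reference. It assumes the default Proxmox mapping (`u 0 100000 65536` and the same for groups) as the constructed IDMAP value; the function names host_to_ct, ct_to_host and owner_as_seen_in_ct are my own, and owner_as_seen_in_ct relies on GNU stat.

```shell
#!/bin/sh
# Translate UIDs/GIDs across an unprivileged LXC's idmap.
# Constructed example: the default Proxmox idmap as written in an LXC config
# (type, first container id, first host id, range length).
IDMAP="u 0 100000 65536
g 0 100000 65536"

# host_to_ct TYPE HOST_ID: print the id the container sees for HOST_ID.
# TYPE is "u" (uid) or "g" (gid). A host id that falls outside every mapped
# range has no owner inside the container and shows up as 65534 (nobody/nogroup).
host_to_ct() {
    printf '%s\n' "$IDMAP" | awk -v type="$1" -v id="$2" '
        $1 == type && id >= $3 && id < $3 + $4 { print id - $3 + $2; found = 1; exit }
        END { if (!found) print 65534 }'
}

# ct_to_host TYPE CT_ID: print the host id that backs CT_ID inside the container,
# or "unmapped" if the container id is beyond the mapped range (it could never
# own a file on the host).
ct_to_host() {
    printf '%s\n' "$IDMAP" | awk -v type="$1" -v id="$2" '
        $1 == type && id >= $2 && id < $2 + $4 { print id - $2 + $3; found = 1; exit }
        END { if (!found) print "unmapped" }'
}

# owner_as_seen_in_ct PATH: run on the PVE host against a bind-mount source
# and print "uid:gid" as the container will see it. Uses GNU stat.
owner_as_seen_in_ct() {
    host_uid=$(stat -c '%u' "$1") || return 1
    host_gid=$(stat -c '%g' "$1") || return 1
    printf '%s:%s\n' "$(host_to_ct u "$host_uid")" "$(host_to_ct g "$host_gid")"
}

# Demo: the second post's old CIFS options uid=101000,gid=110000 are host ids,
# so inside the container they become uid 1000 and gid 10000 (the lxc_shares GID).
printf 'host uid 101000 -> container uid %s\n' "$(host_to_ct u 101000)"
printf 'host gid 110000 -> container gid %s\n' "$(host_to_ct g 110000)"
printf 'container gid 10000 -> host gid %s\n' "$(ct_to_host g 10000)"
# A host-owned file (host uid 0) is unmapped and therefore shows as nobody (65534).
printf 'host uid 0 -> container uid %s\n' "$(host_to_ct u 0)"
```

Reading the output the other way round is the useful check: if owner_as_seen_in_ct on the bind-mount source reports 65534:65534, the host-side owner is outside the container's idmap and chown to an id inside the mapped range (for example 100000 + the container uid you want) is what changes the owner the container sees; an NFS export that squashes ids on the server side will still present nobody regardless of the container's mapping, which the script cannot see.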