[Tutorial] Mounting NFS share to an unprivileged LXC

Commands from step 7 (groupadd -g 10000 lxc_shares and usermod -aG lxc_shares root) aim to:
  1. Create a group named "lxc_shares" with GID 10000.
  2. Make the "root" user a member of that new group (as a supplementary group, not changing its primary group)
But the tutorial does not say:
  • Why is the GID "10000"? Proxmox's Unprivileged LXC containers wiki page mentions a 100000 offset.
  • Where to execute those commands:
    • on PVE host/node?
    • inside LXC? In such case they have to be adapted to the container's OS.
NB: I can access NFS share fine from PVE host/node.

---

Edit: According to @TheHellSite's tutorial, commands are to be executed in LXC.

So I've executed the 2 commands (their Alpine variant as my container is Alpine-based) for both LXC's root user and my first_user (UID 101).

My mp0 line is: mp0: /mnt/nfsshare/,mp=/foo.

But I get "ls: can't open '/foo': Permission denied" when I try to read the mountpoint with ls -al, both as root and first_user.

As "ls -dl /foo" shows, LXC's mountpoint is owned by nobody:nobody (UID=65534, GID=65534) with "0770/drwxrwx---" permissions:

Code:
# ls -dl /foo
drwxrwx---    4 nobody   nobody           4 Dec 25 23:23 /foo

According to this https://www.reddit.com/r/Proxmox/comments/1jmi7k1/permission_errors_in_an_unprivileged_lxc_after/ Reddit thread, I should have root:root as owner of the "/foo" mountpoint in LXC.

Stopping LXC, executing chown 100000:100000 /mnt/nfsshare on PVE host and restarting the LXC does not change anything (mountpoint "/foo" is still owned by nobody:nobody in LXC).
---
This post was inspired by this guide created by @TheHellSite.
Thanks for showing everyone how you achieved this.

I used the same SMB/CIFS guide as you did. One of the shares began having hardlink/inode problems between the TrueNAS ZFS dataset and the CIFS mount on Proxmox, causing the noserverino flag to be forced on and hardlinks to fail entirely. After some research, I decided to try switching to NFS to prevent any suspected inode collisions. After some searching, I found your guide!

I had all of the permissions and passthroughs from TheHellSite's guide, and my LXCs and containers were all configured to use them, so I wasn't sure if it'd work. Fortunately, it did!

Briefly, all I had to do was create an NFS share on the same dataset as CIFS, and then switch them over on the same mount point in /etc/fstab.

To convert from @TheHellSite's CIFS Guide to @Blast12345's NFS guide without reconfiguring my LXCs:

My TrueNAS server is 192.168.1.5
My ZFS Pool is 'pool'
My Dataset is 'dataset'

The short version is this:

Code:
root@proxmox:~# umount -v /mnt/lxc_shares/nas_data_rwx
    umount: /mnt/lxc_shares/nas_data_rwx (//192.168.1.5/dataset) unmounted
root@proxmox:~# nano /etc/fstab
root@proxmox:~# systemctl daemon-reload
root@proxmox:~# mount -a

Longer version:

1. Create a CIFS share on your NAS.

I used mapallusers and mapallgroups to force everyone accessing the share to have the same permissions. Not very security conscious, but it works for my use case. There's probably a more elegant and secure solution to be had here.
2. Unmount your CIFS mount point. umount -v /mnt/mountpoint
3. Edit fstab nano /etc/fstab

I went from this:
Code:
# Mount CIFS share on demand with rwx permissions for use in LXCs (manually added)
//192.168.1.5/dataset/ /mnt/lxc_shares/nas_data_rwx cifs serverino,_netdev,x-systemd.automount,noatime,uid=101000,gid=110000,dir_mode=0770,file_mode=0770,user=redacted,pass=redacted 0 0

to this:
Code:
# Mount NFS share on demand with rwx permissions for use in LXCs (manually added)
192.168.1.5:/mnt/pool/dataset/ /mnt/lxc_shares/nas_data_rwx nfs defaults,hard,_netdev,x-systemd.automount,noatime,ac 0 0

4. Reload systemd: systemctl daemon-reload
5. Mount the new share: mount -a

Enjoy!
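Both posts above turn on the same id mapping: GID 10000 (lxc_shares) inside the container is 110000 on the host, which is the gid= value in the fstab line, and a host-side owner outside the mapped range appears inside the container as nobody (65534), which is why even root got "Permission denied" on the 0770 mountpoint in the first post. The script below is an added example written for this thread, not code from any poster or from Proxmox; it assumes the default unprivileged idmap of 65536 ids shifted by 100000 and models the kernel's owner/group/other check for a directory.

```shell
#!/bin/sh
# Added example (not from the thread): translate ownership between a Proxmox host and an
# unprivileged LXC. Assumption: default idmap of 65536 ids starting at offset 100000.
OFFSET=100000
RANGE=65536
NOBODY=65534          # kernel overflow id, shown as "nobody" for owners the container cannot map

# Container id -> host id (what to chown on the PVE host, or put in uid=/gid= in fstab).
ctr_to_host() { echo $(( $1 + OFFSET )); }

# Is the host id inside the container's mapped range? (exit 0 = yes)
is_mapped() { [ "$1" -ge "$OFFSET" ] && [ "$1" -lt $(( OFFSET + RANGE )) ]; }

# Host id -> id seen inside the container; unmapped ids collapse to 65534 (nobody).
host_to_ctr() {
  if is_mapped "$1"; then echo $(( $1 - OFFSET )); else echo "$NOBODY"; fi
}

# can_list HOST_UID HOST_GID MODE CTR_UID CTR_GID
# Does a container process (CTR_UID, effective group CTR_GID) get r+x on a directory whose
# host-side ownership is HOST_UID:HOST_GID with octal MODE such as 0770?
# Mirrors the DAC rule: owner bits, else group bits, else other bits. Container root may
# override only when both owner ids are mapped into its user namespace, so a nobody:nobody
# directory locks root out as well.
can_list() {
  seen_uid=$(host_to_ctr "$1"); seen_gid=$(host_to_ctr "$2"); mode=$3
  ctr_uid=$4; ctr_gid=$5
  if [ "$ctr_uid" -eq 0 ] && is_mapped "$1" && is_mapped "$2"; then return 0; fi
  o=${mode%??}; o=${o#"${o%?}"}          # owner digit
  g=${mode%?};  g=${g#"${g%?}"}          # group digit
  w=${mode#"${mode%?}"}                  # other digit
  if   [ "$ctr_uid" -eq "$seen_uid" ]; then bits=$o
  elif [ "$ctr_gid" -eq "$seen_gid" ]; then bits=$g
  else bits=$w; fi
  [ $(( bits & 5 )) -eq 5 ]              # need read (4) and search (1) on a directory
}

# Worked case from the first post: /foo shows as nobody:nobody 0770, so neither root nor
# first_user (UID 101, member of lxc_shares GID 10000) can list it.
for who in "0 0" "101 10000"; do
  if can_list 65534 65534 0770 $who; then echo "uid/gid $who: ok"
  else echo "uid/gid $who: Permission denied"; fi
done
```

Running `stat -c '%u %g %a' /path/on/host` on the PVE node gives the first three arguments for can_list; if the host-side uid/gid are not in the 100000..165535 range, the container will see nobody:nobody regardless of what the mount options or group memberships inside the container say.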
---
Thank you for this helpful tutorial! It provides a clear path for those with full access to the PVE host.

I have a follow-up question regarding a more restricted environment:

What if the user does not have root access to the PVE node shell and cannot execute commands on the host?

In many managed or multi-tenant environments, a user might only have permissions to manage containers via the PVE Web GUI. Is there any known method to mount an NFS share to an unprivileged LXC solely through the Web interface or from within the container itself, without requiring host-level terminal intervention?

I understand that unprivileged containers have significant security restrictions regarding mounting network filesystems, but I’m wondering if there are workarounds (perhaps via FUSE or specific GUI-exposed features) that could bridge this gap.