[TUTORIAL] Tutorial: Unprivileged LXCs - Mount CIFS shares

Share is working fine on the host. Full access.

lxc config file:

Code:
arch: amd64
cores: 4
features: nesting=1
hostname: ch-Bibliothek
memory: 4096
mp0: /mnt/lxc_shares/nas_rwx/, mp=/mnt/nas
net0: name=eth0,bridge=vmbr0,firewall=1,gw=192.168.178.1,hwaddr=1A:14:7E:09:8C:79,ip=192.168.178.113/24,type=veth
ostype: debian
rootfs: Daten:113/vm-113-disk-0.raw,size=8G
swap: 4096
unprivileged: 1
 
Well, very closely compare your "mp0: ..." line with the one I provided in the tutorial, you should be able to spot the issue on your own.
If you had just used my commands, the error wouldn't have happened.
 
I was wondering, do you ever get messages like this when shutting down or rebooting?

Code:
Feb 02 01:38:08 jellyfin systemd[1]: mnt-nas.mount: Mount process exited, code=exited, status=32/n/a
Feb 02 01:38:08 jellyfin systemd[1]: Failed unmounting /mnt/nas.

Rebooting is much slower depending on the number of mounts involved.
 
Is this within the LXC or on the PVE host?

I don't have any delays rebooting / starting my Jellyfin LXC.
 
I am following this guide as I am struggling with a Proxmox unprivileged container running a docker compose with both gluetun and qbittorrent. I am close. However, at point 2 I am supposed to add the user to the group. Unfortunately I don't have a user (Plex, Jellyfin, etc.); the qbittorrent container doesn't have a user, therefore I am at a loss. Any hints on how to solve that would be appreciated.
 
I don't understand where you're stuck. According to TheHellSite, Step 1 is to create the user and shared folder and add the user and the shared folder into group 1000 (you do that in the LXC container). Step 2 is to do it on the PVE host, so I don't understand your problem. Whatever user name you created in step 1 should be the same user you must use in your qbittorrent or other apps. Where is the storage you are trying to mount in the LXC? On the Proxmox host or from a NAS?
 
It's alright if you don't understand. I was hoping somebody else was in my situation while following this guide.
I read the instructions carefully. The first step is to create a group, not a user. I don't have any other users set up in my LXC (other than the ones created by the LXC itself; I checked with ~# cat /etc/passwd).

Your statement:
What ever user name you created from step 1
is not correct. I haven't created a/another user. The docker LXC where I try to mount the shared CIFS does not have another user. But as somebody mentioned in the thread he used user 0 probably for the same reason. There may be security implications though. So I was wondering what was the correct workaround. I understand you got it working and I congratulate you, though. I got to do some more digging.
 
If just the root user exists, can you add that to the group?
 
That's what I ended up doing, thanks. This was the obvious thing to do. I may redo the configuration at some point.
Neither this container nor the share will be directly exposed to the world.

One more thing that I did and may help someone with an old NAS like mine. In the line with the username and password for the share I added “vers=2” otherwise it would not mount the share. I knew that from previous struggles.
 

Total linux noob alert!
I'm struggling to mount the share on the PVE host. I managed to do it manually using the GUI, but when I try using the command in step 3 I get this:
Code:
mount /mnt/lxc_shares/nas_rwx
Couldn't chdir to /mnt/lxc_shares/nas_rwx: No such device
even though I created the mount point with mkdir -p /mnt/lxc_shares/nas_rwx.

Also, when I try to cd /mnt/lxc_shares it works, and if I ls in it I see nas_rwx
Code:
/mnt/lxc_shares# ls
nas_rwx
/mnt/lxc_shares# cd /mnt/lxc_shares/nas_rwx
-bash: cd: /mnt/lxc_shares/nas_rwx: No such device

I'm sure I'm missing something stupid... I apologize in advance.
 
Thank you for this. Working great.
Had to do one minor edit (due to me playing around :)).
The LXC container needs the setting set to Protection: No, otherwise you will get a Permission Denied error when writing to the share.
 
Since unprivileged LXCs are not allowed to mount CIFS shares and privileged LXCs are considered unsafe (for a reason), I was scratching my head over how to still have my NAS shares available in my LXCs, f.e. (Jellyfin, Plex, ...).

The solution provided by the Proxmox Wiki would require many changes to the PVE host config, which I was not willing to do.
https://pve.proxmox.com/wiki/Unprivileged_LXC_containers#Using_local_directory_bind_mount_points

Thanks to the following source I was able to assemble a solution that should work for everyone in under 10 minutes.
https://bayton.org/docs/linux/lxd/mount-cifssmb-shares-rw-in-lxd-containers/


How does it work?
By default CIFS shares are mounted as user root (uid=0) and group root (gid=0) on the PVE host, which makes them inaccessible to other users, groups and LXCs.
This is because UIDs/GIDs on the PVE host and LXC guests are both starting at 0. But a UID/GID=0 in an unprivileged LXC is actually a UID/GID=100000 on the PVE host. See the above Proxmox Wiki link for more information on this.
@Jason Bayton's solution was to mount the share on the PVE host with the UID/GID of the LXC-User that is going to access the share. While this is working great for a single user it would not work for different LXCs with different users having different UIDs and GIDs. I mean it would work, but then you would have to create a single mount entry for your CIFS share for each UID/GID.

My solution is doing this slightly different and more effective I think.
You simply mount the CIFS share to the UID that belongs to the unprivileged LXC root user, which by default is always uid=100000.
But instead of also mounting it to the GID of the LXC root user, you are going to create a group in your LXC called lxc_cifs_shares with a gid=10000 which refers to gid=110000 on the PVE host.
PVE host (UID=100000/GID=110000) <--> unprivileged LXC (UID=0/GID=10000)


How to configure it

1. In the LXC (run commands as root user)

  1. Create the group "lxc_shares" with GID=10000 in the LXC which will match the GID=110000 on the PVE host.
    groupadd -g 10000 lxc_shares
  2. Add the user(s) that need access to the CIFS share to the group "lxc_shares".
    f.e.: jellyfin, plex, ... (the username depends on the application)
    usermod -aG lxc_shares USERNAME
  3. Shut down the LXC.
2. On the PVE host (run commands as root user)
  1. Create the mount point on the PVE host.
    mkdir -p /mnt/lxc_shares/nas_rwx
  2. Add NAS CIFS share to /etc/fstab.
    _netdev Forces systemd to consider the mount unit a network mount.
    x-systemd.automount Automatically remounts the CIFS share in case the NAS went offline for some time.
    noatime Access timestamps are not updated when a file/folder is read.
    uid=100000,gid=110000 See part "How does it work?" paragraph two for explanation.
    dir_mode=0770,file_mode=0770 Only that uid/gid will have rwx access to the share. (PVE root user always has rwx to everything.)
    !!! Adjust //NAS/nas/ in the middle of the command to match your CIFS hostname (or IP) //NAS/ and the share name /nas/. !!!
    !!! Adjust user=smb_username,pass=smb_password at the end of the command. !!!

    Code:
    { echo '' ; echo '# Mount CIFS share on demand with rwx permissions for use in LXCs (manually added)' ; echo '//NAS/nas/ /mnt/lxc_shares/nas_rwx cifs _netdev,x-systemd.automount,noatime,uid=100000,gid=110000,dir_mode=0770,file_mode=0770,user=smb_username,pass=smb_password 0 0' ; } | tee -a /etc/fstab
  3. Mount the share on the PVE host.
    mount /mnt/lxc_shares/nas_rwx
  4. Add a bind mount of the share to the LXC config.
    !!! Adjust the LXC_ID at the end of the command. !!!
    Code:
    You can mount it in the LXC with read+write+execute (rwx) permissions.
    { echo 'mp0: /mnt/lxc_shares/nas_rwx/,mp=/mnt/nas' ; } | tee -a /etc/pve/lxc/LXC_ID.conf
    
    You can also mount it in the LXC with read-only (ro) permissions.
    { echo 'mp0: /mnt/lxc_shares/nas_rwx/,mp=/mnt/nas,ro=1' ; } | tee -a /etc/pve/lxc/LXC_ID.conf
  5. Start the LXC.
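As an added example (not from the tutorial or from any poster in this thread), the POSIX shell script below checks an fstab CIFS entry against the uid/gid mapping the tutorial relies on before the LXC is started. It assumes the default Proxmox idmap for unprivileged LXCs (container id 0 maps to host id 100000, a range of 65536 ids); the fstab lines are constructed samples with placeholder credentials.

```shell
#!/bin/sh
# Added example, not part of the tutorial: translate unprivileged-LXC ids to
# PVE host ids and sanity-check an fstab CIFS entry before the LXC is started.
# Assumes the default Proxmox idmap (container 0 -> host 100000, 65536 ids).

HOST_BASE=100000   # first host id of the unprivileged range (see /etc/subuid)
RANGE=65536        # number of ids in the mapped range

# host_id CT_ID: print the PVE host id for a container uid/gid, fail if unmapped
host_id() {
    [ "$1" -ge 0 ] && [ "$1" -lt "$RANGE" ] || return 1
    echo $(( HOST_BASE + $1 ))
}

# fstab_opt LINE KEY: print the value of KEY=... from the fstab options field
fstab_opt() {
    echo "$1" | awk '{print $4}' | tr ',' '\n' | sed -n "s/^$2=//p"
}

# check_ids LINE CT_UID CT_GID: succeed only if uid=/gid= equal the host ids
# that the given container uid/gid map to (the tutorial uses 0 and 10000)
check_ids() {
    want_uid=$(host_id "$2") || return 1
    want_gid=$(host_id "$3") || return 1
    [ "$(fstab_opt "$1" uid)" = "$want_uid" ] &&
    [ "$(fstab_opt "$1" gid)" = "$want_gid" ]
}

# check_modes LINE: succeed only if dir_mode/file_mode give "other" no access,
# so only the mapped uid and the lxc_shares group can reach the share
check_modes() {
    for k in dir_mode file_mode; do
        case "$(fstab_opt "$1" "$k")" in 0??0) ;; *) return 1 ;; esac
    done
}

# Constructed sample: the tutorial's entry with placeholder credentials.
SAMPLE='//NAS/nas/ /mnt/lxc_shares/nas_rwx cifs _netdev,x-systemd.automount,noatime,uid=100000,gid=110000,dir_mode=0770,file_mode=0770,user=smb_username,pass=smb_password 0 0'
# Constructed bad sample: world-accessible modes and the gid of another group.
BAD='//NAS/nas/ /mnt/lxc_shares/nas_rwx cifs uid=100000,gid=101000,dir_mode=0777,file_mode=0777 0 0'

main() {
    check_ids "$SAMPLE" 0 10000 && check_modes "$SAMPLE" && echo "SAMPLE ok"
    check_ids "$BAD" 0 10000 || echo "BAD: uid/gid do not match LXC root/lxc_shares"
    check_modes "$BAD" || echo "BAD: modes grant access to 'other'"
}
main
```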
I get stuck at step 3 and get a "resource busy" error; is anyone else getting this?
I can go into the nas_rwx folder and can see the files from my NAS share. Does that mean that the mount already exists, and is that probably why I am getting this error?
 
I get stuck at step 3 and get a "resource busy" error; is anyone else getting this?
No issues here.

I can go into the nas_rwx folder and can see the files from my NAS share. Does that mean that the mount already exists, and is that probably why I am getting this error?
Well, what do you think this means?
 
Thanks for all the help, I finally sorted it.
I deleted the container and started again.
Made the directory as suggested.
I went to the fstab file, deleted the existing entry and re-ran the command from point 3 above. Went into the lxc_share folder and checked that the folders were pulling through from the share.
Mounted the share and went into pve/lxc to check. The mistake I was making here was the LXC_ID: I was just changing the ID to match the ID of the container and not replacing "LXC_ID".
 
