[TUTORIAL] Tutorial: Unprivileged LXCs - Mount CIFS shares

Nope. `mount -a` should mount everything listed in /etc/fstab (as I understand it). Assuming it doesn't spit any errors back, you can confirm that it mounted correctly by doing a quick 'ls' of the folder.
 
Another simpler way is to mount the share at the point you want it on the lxc disk from the host.
Seems to be a lot more responsive too.
You follow the first few steps and instead of creating a mp in the lxc, just make the fstab mount point something like:
/zfs10-pool/subvol-106-disk-0/srv/nas-share
Once it's mounted the lxc sees it immediately and it can be mounted and unmounted from the host without restarting the container.
Just make sure permissions on the folder are right in the lxc and the share. E.g. fstab line:
ggldrive: /zfs10-pool/subvol-103-disk-0/srv/storage/ggldrive/ rclone noauto,rw,args2env,allow_other,gid=100100,uid=101000,file_perms=0660,dir_perms=0770,config=/root/.config/rclone/rclone.conf,vfs_cache_mode=full,cache_dir=/var/cache/rclone/ggldrive 0 0
 
Excellent guide! Thank you so much!

This worked well for me running a domain setup. Here are my particulars:
  • Running TrueNAS Scale in a VM
  • Active Directory Domain - you must use an AD account for CIFS shares. Leave it wide open in TrueNAS and manage access in AD.
  • fstab must include domain info. Easiest to use a separate file. fstab line option: "credentials=/location/filename". I placed it in /root/
    • Credentials file needs 3 lines:
      • username=<username>
      • password=<password>
      • domain=<domain-name>
  • I am running Docker/Portainer in 1 of my containers. Make sure you set the ENV PGID=10000 (to make the setup)
Cheers!
 
Can you elaborate a bit more on this and give a minimal working example for a CIFS share (step by step)?
I understood some aspects of it but not all.
 
@TheHellSite, it's really very simple. No need for complex steps.
Just mount your cifs share the same way you normally do, but mount it under the lxc disk.
That share is then visible from the container and can be accessed as if it was part of the guest filesystem.
eg:
host # mount -t cifs -o username=<win_share_user> //WIN_SHARE_IP/<share_name> /zfs10-pool/subvol-103-disk-0/srv/<share_name>
guest # ls /srv/<share_name>
windows_files

I'm actually mounting several cloud storage devices at that location and resharing them with the guest as a windows samba server so the whole network can access those cloud storage systems with a single windows share
 
Okay, I understand. Very clever indeed. However this will only work if your LXCs are stored on a ZFS/BTRFS volume.
Therefore I still prefer my solution since it works with any type of storage.
 
I haven't tested it with any other storage types, but I don't see how it wouldn't apply.
Any storage which can be mounted on the host should work.
What makes you so sure it only applies to those storage types?
 
I think that many people, including me, are using ext4 (Directory) as type for their VM/LXC storage.
Why? Because ZFS on consumer grade SSDs tends to cause problems due to the lack of available cache.

Your solution makes use of a feature called "subvolumes" that not all filesystems support (e.g. ext4).
 
If you are referring to subvol names in the path, this has nothing to do with ZFS, it is the usual path of a lxc container location seen from the host.

My 0.2 cents.
 
I've tried this tutorial and followed the steps. I can see the remote share with 'ls /mnt/lxc_shares/nas_rwx/'. Have also created the group, added the lxc user and the 100.conf has the mp0 entry, generated from the command.
But when I start the lxc, 'ls /mnt' is empty. Is there something more necessary in the container?

edit:
I have tried now in another lxc and it works. The difference that I see is that the not working lxc has some snapshots and the mp is added to the last. But this looks ok?

edit2:
ok it works, I have moved the mp0 entry to the first block in the 100.conf file.

thanks, Johannes
 
Maybe it has changed in the meantime, but the mp:0 -> mp syntax in the lxc container config does not work anymore. The share folder is empty. What works is this syntax:

lxc.mount.entry = /mnt/newdir /var/lib/lxc/mycontainer/rootfs/mnt/newdir none bind 0 0
 
This is exactly what I've been trying to find for my plex container.

I can currently Filezilla FTP into the host and drop files into the mount point for my unprivileged lxc container to access. However, I feel this is... not best practice?

So I would like to share the lxc mount point folder via my network so I can access it anywhere and drop files in as needed. I did what you have above and everything seems to have gone through OK. (I added root instead of making a new user... don't know how lol). But when I try to access it in say windows 10 - \\192.168.2.42\mnt\plex, where this is the ip of my plex container, it says it can't find it. When a "media_library" folder should pop up.
 
Hello there,
first of all: Thanks for this tutorial! It helped me to configure a paperless-ngx LXC in a way that all documents are stored on a NAS within my network.

There is one thing I haven't figured out, yet. When I try to migrate the LXC from one node to another the process gets aborted:
2023-12-09 19:44:08 shutdown CT 106
2023-12-09 19:44:10 starting migration of CT 106 to node 'pve1' (172.21.0.10)
2023-12-09 19:44:10 ignoring shared 'bind' mount point 'mp0' ('/mnt/lxc_shares/nas_rwx/')
2023-12-09 19:44:10 found local volume 'vmpool:subvol-106-disk-0' (in current VM config)
2023-12-09 19:44:10 start replication job
2023-12-09 19:44:10 end replication job with error: unable to replicate mountpoint type 'bind'
2023-12-09 19:44:10 ERROR: unable to replicate mountpoint type 'bind'

As a workaround I can remove the bind mount before migration and add it again afterwards. But that's only an option when migrating manually. My goal is to add this LXC to HA live migration.

Is there something I'm missing?


Update / Solution:
As the official documentation states you can exclude mount points from replication by setting 'replicate=0'. After adjusting my LXC_ID.conf accordingly everything went fine.

Here is my final mount:
Code:
mp0: /mnt/share/ds718/paperless-ngx/,mp=/mnt/nas,replicate=0,shared=1
 
I have a major problem; I had Plex installed under Proxmox and Debian container as LXC.
Previously, I used to mount the SMB shares using this command:
'mount -t cifs -o rw,vers=3.0,credentials=/root/.smbcredentials //192.168.178.86/j /mnt/j.' in LXE Host
However, the share arrived in the Plex LXC container with the user group 'nobody/nogroup.'
This allowed me to at least read files in Plex (media library).
Now, for the future and to have write permissions on the SMB shares, I followed this guide and implemented the shares in fstab.
The strange thing is, the /mnt shares are correctly mounted and displayed in the command line on container 107 in Plex LXC.
But as soon as I start Plex and try to add the drives as Media Library for movies, I cannot see any files or folders.
I always bypassed the shares to the respective container under Proxmox, for example: 'pct set 107 -mp0 /mnt/j,mp=/mnt/j.'
Could it be that Plex was installed under a different user?
Is it possible to change the user rights of Plex or the container so that I can see files within the program itself?
I don't understand exactly what I did wrong.
this is 107.conf:
Code:
arch: amd64
cores: 4
features: nesting=1
hostname: pPlex
memory: 4096
mp0: /mnt/lxc_shares/e,mp=/mnt/e
mp1: /mnt/lxc_shares/f,mp=/mnt/f
mp2: /mnt/lxc_shares/g,mp=/mnt/g
mp3: /mnt/lxc_shares/h,mp=/mnt/h
mp4: /mnt/lxc_shares/i,mp=/mnt/i
mp5: /mnt/lxc_shares/j,mp=/mnt/j
mp6: /mnt/lxc_shares/e,mp=/mnt/lxc_shares/e,shared=1
net0: name=eth0,bridge=vmbr0,firewall=1,hwaddr=BC:24:11:52:57:C6,ip=dhcp,type=veth
onboot: 1
ostype: debian
rootfs: local-lvm:vm-107-disk-0,size=8G
swap: 4096
unprivileged: 1

this is fstab:
Code:
# <file system> <mount point> <type> <options> <dump> <pass>
/dev/pve/root / ext4 errors=remount-ro 0 1
UUID=F2E8-1C20 /boot/efi vfat defaults 0 1
/dev/pve/swap none swap sw 0 0
proc /proc proc defaults 0 0

# Mount CIFS share on demand with rwx permissions for use in LXCs (manually added)
#//192.168.178.86/e/ /mnt/lxc_shares/e cifs _netdev,x-systemd.automount,noatime,uid=10000,gid=110000,dir_mode=0770,file_mode=0770,user=Administ,pass=pass 0 0

//192.168.178.86/e/ /mnt/lxc_shares/e cifs _netdev,x-systemd.automount,noatime,uid=100000,gid=110000,dir_mode=0770,file_mode=0770,user=Administ,pass=pass 0 0
//192.168.178.86/f/ /mnt/lxc_shares/f cifs _netdev,x-systemd.automount,noatime,uid=100000,gid=110000,dir_mode=0770,file_mode=0770,user=Administ,pass=pass 0 0
//192.168.178.86/g/ /mnt/lxc_shares/g cifs _netdev,x-systemd.automount,noatime,uid=100000,gid=110000,dir_mode=0770,file_mode=0770,user=Administ,pass=pass 0 0
//192.168.178.86/h/ /mnt/lxc_shares/h cifs _netdev,x-systemd.automount,noatime,uid=100000,gid=110000,dir_mode=0770,file_mode=0770,user=Administ,pass=pass 0 0
//192.168.178.86/i/ /mnt/lxc_shares/i cifs _netdev,x-systemd.automount,noatime,uid=100000,gid=110000,dir_mode=0770,file_mode=0770,user=Administ,pass=pass 0 0
//192.168.178.86/j/ /mnt/lxc_shares/j cifs _netdev,x-systemd.automount,noatime,uid=100000,gid=110000,dir_mode=0770,file_mode=0770,user=Administ,pass=pass 0 0
//192.168.178.86/ebooks/ /mnt/lxc_shares/ebooks cifs _netdev,x-systemd.automount,noatime,uid=100000,gid=110000,dir_mode=0770,file_mode=0770,user=Administ,pass=pass 0 0
//192.168.178.86/music/ /mnt/lxc_shares/music cifs _netdev,x-systemd.automount,noatime,uid=100000,gid=110000,dir_mode=0770,file_mode=0770,user=Administ,pass=pass 0 0
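
The fstab entries above carry the share password in the options (`user=`/`pass=`), while an earlier post in this thread uses `credentials=` with a separate file. As an added example (not from any poster), this POSIX shell check flags inline passwords in CIFS entries and verifies that a credentials file is not accessible to group or others; the sample fstab and file paths are constructed.

```shell
#!/bin/sh
# Added example, not from the thread. File names and contents are constructed.

# Print "<mount point> inline-password" for every CIFS entry that carries the
# password in its options, and "<mount point> credentials-file <path>" for
# every entry that points at a credentials file instead.
audit_cifs_fstab() {
    awk '
        /^[ \t]*#/ || NF < 4 { next }              # comments, malformed lines
        $3 != "cifs" && $3 != "smb3" { next }      # only SMB mounts
        {
            n = split($4, opt, ",")
            for (i = 1; i <= n; i++) {
                key = opt[i]; val = opt[i]
                sub(/=.*/, "", key); sub(/^[^=]*=/, "", val)
                if (key == "pass" || key == "password")
                    print $2, "inline-password"
                else if (key == "credentials" || key == "cred")
                    print $2, "credentials-file", val
            }
        }' "$1"
}

# Succeed only when FILE exists and neither group nor others have any access
# (the equivalent of mode 0600 or 0400).
cred_file_is_private() {
    [ -f "$1" ] || return 2
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

demo() {
    dir=$(mktemp -d) || return 1
    # Constructed sample: the inline form used in the thread next to the
    # credentials-file form.
    cat > "$dir/fstab" <<EOF
# <file system> <mount point> <type> <options> <dump> <pass>
//NAS/nas/ /mnt/lxc_shares/nas_rwx cifs _netdev,noatime,uid=100000,gid=110000,user=smb_username,pass=smb_password 0 0
//NAS/docs/ /mnt/lxc_shares/docs cifs _netdev,noatime,uid=100000,gid=110000,credentials=$dir/smbcredentials 0 0
EOF
    printf 'username=u\npassword=p\ndomain=d\n' > "$dir/smbcredentials"
    chmod 600 "$dir/smbcredentials"
    audit_cifs_fstab "$dir/fstab" | while read -r mp finding path; do
        case $finding in
            inline-password) echo "WARN $mp: password stored in fstab options" ;;
            credentials-file)
                if cred_file_is_private "$path"; then echo "OK   $mp: $path is private"
                else echo "WARN $mp: $path is missing or open to group/others"
                fi ;;
        esac
    done
    rm -rf "$dir"
}
demo
```

On a real host, point `audit_cifs_fstab` at `/etc/fstab`, which is normally readable by every local user.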
 
Just to be sure: There's no way to do this from within an unprivileged LXC container (e.g. when a docker-compose file references a cifs share as volume, running on docker inside the container)?
 
Would this work with 1) a share from a VM on the same machine as the unprivileged LXC?, and 2) an NFS instead of CIFS share?
 
I ran into this same issue. It's a permissions issue and I fixed it with (change dir_mode and file_mode) :
Code:
{ echo '' ; echo '# Mount CIFS share on demand with rwx permissions for use in LXCs (manually added)' ; echo '//NAS/nas/ /mnt/lxc_shares/nas_rwx cifs _netdev,x-systemd.automount,noatime,uid=100000,gid=110000,dir_mode=0777,file_mode=0774,user=smb_username,pass=smb_password 0 0' ; } | tee -a /etc/fstab


Note that I didn't say the way I fixed it is the best/most secure way. Just that plex can see the subfolders now.
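
What the mode change in the post above grants, as an added example (not from the posters): it maps a container uid and its groups through the default Proxmox unprivileged offset of 100000 (an assumption; custom idmaps differ) and picks the owner/group/other class that applies on a CIFS mount made with `uid=100000,gid=110000`. The uid/gid 998 for the service account is constructed.

```shell
#!/bin/sh
# Added example, not from the thread. OFFSET is the default Proxmox idmap start
# for unprivileged containers (assumption); uid/gid 998 is a constructed
# service account inside the container.
OFFSET=100000

# effective_access CT_UID "CT_GIDS" MNT_UID MNT_GID MODE
# Prints the permission class (owner/group/other) and the rwx bits that a
# container process gets on a mount presented with uid=MNT_UID, gid=MNT_GID
# and dir_mode/file_mode=MODE.
effective_access() {
    host_uid=$((OFFSET + $1))
    mode=$((0${5#0}))                        # read MODE as octal
    class=other; bits=$((mode & 7))
    for g in $2; do                          # any mapped group that matches
        if [ $((OFFSET + g)) -eq "$4" ]; then
            class=group; bits=$(( (mode >> 3) & 7 ))
        fi
    done
    if [ "$host_uid" -eq "$3" ]; then        # owner match takes precedence
        class=owner; bits=$(( (mode >> 6) & 7 ))
    fi
    case $bits in
        0) rwx=--- ;; 1) rwx=--x ;; 2) rwx=-w- ;; 3) rwx=-wx ;;
        4) rwx=r-- ;; 5) rwx=r-x ;; 6) rwx=rw- ;; 7) rwx=rwx ;;
    esac
    echo "$class $rwx"
}

# Mount options from the thread: uid=100000,gid=110000
effective_access 0   "0"         100000 110000 0770   # container root
effective_access 998 "998"       100000 110000 0770   # service account, no extra group
effective_access 998 "998 10000" 100000 110000 0770   # same account in container gid 10000
effective_access 998 "998"       100000 110000 0777   # dir_mode workaround
effective_access 998 "998"       100000 110000 0774   # file_mode workaround
```

With 0777 the access comes from the "other" class, so every account on the host and in any container that receives the bind mount gets it too; putting the service account into the container group that maps to gid 110000 reaches the share while the mode stays 0770.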
 
Thank you for the tutorial and I appreciate everyone's discussion here. I would like to make my LXC 'migratable' around my cluster.
My question: Is there a reason not to bind the mount point created when adding a SMB/CIFS share to the datacenter storage? This looks like it is automatically mounted under /mnt/pve on all hosts that the storage is assigned to. Looking at the reply below as a starting point.
Thanks for this post, extremely helpful!

One minor addition, adding ",shared=1" to the end of the bind mount line in /etc/pve/lxc/LXC_ID.conf will enable that container to be migrated across Proxmox nodes. It basically tells Proxmox to ignore the bind mounts, and without it will refuse to migrate. Of course if you don't have those CIFS mounts on the target node, I expect something would go poorly, but I didn't test that-- with the same CIFS mounts on every node it works perfectly.
 
Hi, thanks for this tutorial, I followed it and was able to mount my OMV NAS within my plex container. I can see all of the files mounted under /mnt/nas. However within Plex the files don't show up. What could be the issue?
 
