[TUTORIAL] Tutorial: Unprivileged LXCs - Mount CIFS shares

For those of us using Docker in an LXC container, and wish to mount one or more Windows Samba shares -- it seems this tutorial can be further simplified:

Assuming a fairly typical Docker container where UID and PID 1000 are being used, nothing needs to be done in the LXC container other than shutting it down.

As root on the PVE host, create the directories you'd like to mount to Samba shares. I have three to mount, so it looks like this:

Code:
mkdir /mnt/tv_series
mkdir /mnt/movies
mkdir /mnt/backup

These are the same names I used on the system I'm transferring these containers over from, to keep things easy.

Edit /etc/fstab similar to this (with appropriate modifications for your scenario), with your favorite editor -- I like WinSCP for this purpose (and for most PVE admin that can't be done from the WebUI): :)

Code:
//media-server/tv\040series /mnt/tv_series cifs x-systemd.automount,username=User\040Name,password=Password,uid=101000,gid=101000 0 0
//media-server/movies       /mnt/movies    cifs x-systemd.automount,username=User\040Name,password=Password,uid=101000,gid=101000 0 0
//media-server/backup       /mnt/backup    cifs x-systemd.automount,username=User\040Name,password=Password,uid=101000,gid=101000 0 0

Since Windows usernames and shares can have spaces in them -- note that I'm showing how to handle those above using \040 in place of the <space>. UID and PID 101000 on the host get translated to 1000 on the guest. mount -a will reload fstab, and make your shares live, which you can check from the command line or in WinSCP by navigating to your sub-directories under /mnt.

And lastly, the container config file, which in my case is /etc/pve/lxc/105.conf, needs to have lines added similar to these (adapted for your use-case of course):

Code:
mp0: /mnt/tv_series/,mp=/mnt/tv_series
mp1: /mnt/movies/,mp=/mnt/movies
mp3: /mnt/backup/,mp=/mnt/backup

Note that I'm using the same names for the container mount points as I am for the host mounts -- use different names if it suits, but keeping it consistent makes more sense to me. At this point you can startup your LXC container again. By doing it this way, nothing needed to happen with the nine container stack I brought over -- everything just worked as it had previously with Docker running on a Debian 11 bare metal host. The fstab lines above were brought over from my previous install, with only the UID and PID changed and x-systemd.automount added for better persistence.
 
Thanks a lot for this awesome Tutorial. I managed to do all steps and see my CIF shared folder with all contents in my mounted folder inside of the LXC container command line. But somehow the app itself of the lXC (in my case plex) does not see subfolders or files inside the mounted folder. I suspect something with the rights is not correct but I am still very much a beginner in Linux and proxmox, I hope someone can help me:
my fstab file on the PVE looks like this:
Code:
# <file system> <mount point> <type> <options> <dump> <pass>
/dev/pve/root / ext4 errors=remount-ro 0 1
UUID=E88B-1FA2 /boot/efi vfat defaults 0 1
/dev/pve/swap none swap sw 0 0
proc /proc proc defaults 0 0

# Mount CIFS share on demand with rwx permissions for use in LXCs (manually added)
//192.168.1.37/media /mnt/lxc_shares/nas_rwx cifs _netdev,x-systemd.automount,noatime,uid=100000,gid=110000,dir_mode=0770,file_mode=0770,user=XXX,pass=XXX 0 0

# Mount CIFS share on demand with rwx permissions for use in LXCs (manually added)
//192.168.1.37/torrents /mnt/lxc_shares/torrents_rwx cifs _netdev,x-systemd.automount,noatime,uid==100000,gid=110000,dir_mode=0770,file_mode=0770,user=XXX,pass=XXX 0 0

the conf file of the container:
Code:
## Plex LXC
arch: amd64
cores: 2
features: nesting=1
hostname: plex
memory: 2048
mp0: /mnt/lxc_shares/nas_rwx/,mp=/mnt/nas
net0: name=eth0,bridge=vmbr0,hwaddr=5A:F2:89:C9:C3:CE,ip=dhcp,type=veth
onboot: 1
ostype: ubuntu
rootfs: local-lvm:vm-101-disk-0,size=8G
swap: 512
lxc.cgroup2.devices.allow: c 226:0 rwm
lxc.cgroup2.devices.allow: c 226:128 rwm
The following I see in the LXC container:
Code:
root@plex:/# groups plex
plex : plex video syslog lxc_shares
root@plex:/# cd mnt/nas
root@plex:/mnt/nas# ls -la
total 4
drwxrwx--- 2 100000 110000    0 May  9 09:35 .
drwxr-xr-x 3 root   root   4096 May 11 09:39 ..
drwxrwx--- 2 100000 110000    0 May  8 15:19 books
drwxrwx--- 2 100000 110000    0 May  8 05:23 movies
drwxrwx--- 2 100000 110000    0 May  7 14:26 tvshows

But if I try to access then these folders in the app the nas folder is empty:
1683805679015.png
 
Last edited:
  • Like
Reactions: eugenechia
hi all, i followed the guide but i'm sure i'm missing something. i have a freshly installed clean lxc container, i installed docker and portainer (image is turnkey), on lxc i created the group and put user root in the group, then i checked the share the pve and it's mounted, and with the user root (on pve and lxc) I can create the folders, now on docker the containers get permission denied when I go to read the data in the volumes that I have mounted. this is the configuration

PVE
Code:
//192.168.1.3/container/datadocker/registrazioni  /media/NAS/frigate  cifs vers=3.0,uid=100000,gid=110000,dir_mode=0770,file_mode=0770,credentials=/home/.cifscreds 0 0
//192.168.1.3/container/datadocker/filedocker  /media/NAS/datadocker  cifs vers=3.0,uid=100000,gid=110000,dir_mode=0770,file_mode=0770,credentials=/home/.cifscreds 0 0

PVE LXC.CONF
Code:
arch: amd64
cores: 2
features: keyctl=1,nesting=1
hostname: datadocker
memory: 2048
mp0: /media/NAS/frigate/,mp=/media/NAS/frigate
mp1: /media/NAS/datadocker/,mp=/media/NAS/datadocker
net0: name=eth0,bridge=vmbr0,firewall=1,gw=192.168.1.254,hwaddr=22:77:2F:29:55:99,ip=192.168.1.8/24,type=veth
ostype: debian
rootfs: local-lvm:vm-100-disk-0,size=32G
swap: 512
unprivileged: 1

and this the docker-compose
Code:
    prometheus:
      image: prom/prometheus:latest
      container_name: prometheus
      ports:
        - "9090:9090"
      volumes:
        - /media/NAS/datadocker/prometheus/etc/prometheus.yml:/etc/prometheus/prometheus.yml
        - /media/NAS/datadocker/prometheus:/prometheus
      restart: unless-stopped
 
For those of us using Docker in an LXC container, and wish to mount one or more Windows Samba shares -- it seems this tutorial can be further simplified:

Assuming a fairly typical Docker container where UID and PID 1000 are being used, nothing needs to be done in the LXC container other than shutting it down.

As root on the PVE host, create the directories you'd like to mount to Samba shares. I have three to mount, so it looks like this:

Code:
mkdir /mnt/tv_series
mkdir /mnt/movies
mkdir /mnt/backup

These are the same names I used on the system I'm transferring these containers over from, to keep things easy.

Edit /etc/fstab similar to this (with appropriate modifications for your scenario), with your favorite editor -- I like WinSCP for this purpose (and for most PVE admin that can't be done from the WebUI): :)

Code:
//media-server/tv\040series /mnt/tv_series cifs x-systemd.automount,username=User\040Name,password=Password,uid=101000,gid=101000 0 0
//media-server/movies       /mnt/movies    cifs x-systemd.automount,username=User\040Name,password=Password,uid=101000,gid=101000 0 0
//media-server/backup       /mnt/backup    cifs x-systemd.automount,username=User\040Name,password=Password,uid=101000,gid=101000 0 0

Since Windows usernames and shares can have spaces in them -- note that I'm showing how to handle those above using \040 in place of the <space>. UID and PID 101000 on the host get translated to 1000 on the guest. mount -a will reload fstab, and make your shares live, which you can check from the command line or in WinSCP by navigating to your sub-directories under /mnt.

And lastly, the container config file, which in my case is /etc/pve/lxc/105.conf, needs to have lines added similar to these (adapted for your use-case of course):

Code:
mp0: /mnt/tv_series/,mp=/mnt/tv_series
mp1: /mnt/movies/,mp=/mnt/movies
mp3: /mnt/backup/,mp=/mnt/backup

Note that I'm using the same names for the container mount points as I am for the host mounts -- use different names if it suits, but keeping it consistent makes more sense to me. At this point you can startup your LXC container again. By doing it this way, nothing needed to happen with the nine container stack I brought over -- everything just worked as it had previously with Docker running on a Debian 11 bare metal host. The fstab lines above were brought over from my previous install, with only the UID and PID changed and x-systemd.automount added for better persistence.
I love you!
 
Thanks a lot for this awesome Tutorial. I managed to do all steps and see my CIF shared folder with all contents in my mounted folder inside of the LXC container command line. But somehow the app itself of the lXC (in my case plex) does not see subfolders or files inside the mounted folder. I suspect something with the rights is not correct but I am still very much a beginner in Linux and proxmox, I hope someone can help me:
my fstab file on the PVE looks like this:
Code:
# <file system> <mount point> <type> <options> <dump> <pass>
/dev/pve/root / ext4 errors=remount-ro 0 1
UUID=E88B-1FA2 /boot/efi vfat defaults 0 1
/dev/pve/swap none swap sw 0 0
proc /proc proc defaults 0 0

# Mount CIFS share on demand with rwx permissions for use in LXCs (manually added)
//192.168.1.37/media /mnt/lxc_shares/nas_rwx cifs _netdev,x-systemd.automount,noatime,uid=100000,gid=110000,dir_mode=0770,file_mode=0770,user=XXX,pass=XXX 0 0

# Mount CIFS share on demand with rwx permissions for use in LXCs (manually added)
//192.168.1.37/torrents /mnt/lxc_shares/torrents_rwx cifs _netdev,x-systemd.automount,noatime,uid==100000,gid=110000,dir_mode=0770,file_mode=0770,user=XXX,pass=XXX 0 0

the conf file of the container:
Code:
## Plex LXC
arch: amd64
cores: 2
features: nesting=1
hostname: plex
memory: 2048
mp0: /mnt/lxc_shares/nas_rwx/,mp=/mnt/nas
net0: name=eth0,bridge=vmbr0,hwaddr=5A:F2:89:C9:C3:CE,ip=dhcp,type=veth
onboot: 1
ostype: ubuntu
rootfs: local-lvm:vm-101-disk-0,size=8G
swap: 512
lxc.cgroup2.devices.allow: c 226:0 rwm
lxc.cgroup2.devices.allow: c 226:128 rwm
The following I see in the LXC container:
Code:
root@plex:/# groups plex
plex : plex video syslog lxc_shares
root@plex:/# cd mnt/nas
root@plex:/mnt/nas# ls -la
total 4
drwxrwx--- 2 100000 110000    0 May  9 09:35 .
drwxr-xr-x 3 root   root   4096 May 11 09:39 ..
drwxrwx--- 2 100000 110000    0 May  8 15:19 books
drwxrwx--- 2 100000 110000    0 May  8 05:23 movies
drwxrwx--- 2 100000 110000    0 May  7 14:26 tvshows

But if I try to access then these folders in the app the nas folder is empty:
View attachment 50272

Thank you for the post TS ! It really helped me to kickstart my proxmox journey.

I also bumped into the same roadblock where I could not see the subfolders, unless i was using TrueNAS VM, because they had a good integration with Plex plugin. However I was not happy with the fact that its resource heavy. So I opted for Plex LXC and Linux Turn Key FileServer.

For the Plex subfolder issue, my solution was this:

1) In Fileserver LXC, create another share called 'plexmedia' (point it to your plex collection)
2) In Plex LXC, get the uid/gid by typing in 'id plex' (in my case it was 999)
3) In PVE host, create a new mount directory. mkdir /mnt/plexmedia
4) In PVE host, put in additional entry into /etc/fstab on top of what you already setup:
Code:
//NAS/plexmedia/ /mnt/plexmedia cifs _netdev,x-systemd.automount,noatime,uid=999,gid=999,dir_mode=0770,file_mode=0770,user=smb_username,pass=smb_password 0 0
5) In PVE host, do a mount -a
6) In PVE host, add in
Code:
{ echo 'mp0: /mnt/plexmedia/,mp=/mnt/plexmedia' ; } | tee -a /etc/pve/lxc/LXC_ID.conf
where LXC_ID is the corresponding number of your LXC (ie 101, 102 103 etc)
7) reboot Plex LXC

Plex needs either to have ownership of the plex media files or be granted Read & Execute if otherwise. I find it easier to create another mapping and give it ownership.

Hope this helps those who are looking for the solution.
 
Last edited:
Yes sure, just google for "fstab smb/cifs credentials file".

Cool, thanks for that. The SMB/CIFS share I'm connecting to is on my Synology NAS, and I had been using my main/only user for access. Having the login info sitting in plain text in /etc/fstab seemed... wrong ;) After setting up a credentials file, I also added another user 'pve' to my NAS which only has access to that particular shared folder. So if something happens to where the credentials file is compromised/exposed, my whole NAS isn't vulnerable. Yay!

I do wish that the Proxmox folks would make this a little more seamless. Maybe add some options when adding a SMB/CIFS storage in the web gui or via pvesm? Just a thought...
 
I must be doing something wrong when editing fstab, but as a complete noob I am not sure what...

root@host:~# mkdir -p /mnt/lxc_shares/nas_rwx root@host:~# cd .. root@host:/# cd etc root@host:/etc# cd fstab -bash: cd: fstab: Not a directory root@host:/etc# nano fstab root@host:/etc# mount /mnt/lxc_shares/nas_rwx mount: /etc/fstab: parse error at line 6 -- ignored mount: /mnt/lxc_shares/nas_rwx: can't find in /etc/fstab. mount: (hint) your fstab has been modified, but systemd still uses the old version; use 'systemctl daemon-reload' to reload. root@host:/etc# systemctl daemon-reload root@host:/etc# mount /mnt/lxc_shares/nas_rwx mount: /etc/fstab: parse error at line 6 -- ignored mount: /mnt/lxc_shares/nas_rwx: can't find in /etc/fstab. root@host:/etc# ls

Can someone help ?
 
I copy pasted what the tutorial gave :

{ echo '' ; echo '# Mount CIFS share on demand with rwx permissions for use in LXCs (manually added)' ; echo '//192.168.1.25/videos/ /mnt/lxc_shares/nas_rwx >

(accounting for my NAS ip), I assumed there might be a formating error ?
 
I copy pasted what the tutorial gave :

Code:
{ echo '' ; echo '# Mount CIFS share on demand with rwx permissions for use in LXCs (manually added)' ; echo '//192.168.1.25/videos/ /mnt/lxc_shares/nas_rwx >

It looks like you're missing quite a bit:

Code:
{ echo '' ; echo '# Mount CIFS share on demand with rwx permissions for use in LXCs (manually added)' ; echo '//NAS/nas/ /mnt/lxc_shares/nas_rwx cifs _netdev,x-systemd.automount,noatime,uid=100000,gid=110000,dir_mode=0770,file_mode=0770,user=smb_username,pass=smb_password 0 0' ; } | tee -a /etc/fstab

You may need to scroll to highlight *all* the text in that box in the tutorial...
 
Last edited:
Indeed, it looked fine in nano...

I redid the steps, still same result...

{ echo '' ; echo '# Mount CIFS share on demand with rwx permissions for use in LXCs (manually added)' ; echo '//192.168.1.25/videos/ /mnt/lxc_shares/nas_rwx cifs _netdev,x-systemd.automount,noatime,uid=100000,gid=110000,dir_mode=0770,file_mode=0770,user=startide,pass=password 0 0' ; } | tee -a /etc/fstab

Code:
root@host:/etc# mount /mnt/lxc_shares/nas_rwx
mount: /etc/fstab: parse error at line 6 -- ignored
mount: /mnt/lxc_shares/nas_rwx: can't find in /etc/fstab.
 
Dunno, man. Are you *sure* that's line 6? It's more like line 9 or 10 in my /etc/fstab.

There's an error in there somewhere, that wasn't there before you messed with the file, and isn't in mine or others, so it's something on your end.
 
Ah. I see the problem ;)

That part where it says
Code:
{ echo '' ; echo '# Mount CIFS share on demand with rwx permissions for use in LXCs (manually added)' ; echo '//NAS/nas/ /mnt/lxc_shares/nas_rwx cifs _netdev,x-systemd.automount,noatime,uid=100000,gid=110000,dir_mode=0770,file_mode=0770,user=smb_username,pass=smb_password 0 0' ; } | tee -a /etc/fstab
... is a (very short one-liner) shell script that basically appends the text *into* `/etc/fstab` for you. You were supposed to copy-paste it into the shell terminal, not your editor.

Literally, it prints a blank line (` `), then it prints a line with a comment (`# Mount CIFS share...'), then it prints a third line with the actual fstab entry (`//192.168.1.25/videos/...') to stdout (standard output, and then 'pipes' that (|) to the `tee` command which appends those lines to /etc/fstab.

You can either go in and try to clean up what you have, or just delete everything you added to /etc/fstab, save it and exit back to the command prompt, then paste that command at the prompt and hit <enter>. It should append all the right stuff (a blank line for space, a comment line, and then the actual mount entry line) to the tail of `/etc/fstab`.
 
Last edited:
Thanks a bunch, I feel stupid now cause I wondered at one point if that wasn't my mistake :p

Moving forward to step 3, I can't mount it :

Code:
root@host:/etc# mount /mnt/lxc_shares/nas_rwx
mount error(16): Device or resource busy
Refer to the mount.cifs(8) manual page (e.g. man mount.cifs) and kernel log messages (dmesg)
 
Moving forward to step 3, I can't mount it :

Code:
root@host:/etc# mount /mnt/lxc_shares/nas_rwx
mount error(16): Device or resource busy
Refer to the mount.cifs(8) manual page (e.g. man mount.cifs) and kernel log messages (dmesg)

Yah... I ran into that tonight. Worked fine last night, but I'd been mucking about and suddenly it didn't. Try unmounting (umount) it, and then remount it using `mount -a` to "mount all".
 
  • Like
Reactions: Startide
just to be clear : when I mount -a I still need to mount /mnt/lxc_shares... or it's already covered ?

edit : tried and it's good :) thanks a lot for the help ! that was most helpful
 
Last edited:

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!