[TUTORIAL] Tutorial: Unprivileged LXCs - Mount CIFS shares

Nope. `mount -a` should mount everything listed in /etc/fstab (as I understand it). Assuming it doesn't spit any errors back, you can confirm that it mounted correctly by doing a quick 'ls' of the folder.
 
  • Like
Reactions: Startide
Another simpler way is to mount the share at the point you want it on the lxc disk from the host.
Seem to be a lot more responsive too.
You follow the first few step and instead of creating a mp in the lxc, just make the fstab mount point something like:
/zfs10-pool/subvol-106-disk-0/srv/nas-share
Once it's mounted the lxc sees it immediately and it can be mounted and unmounted from the host without restarting the container.
Just make sure permissions on the folder are right in the lxc and the share. eg fstab line:
ggldrive: /zfs10-pool/subvol-103-disk-0/srv/storage/ggldrive/ rclone noauto,rw,args2env,allow_other,gid=100100,uid=101000,file_perms=0660,dir_perms=0770,config=/root/.config/rclone/rclone.conf,vfs_cache_mode=full,cache_dir=/var/cache/rclone/ggldrive 0 0
 
Excellent guide! Thank you so much!

This worked well for me running a domain setup. Here are my particulars:
  • Running TrueNas Scale in a VM
  • Active Directory Domain - you must use an AD account for CIFS shares. Leave it wide open in Truenas and manage access in AD.
  • fstab must include domain info. Easiest to use a separate file. fstab line option: "credentials=/location/filename". I placed it in /root/
    • Credentials file needs 3 lines:
      • username=<username>
      • password=<password>
      • domain=<domain-name>
  • I am running Docker/Portainer in 1 of my containers. Make sure you set the ENV PGID=10000 (to make the setup)
Cheers!
 
Last edited:
Kodey said:
Another simpler way is to mount the share at the point you want it on the lxc disk from the host.
Seem to be a lot more responsive too.
You follow the first few step and instead of creating a mp in the lxc, just make the fstab mount point something like:
/zfs10-pool/subvol-106-disk-0/srv/nas-share
Once it's mounted the lxc sees it immediately and it can be mounted and unmounted from the host without restarting the container.
Just make sure permissions on the folder are right in the lxc and the share. eg fstab line:
ggldrive: /zfs10-pool/subvol-103-disk-0/srv/storage/ggldrive/ rclone noauto,rw,args2env,allow_other,gid=100100,uid=101000,file_perms=0660,dir_perms=0770,config=/root/.config/rclone/rclone.conf,vfs_cache_mode=full,cache_dir=/var/cache/rclone/ggldrive 0 0
Click to expand...
Can you elaborate a bit more on this and give a minimal working example for a CIFS share (step by step)?
I understood some aspects of it but not all.
 
@TheHellSite, it's really very simple. No need for complex steps.
Just mount your cifs share the same way you normally do, but mount it under the lxc disk.
That share is then visible from the container and can be accessed as if it was part of the guest filesystem.
eg:
host # mount -t cifs -o username=<win_share_user> //WIN_SHARE_IP/<share_name> /zfs10-pool/subvol-103-disk-0/srv/<share_name>
guest # ls /srv/<share_name>
windows_files

I'm actually mounting several cloud storage devices at that location and resharing them with the guest as a windows samba server so the whole network can access those cloud storage systems with a single windows share
 
Kodey said:
@TheHellSite, it's really very simple. No need for complex steps.
Just mount your cifs share the same way you normally do, but mount it under the lxc disk.
That share is then visible from the container and can be accessed as if it was part of the guest filesystem.
eg:
host # mount -t cifs -o username=<win_share_user> //WIN_SHARE_IP/<share_name> /zfs10-pool/subvol-103-disk-0/srv/<share_name>
guest # ls /srv/<share_name>
windows_files

I'm actually mounting several cloud storage devices at that location and resharing them with the guest as a windows samba server so the whole network can access those cloud storage systems with a single windows share
Click to expand...
Okay, I understand. Very clever indeed. However this will only work if your LXCs are stored on a ZFS/BTRFS volume.
Therefore I still prefer my solution since it works with any type of storage.
 
Last edited:
I haven't tested it with any other storage types, but I don't see how it wouldn't apply.
Any storage which can be mounted on the host should work.
What makes you so sure it only applies to those storage types?
 
I think that many people, including me, are using ext4 (Directory) as type for their VM/LXC storage.
Why? Because ZFS on consumer grade SSDs tends to cause problems due to the lack of available cache.

Your solution makes use of a feature called "subvolumes" that not all filesystems support (f.e. ext4).
 
Last edited:
TheHellSite said:
I think that many people, including me, are using ext4 (Directory) as type for their VM/LXC storage.
Why? Because ZFS on consumer grade SSDs tends to cause problems due to the lack of available cache.

Your solution makes use of a feature called "subvolumes" that not all filesystems support (f.e. ext4).
Click to expand...
If you are refering to subvol names in the path , this has nothing to do with ZFS, it is the usual path of a lxc container location seen from the host.

My 0.2 cents.
 
I've tried this tutorial and followed the steps. I can see the remote share with 'ls /mnt/lxc_shares/nas_rwx/'. Have also created the group, added the lxc user and the 100.conf has the mp0 entry, generated from the command.
But when I start the lxc, 'ls /mnt' is empty. Is there something more necessary in the container?

edit:
I have tried now in another lxc and it works. The difference that I see is that the not working lxc has some snapshots and the mp is added to the last. But this looks ok?

edit2:
ok it works, I have moved the mp0 entry to the first block in the 100.conf file.

thanks, Johannes
 
Last edited:
maybe it has changed in the meantime, but the mp:0 -> mp syntay in the lxc container config does not work anymore. The share folder is empty. What works is this syntax:

lxc.mount.entry = /mnt/newdir /var/lib/lxc/mycontainer/rootfs/mnt/newdir none bind 0 0
 
This is exactly what I've been trying to find for my plex container.

I can currently Filezilla FTP into the host and drop files into the mount point for my unprivileged lxc container to access. However, I feel this is... not best practice?

So I would like to share the lxc mount point folder via my network so I can access it anywhere and drop files in as needed. I did what you have above and everything seems to have gone through OK. (I added root instead of making a new user... don't know how lol). But when I try to access it in say windows 10 - \\192.168.2.42\mnt\plex, where this is the ip of my plex container, it says it can't find it. When a "media_library" folder should pop up.
 
Last edited:
Hello there,
first of all: Thanks for this tutorial! It helped me to configure a paperless-ngx LXC in a way that all documents are stored on a NAS within my network.

There is one thing I haven't figured out, yet. When I try to migrate the LXC from one node to another the process gets aborted:
2023-12-09 19:44:08 shutdown CT 106
2023-12-09 19:44:10 starting migration of CT 106 to node 'pve1' (172.21.0.10)
2023-12-09 19:44:10 ignoring shared 'bind' mount point 'mp0' ('/mnt/lxc_shares/nas_rwx/')
2023-12-09 19:44:10 found local volume 'vmpool:subvol-106-disk-0' (in current VM config)
2023-12-09 19:44:10 start replication job
2023-12-09 19:44:10 end replication job with error: unable to replicate mountpoint type 'bind'
2023-12-09 19:44:10 ERROR: unable to replicate mountpoint type 'bind'
Click to expand...

As a workaround I can remove the bind mount before migration an add it again afterwards. But thats only an option when migrating manually. My goal is to add this LXC to HA live migration.

Is there something I'm missing?


Update / Solution:
As the official documentation states you can exclude mount points from replication by setting 'replicate=0'. After adjusting my LXC_ID.conf accordingly everything went fine.

Here is my final mount:
Code: 
mp0: /mnt/share/ds718/paperless-ngx/,mp=/mnt/nas,replicate=0,shared=1
 
Last edited:
I have a major problem; I had Plex installed under Proxmox and Debian container as LXC.
Previously, I used to mount the SMB shares using this command:
'mount -t cifs -o rw,vers=3.0,credentials=/root/.smbcredentials //192.168.178.86/j /mnt/j.' in LXE Host
However, the share arrived in the Plex LXC container with the user group 'nobody/nogroup.'
This allowed me to at least read files in Plex (media library).
Now, for the future and to have write permissions on the SMB shares, I followed this guide and implemented the shares in fstab.
The strange thing is, the /mnt shares are correctly mounted and displayed in the command line on container 107 in Plex LXC.
But as soon as I start Plex and try to add the drives as Media Library for movies, I cannot see any files or folders.
I always bypassed the shares to the respective container under Proxmox, for example: 'pct set 107 -mp0 /mnt/j,mp=/mnt/j.'
Could it be that Plex was installed under a different user?
Is it possible to change the user rights of Plex or the container so that I can see files within the program itself?
I don't understand exactly what I did wrong.
this is 107.conf:
Code: 
arch: amd64
cores: 4
features: nesting=1
hostname: pPlex
memory: 4096
mp0: /mnt/lxc_shares/e,mp=/mnt/e
mp1: /mnt/lxc_shares/f,mp=/mnt/f
mp2: /mnt/lxc_shares/g,mp=/mnt/g
mp3: /mnt/lxc_shares/h,mp=/mnt/h
mp4: /mnt/lxc_shares/i,mp=/mnt/i
mp5: /mnt/lxc_shares/j,mp=/mnt/j
mp6: /mnt/lxc_shares/e,mp=/mnt/lxc_shares/e,shared=1
net0: name=eth0,bridge=vmbr0,firewall=1,hwaddr=BC:24:11:52:57:C6,ip=dhcp,type=veth
onboot: 1
ostype: debian
rootfs: local-lvm:vm-107-disk-0,size=8G
swap: 4096
unprivileged: 1

this is fstab:
Code: 
# <file system> <mount point> <type> <options> <dump> <pass>
/dev/pve/root / ext4 errors=remount-ro 0 1
UUID=F2E8-1C20 /boot/efi vfat defaults 0 1
/dev/pve/swap none swap sw 0 0
proc /proc proc defaults 0 0

# Mount CIFS share on demand with rwx permissions for use in LXCs (manually added)
#//192.168.178.86/e/ /mnt/lxc_shares/e cifs _netdev,x-systemd.automount,noatime,uid=10000,gid=110000,dir_mode=0770,file_mode=0770,user=Administ,pass=pass 0 0

//192.168.178.86/e/ /mnt/lxc_shares/e cifs _netdev,x-systemd.automount,noatime,uid=100000,gid=110000,dir_mode=0770,file_mode=0770,user=Administ,pass=pass 0 0
//192.168.178.86/f/ /mnt/lxc_shares/f cifs _netdev,x-systemd.automount,noatime,uid=100000,gid=110000,dir_mode=0770,file_mode=0770,user=Administ,pass=pass 0 0
//192.168.178.86/g/ /mnt/lxc_shares/g cifs _netdev,x-systemd.automount,noatime,uid=100000,gid=110000,dir_mode=0770,file_mode=0770,user=Administ,pass=pass 0 0
//192.168.178.86/h/ /mnt/lxc_shares/h cifs _netdev,x-systemd.automount,noatime,uid=100000,gid=110000,dir_mode=0770,file_mode=0770,user=Administ,pass=pass 0 0
//192.168.178.86/i/ /mnt/lxc_shares/i cifs _netdev,x-systemd.automount,noatime,uid=100000,gid=110000,dir_mode=0770,file_mode=0770,user=Administ,pass=pass 0 0
//192.168.178.86/j/ /mnt/lxc_shares/j cifs _netdev,x-systemd.automount,noatime,uid=100000,gid=110000,dir_mode=0770,file_mode=0770,user=Administ,pass=pass 0 0
//192.168.178.86/ebooks/ /mnt/lxc_shares/ebooks cifs _netdev,x-systemd.automount,noatime,uid=100000,gid=110000,dir_mode=0770,file_mode=0770,user=Administ,pass=pass 0 0
//192.168.178.86/music/ /mnt/lxc_shares/music cifs _netdev,x-systemd.automount,noatime,uid=100000,gid=110000,dir_mode=0770,file_mode=0770,user=Administ,pass=pass 0 0
 
Last edited:
Just to be sure: There's no way to do this from within an unprivileged LXC container (e.g. when when a docker-compose file references a cifs share as volume, running on docker inside the container)?
 
Would this work with 1) a share from a VM on the same machine as the unprivileged LXC?, and 2) an NFS instead of CIFS share?
 
derbaer said:
I have a major problem; I had Plex installed under Proxmox and Debian container as LXC.
Previously, I used to mount the SMB shares using this command:
'mount -t cifs -o rw,vers=3.0,credentials=/root/.smbcredentials //192.168.178.86/j /mnt/j.' in LXE Host
However, the share arrived in the Plex LXC container with the user group 'nobody/nogroup.'
This allowed me to at least read files in Plex (media library).
Now, for the future and to have write permissions on the SMB shares, I followed this guide and implemented the shares in fstab.
The strange thing is, the /mnt shares are correctly mounted and displayed in the command line on container 107 in Plex LXC.
But as soon as I start Plex and try to add the drives as Media Library for movies, I cannot see any files or folders.
I always bypassed the shares to the respective container under Proxmox, for example: 'pct set 107 -mp0 /mnt/j,mp=/mnt/j.'
Could it be that Plex was installed under a different user?
Is it possible to change the user rights of Plex or the container so that I can see files within the program itself?
I don't understand exactly what I did wrong.
this is 107.conf:
Code: 
arch: amd64
cores: 4
features: nesting=1
hostname: pPlex
memory: 4096
mp0: /mnt/lxc_shares/e,mp=/mnt/e
mp1: /mnt/lxc_shares/f,mp=/mnt/f
mp2: /mnt/lxc_shares/g,mp=/mnt/g
mp3: /mnt/lxc_shares/h,mp=/mnt/h
mp4: /mnt/lxc_shares/i,mp=/mnt/i
mp5: /mnt/lxc_shares/j,mp=/mnt/j
mp6: /mnt/lxc_shares/e,mp=/mnt/lxc_shares/e,shared=1
net0: name=eth0,bridge=vmbr0,firewall=1,hwaddr=BC:24:11:52:57:C6,ip=dhcp,type=veth
onboot: 1
ostype: debian
rootfs: local-lvm:vm-107-disk-0,size=8G
swap: 4096
unprivileged: 1

this is fstab:
Code: 
# <file system> <mount point> <type> <options> <dump> <pass>
/dev/pve/root / ext4 errors=remount-ro 0 1
UUID=F2E8-1C20 /boot/efi vfat defaults 0 1
/dev/pve/swap none swap sw 0 0
proc /proc proc defaults 0 0

# Mount CIFS share on demand with rwx permissions for use in LXCs (manually added)
#//192.168.178.86/e/ /mnt/lxc_shares/e cifs _netdev,x-systemd.automount,noatime,uid=10000,gid=110000,dir_mode=0770,file_mode=0770,user=Administ,pass=pass 0 0

//192.168.178.86/e/ /mnt/lxc_shares/e cifs _netdev,x-systemd.automount,noatime,uid=100000,gid=110000,dir_mode=0770,file_mode=0770,user=Administ,pass=pass 0 0
//192.168.178.86/f/ /mnt/lxc_shares/f cifs _netdev,x-systemd.automount,noatime,uid=100000,gid=110000,dir_mode=0770,file_mode=0770,user=Administ,pass=pass 0 0
//192.168.178.86/g/ /mnt/lxc_shares/g cifs _netdev,x-systemd.automount,noatime,uid=100000,gid=110000,dir_mode=0770,file_mode=0770,user=Administ,pass=pass 0 0
//192.168.178.86/h/ /mnt/lxc_shares/h cifs _netdev,x-systemd.automount,noatime,uid=100000,gid=110000,dir_mode=0770,file_mode=0770,user=Administ,pass=pass 0 0
//192.168.178.86/i/ /mnt/lxc_shares/i cifs _netdev,x-systemd.automount,noatime,uid=100000,gid=110000,dir_mode=0770,file_mode=0770,user=Administ,pass=pass 0 0
//192.168.178.86/j/ /mnt/lxc_shares/j cifs _netdev,x-systemd.automount,noatime,uid=100000,gid=110000,dir_mode=0770,file_mode=0770,user=Administ,pass=pass 0 0
//192.168.178.86/ebooks/ /mnt/lxc_shares/ebooks cifs _netdev,x-systemd.automount,noatime,uid=100000,gid=110000,dir_mode=0770,file_mode=0770,user=Administ,pass=pass 0 0
//192.168.178.86/music/ /mnt/lxc_shares/music cifs _netdev,x-systemd.automount,noatime,uid=100000,gid=110000,dir_mode=0770,file_mode=0770,user=Administ,pass=pass 0 0
Click to expand...
I ran into this same issue. It's a permissions issue and I fixed it with (change dir_mode and file_mode) :
Code: 
{ echo '' ; echo '# Mount CIFS share on demand with rwx permissions for use in LXCs (manually added)' ; echo '//NAS/nas/ /mnt/lxc_shares/nas_rwx cifs _netdev,x-systemd.automount,noatime,uid=100000,gid=110000,dir_mode=0777,file_mode=0774,user=smb_username,pass=smb_password 0 0' ; } | tee -a /etc/fstab


Note that I didn't say the way I fixed it is the best/most secure way. Just that plex can see the subfolders now.
 
Thank you for the tutorial and I appreciate everyone's discussion here. I would like to make my LXC 'migratable' around my cluster.
My question: Is there a reason not to bind the mount point created when adding a SMB/CIFS share to the datacenter storage? This looks like it is automatically mounted under /mnt/pve on all hosts that the storage is assigned to. Looking at the reply below as a starting point.
argylesocks said:
Thanks for this post, extremely helpful!

One minor addition, adding ",shared=1" to the end of the bind mount line in /etc/pve/lxc/LXC_ID.conf will enable that container to be migrated across Proxmox nodes. It basically tells Proxmox to ignore the bind mounts, and without it will refuse to migrate. Of course if you don't have those CIFS mounts on the target node, I expect something would go poorly, but I didn't test that-- with the same CIFS mounts on every node it works perfectly.
Click to expand...
 
Hi, thanks for this tutorial, I followed it and was able to mount my OMV NAS within my plex container. I can see all of the files mounted under /mnt/nas. However withinm Plex the files don't show up. What could be the issue?
 
You must log in or register to reply here.

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Quick Navigation

Home Get Subscription Wiki Downloads Proxmox Customer Portal About

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!
Community platform by XenForo® © 2010-2024 XenForo Ltd.
Top Bottom
Back