Unprivileged LXC + LAMP - nextcloudhub - onlyoffice ...

gusto

I currently use Proxmox 6.3-4.
One LXC is used for websites (Debian 9 LAMP).
I mainly run Nextcloud 17 (wp, joomla, etc.).
Now I would like to install a new Debian 10 LXC with Nextcloud Hub + OnlyOffice (I want to cancel the old Nextcloud then).
I've read a lot about privileged LXCs being very dangerous.
Now I would like to use an unprivileged LXC, but I'm afraid not everything will work as in a privileged LXC.
I was looking for some comprehensive instructions for unprivileged LXC - LAMP - Nextcloud Hub - OnlyOffice, but I couldn't find anything interesting.

I may have searched badly, but are there any quality instructions on how to properly and safely install LAMP - Nextcloud Hub etc. in an unprivileged LXC?

thx
 
hi,

I've read a lot about privileged LXCs being very dangerous.
Now I would like to use an unprivileged LXC, but I'm afraid not everything will work as in a privileged LXC.
Most things will still work out of the box. My suggestion is to just try, and if you get stuck somewhere, ask here :)
 
I installed an unprivileged LXC (108) and the latest Nextcloud including OnlyOffice. Everything works perfectly.
I am currently using an old Nextcloud (privileged LXC 101), see picture. I have a dataset mounted in the LXC:
Code:
pct set 101 -mp0 /datapool/nextcloud,mp=/mnt/sdb/nextcloud
Now I have unmounted the dataset from LXC 101 and mounted it to LXC 108.
I rebooted LXC 101 and 108.

Code:
pct set 108 -mp0 /datapool/nextcloud,mp=/mnt/sdb/nextcloud

When I look into /mnt/sdb/nextcloud it is empty. I don't know where I'm making a mistake
 

Bind-mounting stuff into an unprivileged LXC isn't that easy because users and groups get remapped. The user with UID 0 (root) inside the LXC is the user with UID 100000 on the host. The user with UID 1000 in the LXC is user 101000 on the host, etc. Everything is mapped from 0-65365 to 100000-165365.
So you need to do manual remapping of users to be able to have rights from inside the LXC to access a folder on the host. Let's say your Nextcloud user inside the LXC is UID 500. Your old Nextcloud folder was owned by UID 500 on the host too. With privileged LXCs that wasn't a problem because there was no remapping and UID 500 inside the LXC was the same user as UID 500 on the host. So you need to rewrite the remapping so UID 500 inside the LXC isn't remapped to UID 100500 on the host but stays at UID 500 instead.
Look here for an example: https://pve.proxmox.com/wiki/Unprivileged_LXC_containers
 
The mount is performed correctly:
Code:
pct set 108 -mp0 /datapool/nextcloud,mp=/mnt/sdb/nextcloud

Code:
arch: amd64
cores: 2
hostname: web-debian-test
memory: 2048
mp0: /datapool/nextcloud,mp=/var/www/nextcloud-data
net0: name=eth0,bridge=vmbr1,gw=192.168.1.1,hwaddr=26:40:D5:E4:61:86,ip=192.168.1.108/24,type=veth
onboot: 1
ostype: debian
rootfs: local-zfs:subvol-108-disk-0,size=16G
swap: 2048
unprivileged: 1

I also read other forum posts. Everyone sees the data, but read-only. I don't see any data. If I want to access the directory in MC, it's not possible.
I will do the UID and GID mapping in the second phase. First I would like to solve the mount.
 

What are the rights of "/datapool/nextcloud" on the host? If chmod is something like 750, then you can't even see anything inside the LXC, because only the owner and group are allowed to read it and you aren't part of either anymore.
 
Inside the LXC
Code:
jany@web-debian-test:/var/www$ ls -la
total 26
drwxr-xr-x  4 root   root     4 Jun 23 12:46 .
drwxr-xr-x 12 root   root    14 Jun  7 14:26 ..
drwxr-xr-x  4 root   root     5 Jun  7 15:23 html
drwxrwx---  5 nobody nogroup  9 Jan 16 16:50 nextcloud-data
On the host
Code:
root@local-proxmox:~# ls -la /datapool
total 18
drwxr-xr-x  3 root     root      3 Jan  9 11:41 .
drwxr-xr-x 19 root     root     25 Jan  9 11:18 ..
drwxrwx---  5 www-data www-data  9 Jan 16 16:50 nextcloud
 
Yeah, so the folder is set to chmod 770, which means only the owner and the group are allowed to read/write/execute. All other users can't even read it.
"nobody" and "nogroup" aren't www-data, so you can't access the folder. So you need to change the remapping and it should work like before.

Look up what UID the user "www-data" (id -u www-data) and what GID the group "www-data" (id -g www-data) have on the host.
Look up what UID the user "www-data" and what GID the group "www-data" have inside the LXC.
Then change the remapping so the UID/GID from the LXC are mapped to the UID/GID of the host.
Then the bind-mounted folder should be owned by user/group "www-data" inside the LXC too and you get no problems accessing or writing to it.
Because right now you are probably trying to access the folder as UID 100033, but it is owned by UID 33.
 
Thank you very much for your answer.
When I check the GID and UID of the host
Code:
id -g www-data
33
id -u www-data
33
inside the LXC
Code:
id -g www-data
33
id -u www-data
33
Is that all right?
 
Is that all right?
Your LXC is reporting UID 33 but because of the remapping it is UID 100033 in reality from the view of the host.
The folder allows access for the user with UID 33 but because you are accessing it with UID 100033 you have no rights to access it.

So you need to change the remapping this way:
UID 0-32 (LXC) to 100000-100032 (host).
UID 33 (LXC) to UID 33 (host).
UID 34-65365 (LXC) to 100034-165365 (host).
 
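The three-range split described above (remapped block, one pass-through ID, remainder) is easy to get wrong by hand, especially the lengths. The following is an added example, not code from the thread or from Proxmox: a shell function that emits the lxc.idmap lines for the Proxmox default 65536-ID range based at 100000, passing through any number of host IDs 1:1, plus the matching /etc/subuid and /etc/subgid entries root needs for the host to permit that mapping. The base and size are assumptions matching the Proxmox defaults; adjust them if your host uses different subuid ranges.

```shell
#!/bin/bash
# Generate lxc.idmap lines that map a container's 0-65535 range onto the
# host's 100000-165535 range (assumed Proxmox default) while passing the
# given IDs through unchanged, e.g. 33 for www-data.
#
# Usage: gen_idmap 33          -> lines for /etc/pve/lxc/<vmid>.conf
#        gen_subid 33          -> lines for /etc/subuid and /etc/subgid

gen_idmap() {
    local base=100000 size=65536 start=0 id
    # Sort numerically and drop duplicates so the ranges come out in order.
    for id in $(printf '%s\n' "$@" | sort -n -u); do
        if [ "$id" -lt "$start" ] || [ "$id" -ge "$size" ]; then
            echo "id $id outside 0-$((size - 1))" >&2
            return 1
        fi
        # Remapped block before the pass-through ID (skipped when empty).
        if [ "$id" -gt "$start" ]; then
            echo "lxc.idmap: u $start $((base + start)) $((id - start))"
            echo "lxc.idmap: g $start $((base + start)) $((id - start))"
        fi
        # The pass-through ID maps to itself on the host.
        echo "lxc.idmap: u $id $id 1"
        echo "lxc.idmap: g $id $id 1"
        start=$((id + 1))
    done
    # Remainder of the range after the last pass-through ID.
    if [ "$start" -lt "$size" ]; then
        echo "lxc.idmap: u $start $((base + start)) $((size - start))"
        echo "lxc.idmap: g $start $((base + start)) $((size - start))"
    fi
}

# Entries root needs in /etc/subuid and /etc/subgid; without them the
# container refuses to start because root may not delegate those IDs.
gen_subid() {
    local id
    for id in $(printf '%s\n' "$@" | sort -n -u); do
        echo "root:$id:1"
    done
}
```

Every length is computed from the neighbouring boundaries, so the u and g lines always cover 0-65535 exactly once with no gaps or overlaps. The mapping only makes UID 33 inside the container equal to UID 33 on the host; it does not grant the container any other host privilege, which is the reason to pass through single IDs rather than widen the whole range.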
Thank you very much for your answer.
I did the following
In host
Code:
nano /etc/pve/lxc/108.conf
I added to the configuration file
Code:
mp0: /datapool/nextcloud,mp=/mnt/sdb/nextcloud
lxc.idmap: u 0 100000 33
lxc.idmap: g 0 100000 33
lxc.idmap: u 33 33 1
lxc.idmap: g 33 33 1
lxc.idmap: u 34 100034 65502
lxc.idmap: g 34 100034 65502
Code:
nano /etc/subuid
I added to the configuration file
Code:
root:33:1
Code:
nano /etc/subgid
I added to the configuration file
Code:
root:33:1
Code:
chown -R 33:33 /datapool/nextcloud
LXC reboot.
Now that I check the result in LXC
Code:
ls -la /mnt/sdb
total 10
drwxr-xr-x 3 root     root     3 Jun 26 13:11 .
drwxr-xr-x 3 root     root     3 Jun 26 13:11 ..
drwxr-xr-x 5 www-data www-data 9 Jan 16 16:50 nextcloud
Is everything okay?
Inside the LXC I see /var/www/html (nobody nogroup).
Why?

Code:
ls -la /var/www/html
total 35
drwxr-xr-x  4 www-data www-data     5 Jun  7 15:23 .
drwxr-xr-x  4 root     root         4 Jun 23 12:46 ..
-rw-r--r--  1 www-data www-data 10701 Jun  7 14:26 index.html
drwxr-xr-x 13 nobody   nogroup     31 Jun  7 15:02 phpmyadmin
drwxr-xr-x 14 nobody   nogroup     28 Jun 21 16:01 www.nextcloud.info
 
I'm not completely sure, but an explanation would be that the old www-data user inside the LXC was 100033, so all old files/folders created inside the LXC are still owned by UID 100033. But now the www-data user is UID 33, so the old files belong to another user. You might need to chown all files owned by UID 100033 to UID 33.

The command find / -user 100033 should show you all files/folders that are owned by UID 100033.
 
