weird mount permissions

mihaib (New Member, joined Oct 10, 2024, Amsterdam)
Hi all,
I am running 8.4.0 and I just reinstalled one LXC.
I used the same mount line in the LXC config file under /etc/pve/lxc/***.conf
mp0: /mnt/pve/Media/,mp=/media/

I did the same with this new LXC. The mount works, but the permissions are messed up:
root@Radarr:~# ls -la /media/
total 24
drwxr-xr-x 2 nobody nogroup 0 Jun 13 19:08 .
drwxr-xr-x 18 root root 4096 Jun 20 18:28 ..
drwxr-xr-x 2 nobody nogroup 0 Dec 11 2024 AudioBooks
drwxr-xr-x 2 nobody nogroup 0 Jan 19 23:31 Books
drwxr-xr-x 2 nobody nogroup 0 Jan 19 00:42 Concerte
drwxr-xr-x 2 nobody nogroup 0 Feb 22 13:25 Desene

Any idea why this happens?
Thank you
This happens because of the way unprivileged LXCs handle user namespaces in Proxmox.

So basically, host files owned by 1000, container looking for 101000, 1000 doesn't exist. A bit more detailed...

When you make an unprivileged LXC, the below happens (container IDs are shifted up by 100000 on the host):
Code:
Container UID 0 (root)     -> Host UID 100000
Container UID 1000 (user)  -> Host UID 101000
Container UID 2369         -> Host UID 102369

When you mount it into the container...
Code:
# host side
ls -la /mnt/pve/Media/
drwxr-xr-x 2 user1 user1 4096 Jun 20 10:00 Stuff  # host UID 1000

# inside the container
ls -la /media/
drwxr-xr-x 2 nobody nogroup 0 Jun 13 19:08 Stuff  # unmapped UID shows as nobody/nogroup



You have a few options, some of which are...

- Add UID and GID mapping to the appropriate lxc.conf, something like below.
*Slightly more effort but best balance
Code:
lxc.idmap: u 0 100000 1000
lxc.idmap: g 0 100000 1000
lxc.idmap: u 1000 1000 1
lxc.idmap: g 1000 1000 1
lxc.idmap: u 1001 101001 64535
lxc.idmap: g 1001 101001 64535

- Use bind mount options, something like...
*Easy but not typically recommended for prod; if it's your own single-use instance this is ok
Code:
mp0: /mnt/pve/Media/,mp=/media/,uid=1000,gid=1000


- Make the container privileged
*Probably the "easiest" but introduces a lot of security gaps
Would require a backup/restore as privileged
You can also change the file owners/groups on the Proxmox host to match the unprivileged LXC container with something like chown -R 101000:101000 /mnt/pve/Media if you are fine with all files having the same owner.
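Putting the two replies together as an added worked example (this is editor-written shell, not code from the thread, from Proxmox, or from either poster): it translates a host UID or GID through a set of lxc.idmap ranges the way the kernel does, reproduces the nobody:nogroup result from the question under the default map, shows what the chown -R 101000:101000 approach yields, generates the pass-through map from the first reply for any single host id, and lists the /etc/subuid and /etc/subgid delegations the host needs before a CT with a custom map will start. Assumptions: CTID 101 is hypothetical, the stock root:100000:65536 delegation is already present in /etc/subuid and /etc/subgid as on a default Proxmox install, and 65534 is the kernel's overflow id that the container renders as nobody/nogroup.

```shell
#!/bin/sh
# Added example (not from the thread): model lxc.idmap translation and the
# host-side delegation it needs. idmap lines use the syntax found in
# /etc/pve/lxc/<CTID>.conf:  <u|g> <container_start> <host_start> <count>

# Implicit default for an unprivileged CT (Proxmox applies this even when
# nothing is written in the .conf).
DEFAULT_IDMAP='u 0 100000 65536
g 0 100000 65536'

# The explicit map from the first reply: host UID/GID 1000 passed through,
# everything else shifted into the 100000+ range.
PASSTHROUGH_IDMAP='u 0 100000 1000
g 0 100000 1000
u 1000 1000 1
g 1000 1000 1
u 1001 101001 64535
g 1001 101001 64535'

# host_to_container <u|g> <host_id> <idmap>
# Prints the id the container sees for a file owned by <host_id> on the host,
# or 65534 when the host id lies outside every mapped range. 65534 is the
# overflow id, shown inside the container as nobody/nogroup, which is exactly
# the listing in the question.
host_to_container() {
  printf '%s\n' "$3" | awk -v k="$1" -v h="$2" '
    $1 == k && h >= $3 && h < $3 + $4 { print $2 + h - $3; found = 1; exit }
    END { if (!found) print 65534 }'
}

# passthrough_idmap <id>
# Generalises the reply's map to any single host id: container ids 0..id-1
# are shifted, id is kept as itself, id+1..65535 are shifted again. The three
# ranges always total 65536 ids, which is what the default range covers.
passthrough_idmap() {
  id=$1
  if [ "$id" -lt 1 ] || [ "$id" -gt 65534 ]; then
    echo "id must be between 1 and 65534" >&2
    return 1
  fi
  rest=$((65535 - id))
  for k in u g; do printf '%s 0 100000 %s\n' "$k" "$id"; done
  for k in u g; do printf '%s %s %s 1\n' "$k" "$id" "$id"; done
  for k in u g; do
    printf '%s %s %s %s\n' "$k" "$((id + 1))" "$((100000 + id + 1))" "$rest"
  done
}

# extra_subid_entries <u|g> <idmap>
# Prints the /etc/subuid (u) or /etc/subgid (g) lines that are not already
# covered by the stock root:100000:65536 delegation. A custom lxc.idmap range
# that root is not allowed to use in these files stops the CT from starting.
extra_subid_entries() {
  printf '%s\n' "$2" | awk -v k="$1" '
    $1 == k && !($3 >= 100000 && $3 + $4 <= 165536) { print "root:" $3 ":" $4 }'
}

# render_conf <idmap>: the lines as they are appended to /etc/pve/lxc/<CTID>.conf
render_conf() {
  printf '%s\n' "$1" | sed 's/^/lxc.idmap: /'
}

# Demo (CTID 101 is hypothetical).
echo "host uid 1000 in a default unprivileged CT:        $(host_to_container u 1000 "$DEFAULT_IDMAP")"
echo "host uid 101000 (after chown -R 101000:101000):    $(host_to_container u 101000 "$DEFAULT_IDMAP")"
echo "host uid 1000 with the pass-through map:           $(host_to_container u 1000 "$PASSTHROUGH_IDMAP")"
echo "host uid 101000 with the pass-through map (hole):  $(host_to_container u 101000 "$PASSTHROUGH_IDMAP")"
echo "--- append to /etc/pve/lxc/101.conf ---"
render_conf "$PASSTHROUGH_IDMAP"
echo "--- append to /etc/subuid ---"
extra_subid_entries u "$PASSTHROUGH_IDMAP"
echo "--- append to /etc/subgid ---"
extra_subid_entries g "$PASSTHROUGH_IDMAP"
```

Two practical points fall out of the model. First, the pass-through map and the chown -R 101000:101000 approach do not combine: under the pass-through map, host id 101000 is in a hole between the 100000..100999 and 101001..165535 ranges, so files chowned to 101000 would show up as nobody:nogroup again. Pick one approach per directory. Second, the root:1000:1 line has to go into both /etc/subuid and /etc/subgid on the host, and the container needs a stop/start (pct stop, pct start) for the new map to take effect.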