Skip to content

Instantly share code, notes, and snippets.

@ajmassi
Last active September 26, 2024 19:00
Show Gist options
  • Save ajmassi/e6862294d114467b46f9b7f073921352 to your computer and use it in GitHub Desktop.
Save ajmassi/e6862294d114467b46f9b7f073921352 to your computer and use it in GitHub Desktop.
Create a bind mount from a Proxmox host on an unprivileged lxc container

Proxmox Assign Bind Mount To Unprivileged Container

In order for the LXC container to have full access the proxmox host directory, a subgid is set as owner of a host directory, and an ACL is used to ensure permissions.

Bind Mount dataset to LXC

Add the following line to /etc/pve/lxc/<CT_ID>.conf

mp0:/mount/point/on/host,mp=/mount/point/on/lxc

Create group on host

In the default Proxmox configuration, unpriviliged container subgids will have the prefix "10" followed by the expected 4-digit gid.

addgroup --gid <GID (ie."101000")> <GroupName (ie."container-data")>

Set ACL for shared dataset

Any members of -GID- will have "rwx", new files from -GID- have "rwx" default Note: documentation suggests the "-d" flag should be used to assign default, however I have been able to get the desired result without, so... take that as you will

chgrp -R <GroupName> <Dataset>
chmod -R 2775 <Dataset>
setfacl -Rm g:<GID>:rwx,d:g:<GID>:rwx <Dataset>

Inside your LXC container

Create group

GID needs to match the last 4 digits of the subgid assigned earlier

addgroup --gid <GID (ie."1000")> <GroupName (ie."container-data")>

Add users to new permitted group

usermod -aG <GroupName> <User>

You should now be able to make modifications to the assigned directory on the host system from within the unpriviliged container.


References

https://blog.felixbrucker.com/2015/10/01/how-to-mount-host-directories-inside-a-proxmox-lxc-container/ https://www.reddit.com/r/homelab/comments/4h0erv/resolving_permissions_issues_with_host_bind/

@hisakiyo
Copy link

Thanks, very useful

@oshlom
Copy link

oshlom commented Jul 31, 2022

Thank you
I found this useful as well

@oldercodergithub
Copy link

unfortunatelly not worked for me. still getting permission error.

@BassT23
Copy link

BassT23 commented Jun 11, 2023

work for me (pve 7.4)
thx

@jeroenbeuz
Copy link

Thanks for this! Works perfectly

@rkraken
Copy link

rkraken commented Nov 9, 2023

Thanks! I wasn't familiar with setfacl so I learned something. Couldn't the last command be simplified, given that chmod was already performed?

setfacl -Rm d:g::rwx

@pablomujica
Copy link

Thanks! been going through everything, mapping LXC users UID, but this did it.

The only note I have is that setfacl wasnt installed on my 7.4-3 host. To install it:
apt install acl

@Weyla
Copy link

Weyla commented Dec 3, 2023

This guide made setting up my plex and torrent lxc very quick. Thanks!

@fl3usner
Copy link

fl3usner commented Jan 4, 2024

Thanks mate, helped me a lot! Didn't work for me first, had to reboot the lxc first. Since then, flawless ;)

@docop
Copy link

docop commented Jun 26, 2024

Hi i am still unsure about the id .. and what is dataset.. Do you have an example of usage for mounting a folder for limited acces user to an lxc ?
thanks again

@pablomujica
Copy link

Hi i am still unsure about the id .. and what is dataset.. Do you have an example of usage for mounting a folder for limited acces user to an lxc ? thanks again

GID is the group's ID, and the dataset is the folder you're trying to share. The group ID is something that you decide when creating it here .

example on the Proxmox host:

addgroup --gid 101111 GROUP-NAME

example on the lxc container:

addgroup --gid 1111 GROUP-NAME

where the last 4 digits of the host's group have to match the id for the group in the container.

@KrzysztofKovic
Copy link

Thank you for this. It was very helpful in getting my drive written to but, if you can offer some direction, I'm getting some errors with my CT running ZoneMinder.

I was told that maybe my group membership for root has changed because I'm getting:

root@Zoneminder:~# sudo
sudo: unable to set runas group vector: Invalid argument
sudo: /bin/bash: Invalid argument

I'm also getting this:

root@Zoneminder:/# journalctl -xeu zoneminder.service
-- The job identifier is 37174.
Jul 17 17:04:55 Zoneminder sudo[4698]: root : true : Invalid argument ; PWD=/usr/share/zoneminder/www ; USER=www-data ; COMMAND=true
Jul 17 17:04:55 Zoneminder su[4700]: (to www-data) root on none
Jul 17 17:04:55 Zoneminder su[4700]: pam_unix(su:session): session opened for user www-data(uid=33) by (uid=0)
Jul 17 17:04:55 Zoneminder su[4700]: pam_unix(su:session): session closed for user www-data
Jul 17 17:04:55 Zoneminder su[4703]: (to www-data) root on none
Jul 17 17:04:55 Zoneminder su[4703]: pam_unix(su:session): session opened for user www-data(uid=33) by (uid=0)
Jul 17 17:04:55 Zoneminder su[4703]: pam_unix(su:session): session closed for user www-data
Jul 17 17:04:55 Zoneminder systemd[1]: zoneminder.service: Control process exited, code=exited, status=1/FAILURE
-- Subject: Unit process exited
-- Defined-By: systemd
-- Support: http://www.ubuntu.com/support
-- An ExecStart= process belonging to unit zoneminder.service has exited.
-- The process' exit code is 'exited' and its exit status is 1.
Jul 17 17:04:55 Zoneminder systemd[1]: zoneminder.service: Failed with result 'exit-code'.
-- Subject: Unit failed
-- Defined-By: systemd
-- Support: http://www.ubuntu.com/support
-- The unit zoneminder.service has entered the 'failed' state with result 'exit-code'.
Jul 17 17:04:55 Zoneminder systemd[1]: Failed to start ZoneMinder CCTV recording and surveillance system.

For ZoneMinder, storage is supposed to be www-data:www-data. I'm getting:

root@Zoneminder:/mnt# ls -la
total 16
drwxr-xr-x 3 root root 3 Jul 17 14:36 .
drwxr-xr-x 17 root root 23 Jul 19 09:59 ..
drwxrwsr-x+ 4 nobody 1111 4096 Jul 17 16:04 ZoneStorage

root@Zoneminder:/mnt/ZoneStorage# ls -la
total 33
drwxrwsr-x+ 4 nobody 1111 4096 Jul 17 16:04 .
drwxr-xr-x 3 root root 3 Jul 17 14:36 ..
drwxrwsr-x+ 3 www-data 1111 4096 Jul 17 16:04 1
drwxrwsr-x+ 2 nobody 1111 16384 Jul 17 11:06 lost+found

Not sure is this offers insight:

root@Zoneminder:~# pwck
user 'lp': directory '/var/spool/lpd' does not exist
user 'news': directory '/var/spool/news' does not exist
user 'uucp': directory '/var/spool/uucp' does not exist
user 'list': directory '/var/list' does not exist
user 'irc': directory '/run/ircd' does not exist
user 'gnats': directory '/var/lib/gnats' does not exist
user 'nobody': directory '/nonexistent' does not exist
user 'messagebus': directory '/nonexistent' does not exist

I'm still learning and uid's and gid's can be overwhelming to me, but if you can offer some direction I'd highly appreciate it.

@djongepier
Copy link

Great write up! Works like a charm. Thank you very much.

@luispabon
Copy link

luispabon commented Sep 23, 2024

If you're using ZFS on proxmox on the bindmount and you're getting operation not supported on the setfactl command, you additionally need to:

zfs set acltype=posixacl my/dataset

Then reboot. Rebooting (or potentially re-mounting the dataset) ensures the acl type actually becomes active.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment