Create a bind mount from a Proxmox host on an unprivileged LXC container

Proxmox Assign Bind Mount To Unprivileged Container

For the LXC container to have full access to the Proxmox host directory, a subgid is set as the owner of the host directory, and an ACL is used to ensure permissions.

Bind Mount dataset to LXC

Add the following line to /etc/pve/lxc/<CT_ID>.conf


Create group on host

In the default Proxmox configuration, unprivileged container subgids will have the prefix "10" followed by the expected 4-digit gid.

addgroup --gid <GID (ie."101000")> <GroupName (ie."container-data")>

Set ACL for shared dataset

Any members of -GID- will have "rwx"; new files from -GID- have "rwx" by default.

Note: documentation suggests the "-d" flag should be used to assign default, however I have been able to get the desired result without, so... take that as you will

chgrp -R <GroupName> <Dataset>
chmod -R 2775 <Dataset>
setfacl -Rm g:<GID>:rwx,d:g:<GID>:rwx <Dataset>

Inside your LXC container

Create group

The GID needs to match the last 4 digits of the subgid assigned earlier.

addgroup --gid <GID (ie."1000")> <GroupName (ie."container-data")>

Add users to new permitted group

usermod -aG <GroupName> <User>

You should now be able to make modifications to the assigned directory on the host system from within the unprivileged container.
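A check for the mapping and ACL steps above, as an added example that is not part of the original gist. `host_gid` works out which host GID a container GID maps to, going beyond the "10" prefix rule to cover custom `lxc.idmap` lines in the container config, and `acl_grants_rwx` confirms that `getfacl -n` output carries both the access and the default entry for that GID. The function names and sample data are constructed, and the default mapping of 100000 with a range of 65536 is assumed to be the stock Proxmox setting.

```shell
#!/bin/sh
# Added example. Assumption: with no lxc.idmap lines, an unprivileged container
# uses the Proxmox default group mapping "g 0 100000 65536".

# host_gid CONTAINER_GID  (container config on stdin)
# Prints the host GID the container GID maps to; returns 1 if it is unmapped.
host_gid() {
    awk -v gid="$1" '
        BEGIN { gid += 0 }
        $1 == "lxc.idmap:" && $2 == "g" {
            seen = 1
            if (gid >= $3 && gid < $3 + $5) { print $4 + gid - $3; found = 1; exit }
        }
        END {
            if (!seen && gid < 65536) { print 100000 + gid; found = 1 }
            exit (found ? 0 : 1)
        }'
}

# acl_grants_rwx HOST_GID  ("getfacl -n <Dataset>" output on stdin)
# Succeeds only if the access and default entries both give an effective rwx.
acl_grants_rwx() {
    awk -v gid="$1" '
        /#effective:/ { next }   # entry is cut down by the ACL mask
        $1 == ("group:" gid ":rwx")         { access = 1 }
        $1 == ("default:group:" gid ":rwx") { dflt = 1 }
        END { exit (access && dflt ? 0 : 1) }'
}

# Constructed sample inputs (not from a real host).
SAMPLE_CONF='unprivileged: 1
lxc.idmap: g 0 100000 1000
lxc.idmap: g 1000 1000 1
lxc.idmap: g 1001 101001 64535'
SAMPLE_ACL='# file: tank/data
user::rwx
group::rwx
group:101000:rwx
mask::rwx
other::r-x
default:user::rwx
default:group::rwx
default:group:101000:rwx
default:mask::rwx
default:other::r-x'

echo "default map: 1000 -> $(host_gid 1000 </dev/null)"
echo "custom map:  1000 -> $(printf '%s\n' "$SAMPLE_CONF" | host_gid 1000)"
printf '%s\n' "$SAMPLE_ACL" | acl_grants_rwx 101000 && echo "ACL ok for 101000"
```

On the host, feed the functions real data with `host_gid 1000 < /etc/pve/lxc/<CT_ID>.conf` and `getfacl -n <Dataset> | acl_grants_rwx 101000`.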


BassT23 commented Jun 11, 2023

Works for me (PVE 7.4)

Thanks for this! Works perfectly

rkraken commented Nov 9, 2023

Thanks! I wasn't familiar with setfacl so I learned something. Couldn't the last command be simplified, given that chmod was already performed?

setfacl -Rm d:g::rwx

Thanks! Been going through everything, mapping LXC users UID, but this did it.

The only note I have is that setfacl wasn't installed on my 7.4-3 host. To install it:
apt install acl

Weyla commented Dec 3, 2023

This guide made setting up my plex and torrent lxc very quick. Thanks!

fl3usner commented Jan 4, 2024

Thanks mate, helped me a lot! Didn't work for me first, had to reboot the lxc first. Since then, flawless ;)

