In order for the LXC container to have full access to the Proxmox host directory, a host group whose GID lies in the container's subgid range is set as the group owner of the host directory, and an ACL is used to ensure the permissions.
Add the following line to /etc/pve/lxc/<CT_ID>.conf
mp0:/mount/point/on/host,mp=/mount/point/on/lxc
In the default Proxmox configuration, unprivileged container subgids have the prefix "10" followed by the expected 4-digit GID (so container GID 1000 becomes host GID 101000).
addgroup --gid <GID (ie."101000")> <GroupName (ie."container-data")>
Any member of <GID> will have "rwx", and new files created under the directory get "rwx" for <GID> by default.
Note: the documentation suggests the "-d" flag should be used to assign the default, however I have been able to get the desired result without it, so... take that as you will.
chgrp -R <GroupName> <Dataset>
chmod -R 2775 <Dataset>
setfacl -Rm g:<GID>:rwx,d:g:<GID>:rwx <Dataset>
Inside the container, the GID needs to match the last 4 digits of the subgid assigned earlier (e.g. 1000 for the host's 101000).
addgroup --gid <GID (ie."1000")> <GroupName (ie."container-data")>
usermod -aG <GroupName> <User>
You should now be able to make modifications to the assigned directory on the host system from within the unprivileged container.
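As an added example, not code from the original post: the host-side steps above as one POSIX shell script that derives the host GID from a /etc/subgid-style range line (so it also covers non-default ranges, which goes beyond the text) and runs as a dry run. The range line, the /tank/shared dataset path and the container-data group name are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): derive the host GID for a
# container GID from a /etc/subgid-style range and apply the host-side
# steps above. The range line, dataset path and group name are assumptions.

# map_gid <container_gid> <subgid_line>
# <subgid_line> looks like "root:100000:65536" (user:start:count).
# Prints start+container_gid, or fails if the GID is outside the range.
map_gid() {
    cgid=$1
    start=$(printf '%s\n' "$2" | cut -d: -f2)
    count=$(printf '%s\n' "$2" | cut -d: -f3)
    [ "$cgid" -ge 0 ] && [ "$cgid" -lt "$count" ] || return 1
    echo $((start + cgid))
}

# acl_spec <host_gid>: the setfacl entries used on the host. The "d:"
# prefix marks the second entry as a default ACL entry, which is why the
# separate -d flag is not required for this invocation.
acl_spec() {
    printf 'g:%s:rwx,d:g:%s:rwx' "$1" "$1"
}

# run <cmd...>: execute, or only print the command when DRY_RUN is set.
run() {
    if [ -n "$DRY_RUN" ]; then echo "+ $*"; else "$@"; fi
}

# apply_host_side <host_gid> <group_name> <dataset>
# The same four host commands as in the steps above, in order.
apply_host_side() {
    run addgroup --gid "$1" "$2"
    run chgrp -R "$2" "$3"
    run chmod -R 2775 "$3"
    run setfacl -Rm "$(acl_spec "$1")" "$3"
}

# Constructed sample: default Proxmox range, container GID 1000,
# printed as a dry run so the script is safe to execute as-is.
DRY_RUN=1
if hgid=$(map_gid 1000 "root:100000:65536"); then
    apply_host_side "$hgid" container-data /tank/shared
else
    echo "container GID is not covered by the subgid range" >&2
fi
```

Unset DRY_RUN and pass the real dataset path to apply the commands on the host; a GID outside the range is rejected instead of producing a group no container process can ever map to.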
https://blog.felixbrucker.com/2015/10/01/how-to-mount-host-directories-inside-a-proxmox-lxc-container/
https://www.reddit.com/r/homelab/comments/4h0erv/resolving_permissions_issues_with_host_bind/
Thank you for this. It was very helpful in getting my drive written to, but, if you can offer some direction, I'm getting some errors with my CT running ZoneMinder.
I was told that maybe my group membership for root has changed because I'm getting:
root@Zoneminder:~# sudo
sudo: unable to set runas group vector: Invalid argument
sudo: /bin/bash: Invalid argument
I'm also getting this:
root@Zoneminder:/# journalctl -xeu zoneminder.service
-- The job identifier is 37174.
Jul 17 17:04:55 Zoneminder sudo[4698]: root : true : Invalid argument ; PWD=/usr/share/zoneminder/www ; USER=www-data ; COMMAND=true
Jul 17 17:04:55 Zoneminder su[4700]: (to www-data) root on none
Jul 17 17:04:55 Zoneminder su[4700]: pam_unix(su:session): session opened for user www-data(uid=33) by (uid=0)
Jul 17 17:04:55 Zoneminder su[4700]: pam_unix(su:session): session closed for user www-data
Jul 17 17:04:55 Zoneminder su[4703]: (to www-data) root on none
Jul 17 17:04:55 Zoneminder su[4703]: pam_unix(su:session): session opened for user www-data(uid=33) by (uid=0)
Jul 17 17:04:55 Zoneminder su[4703]: pam_unix(su:session): session closed for user www-data
Jul 17 17:04:55 Zoneminder systemd[1]: zoneminder.service: Control process exited, code=exited, status=1/FAILURE
-- Subject: Unit process exited
-- Defined-By: systemd
-- Support: http://www.ubuntu.com/support
-- An ExecStart= process belonging to unit zoneminder.service has exited.
-- The process' exit code is 'exited' and its exit status is 1.
Jul 17 17:04:55 Zoneminder systemd[1]: zoneminder.service: Failed with result 'exit-code'.
-- Subject: Unit failed
-- Defined-By: systemd
-- Support: http://www.ubuntu.com/support
-- The unit zoneminder.service has entered the 'failed' state with result 'exit-code'.
Jul 17 17:04:55 Zoneminder systemd[1]: Failed to start ZoneMinder CCTV recording and surveillance system.
For ZoneMinder, storage is supposed to be www-data:www-data. I'm getting:
root@Zoneminder:/mnt# ls -la
total 16
drwxr-xr-x 3 root root 3 Jul 17 14:36 .
drwxr-xr-x 17 root root 23 Jul 19 09:59 ..
drwxrwsr-x+ 4 nobody 1111 4096 Jul 17 16:04 ZoneStorage
root@Zoneminder:/mnt/ZoneStorage# ls -la
total 33
drwxrwsr-x+ 4 nobody 1111 4096 Jul 17 16:04 .
drwxr-xr-x 3 root root 3 Jul 17 14:36 ..
drwxrwsr-x+ 3 www-data 1111 4096 Jul 17 16:04 1
drwxrwsr-x+ 2 nobody 1111 16384 Jul 17 11:06 lost+found
Not sure if this offers insight:
root@Zoneminder:~# pwck
user 'lp': directory '/var/spool/lpd' does not exist
user 'news': directory '/var/spool/news' does not exist
user 'uucp': directory '/var/spool/uucp' does not exist
user 'list': directory '/var/list' does not exist
user 'irc': directory '/run/ircd' does not exist
user 'gnats': directory '/var/lib/gnats' does not exist
user 'nobody': directory '/nonexistent' does not exist
user 'messagebus': directory '/nonexistent' does not exist
I'm still learning, and UIDs and GIDs can be overwhelming to me, but if you can offer some direction I'd highly appreciate it.