
@ajmassi
Last active September 26, 2024 19:00
Create a bind mount from a Proxmox host on an unprivileged lxc container

Proxmox Assign Bind Mount To Unprivileged Container

In order for the LXC container to have full access to the Proxmox host directory, a subgid is set as the group owner of the host directory, and an ACL is used to grant the permissions.

Bind Mount dataset to LXC

Add the following line to /etc/pve/lxc/<CT_ID>.conf

mp0: /mount/point/on/host,mp=/mount/point/on/lxc

Create group on host

In the default Proxmox configuration, unprivileged container subgids will have the prefix "10" followed by the expected 4-digit gid.

addgroup --gid <GID (ie."101000")> <GroupName (ie."container-data")>

Set ACL for shared dataset

Any members of <GID> will have "rwx", and new files created by <GID> members get "rwx" by default. Note: the documentation suggests the "-d" flag should be used to assign the default ACL; however, I have been able to get the desired result without it, so... take that as you will.

chgrp -R <GroupName> <Dataset>
chmod -R 2775 <Dataset>
setfacl -Rm g:<GID>:rwx,d:g:<GID>:rwx <Dataset>

Inside your LXC container

Create group

The GID needs to match the last 4 digits of the subgid assigned earlier.

addgroup --gid <GID (ie."1000")> <GroupName (ie."container-data")>

Add users to new permitted group

usermod -aG <GroupName> <User>

You should now be able to make modifications to the assigned directory on the host system from within the unprivileged container.
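As an added example (not part of the gist), two shell checks for the procedure above: one resolves a container GID to the host GID it maps to, the other verifies that the directory ACL carries both the access entry and the default entry. The idmap lines use the "lxc.idmap: g <ct_start> <host_start> <count>" form Proxmox writes into /etc/pve/lxc/<CT_ID>.conf; all sample data is constructed.

```shell
#!/bin/sh
# Added example, not part of the original gist.  Resolve a container GID to its
# host GID through the container's idmap, and verify that a directory ACL has
# both the access and the default entry.  All sample data below is constructed.

# Print the host GID that container GID $1 maps to under idmap text $2.
# Returns 1 when no "g" range covers it: writes from that GID would then show
# up on the host as nobody/nogroup instead of the subgid the ACL was set for.
map_ct_gid() {
    ct_gid=$1
    while read -r key type ct_start host_start count; do
        [ "$key" = "lxc.idmap:" ] && [ "$type" = "g" ] || continue
        if [ "$ct_gid" -ge "$ct_start" ] && [ "$ct_gid" -lt $((ct_start + count)) ]; then
            echo $((host_start + ct_gid - ct_start))
            return 0
        fi
    done <<EOF
$2
EOF
    return 1
}

# Succeed only when getfacl output $2 grants group $1 rwx both now and by
# default for new files.  Exact-line matching also fails if getfacl appended
# "#effective:r-x", i.e. when the mask silently reduced the grant.
acl_grants_group() {
    printf '%s\n' "$2" | grep -qx "group:$1:rwx" &&
        printf '%s\n' "$2" | grep -qx "default:group:$1:rwx"
}

# Constructed: the Proxmox default mapping for an unprivileged container.
DEFAULT_IDMAP='lxc.idmap: u 0 100000 65536
lxc.idmap: g 0 100000 65536'
# Constructed: a custom mapping with a hole, so gid 2000 is unmapped.
CUSTOM_IDMAP='lxc.idmap: g 0 100000 1000
lxc.idmap: g 1000 1000 1'
# Constructed getfacl output after the setfacl line from the gist.
GOOD_ACL='# file: tank/shared
group:container-data:rwx
mask::rwx
default:group:container-data:rwx'
# Constructed getfacl output where only the access entry was set.
NO_DEFAULT_ACL='group:container-data:rwx
mask::rwx'

echo "container gid 1000 -> host gid $(map_ct_gid 1000 "$DEFAULT_IDMAP")"
acl_grants_group container-data "$GOOD_ACL" && echo "ACL complete"
acl_grants_group container-data "$NO_DEFAULT_ACL" || echo "ACL missing default entry"
```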

References

https://blog.felixbrucker.com/2015/10/01/how-to-mount-host-directories-inside-a-proxmox-lxc-container/
https://www.reddit.com/r/homelab/comments/4h0erv/resolving_permissions_issues_with_host_bind/

@djongepier

Great write up! Works like a charm. Thank you very much.

@luispabon

luispabon commented Sep 23, 2024

If you're using ZFS on Proxmox for the bind mount and you're getting "operation not supported" on the setfacl command, you additionally need to:

zfs set acltype=posixacl my/dataset

Then reboot. Rebooting (or potentially re-mounting the dataset) ensures the acl type actually becomes active.
