Exposing a directory on the host machine to an LXC container #blog

expose-directory-on-host-to-lxc-container.md

Exposing a directory on the host machine to an LXC container

1. Log into the container and create an empty directory, this will be the mount point
2. Log out and stop the container.
3. Open to your container's config file
   • For regular LXC containers: /var/lib/lxc/mycontainer/config
   • For unprivileged LXC containers: $HOME/.local/share/lxc/mycontainer/config
4. Add a new line above the lxc.mount directive, that follows the format below. Substitute proper paths as necessary:
   • lxc.mount.entry = /path/to/folder/on/host /path/to/mount/point none bind 0 0
   • Both of these paths are relative to the host machine.
   • Location of the root fs in the container can be found at:
     • For regular LXC containers: /var/lib/lxc/mycontainer/rootfs/
     • For unprivileged LXC containers: $HOME/.local/share/lxc/mycontainer/rootfs

Note: If the host's user does not exist in the container, the container will still be mounted, but with nobody:nogroup as the owner. This may not be a problem unless you need to write to these files, in which case you'll need to give everybody write permission to that folder. (i.e. chmod -R go+w /folder/to/share)

Example

I want to share /home/julianlam/foobar to my unprivileged container bazquux. In bazquux, I want this folder to be found at /mnt/baz.

In the container:

$ cd /mnt
$ sudo mkdir baz
$ logout

In the host, I will add the following line above lxc-mount in /home/julianlam/.local/share/lxc/bazquux/config:

lxc.mount.entry = /home/julianlam/foobar /home/julian/.local/share/lxc/bazquux/rootfs/mnt/baz none bind 0 0

Then

$ lxc-start -n bazquux -d

Further Reading

• https://wiki.debian.org/LXC

In Proxmox you must edit the config files in /etc/pve/lxc to make any changes persist during reboots:

root@pve:/etc/pve/lxc# ls
100.conf 102.conf 103.conf 106.conf 107.conf

On LXC 3.0.3 (Ubuntu 16.04), this guide seems to work perfectly, but the mount point must be given as a relative path for the container. This is what the Debian wiki recommends.

So the line in the example above should be instead:
lxc.mount.entry = /home/julianlam/foobar baz none bind 0 0

i prefer using command line '__')

lxc config device add CONTA1 shareddir1 disk path=/root/test1 source=/home/`whoami`/test1

this will mount /home/whoami/test1 to container's /root/test1

@kokizzu, you are talking about LXD (which provides also lxc command). But it is about LXC, so commands are lxc-*.
LXC has no command for mounting, from what I know.

Been trying a number of recommendation and finally found @kokizzu example, which worked. Written it below a little more explicitly so I can recall and understand.

Permissions in the container are an issue, but at least I can see the file created in the host.

lxc config device add YourLxcContainersName sharename disk path=/home/hosts/share source="/home/lxcshare" Used parens as the path had a space.

@kokizzu's command works well, but I also wanted to be able to write those files. For that I had to specify a custom idmap:

lxc config set MyContainer raw.idmap "both 1000 1000"
lxc restart MyContainer

This maps uid 1000 on the host to uid 1000 inside the container.

@kokizzu's command works well, but I also wanted to be able to write those files. For that I had to specify a custom idmap:

lxc config set MyContainer raw.idmap "both 1000 1000"
lxc restart MyContainer

This maps uid 1000 on the host to uid 1000 inside the container.

I think your container is then tending towards "priveleged" - less secure.

or unprivileged containers, since root in the container does not map to UID 0 in the host system, a container breakout is still serious, but not as damaging as it is for a privileged container. There is also a mode where each LXD container in a system will have its own non-overlapping UID and GID ranges in the host, which limits the damage even further. Any breakout will result in a process with a UID and GID that is not shared with any other process in any other container (or the host system itself).

https://lwn.net/Articles/796700/

It works perfectly, Thanks!!