Skip to content

Instantly share code, notes, and snippets.

@JSinghDev

JSinghDev/LXCBindMount.md

Forked from ajmassi/LXCBindMount.md
Last active October 19, 2024 13:44
Show Gist options
  • Save JSinghDev/10e0824580a84a56022153592ac64faa to your computer and use it in GitHub Desktop.
Save JSinghDev/10e0824580a84a56022153592ac64faa to your computer and use it in GitHub Desktop.
Download ZIP
Create a bind mount from a Proxmox host on an unprivileged lxc container
Raw
LXCBindMount.md

Proxmox Assign Bind Mount To Unprivileged Container

In order for the LXC container to have full access the proxmox host directory, a subgid is set as owner of a host directory, and an ACL is used to ensure permissions.

Bind Mount dataset to LXC

Add the following line to /etc/pve/lxc/<CT_ID>.conf

mp0:/mount/point/on/host,mp=/mount/point/on/lxc

OR

pct set 100 -mp0 /mnt/bindmounts/shared,mp=/shared

(OPTIONAL) If having issues try setting the directory or dataset on the host to be inside /mnt

Create group on host

In the default Proxmox configuration, unpriviliged container subgids will have the prefix "10" followed by the expected 4-digit gid.

addgroup --gid <GID (ie."101000")> <GroupName (ie."container-data")>

Install ACL

Debian 11 which proxmox is based on does not have acl installed so install acl using

apt install acl

Enable acl for zfs dataset

zfs set acltype=posixacl storage/share

Set ACL for shared dataset

Any members of -GID- will have "rwx", new files from -GID- have "rwx" default Note: documentation suggests the "-d" flag should be used to assign default, however I have been able to get the desired result without, so... take that as you will

chgrp -R <GroupName> <Dataset>
chmod -R 2775 <Dataset>
setfacl -Rm g:<GID>:rwx,d:g:<GID>:rwx <Dataset>

Inside your LXC container

Create group

GID needs to match the last 4 digits of the subgid assigned earlier

addgroup --gid <GID (ie."1000")> <GroupName (ie."container-data")>

Add users to new permitted group

usermod -aG <GroupName> <User>

You should now be able to make modifications to the assigned directory on the host system from within the unpriviliged container.

References

https://blog.felixbrucker.com/2015/10/01/how-to-mount-host-directories-inside-a-proxmox-lxc-container/ https://www.reddit.com/r/homelab/comments/4h0erv/resolving_permissions_issues_with_host_bind/

@picasso566
Copy link

picasso566 commented Jun 21, 2023
edited
Loading

Thanks for the succinct gist on the subject! It summarizes about 20 threads I've been reading on the subject to the same conclusions I reached. I will give feedback after I'm done setting up a node this way.

Also this: https://www.itsembedded.com/sysadmin/proxmox_bind_unprivileged_lxc/

I have one question though. You have this:

mp0:/mount/point/on/host,mp=/mount/point/on/lxc
It's important that the directory or dataset on the host should be in /mnt

Why does the directory/dataset need to have the mount point in /mnt on the host?

@JSinghDev
Copy link
Author

JSinghDev commented Jun 21, 2023
edited
Loading

Why does the directory/dataset need to have the mount point in /mnt on the host?

I don't think that's needed any more and I am going to update this gist. I was having issues initially when my zfs dataset mount point was not inside the /mnt folder. I read it somewhere. Currently, my bind mounts are not located inside /mnt. So if you are having issues, you can try setting the bind mount to be inside /mnt on the host.

I have to check on ACL's as well as there have been some updates in samba and posixacl recently.

@picasso566
Copy link

picasso566 commented Jun 22, 2023 via email

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment