Skip to content

Instantly share code, notes, and snippets.

@julianlam
Last active October 19, 2024 17:14
Show Gist options
  • Save julianlam/07abef272136ea14a627 to your computer and use it in GitHub Desktop.
Save julianlam/07abef272136ea14a627 to your computer and use it in GitHub Desktop.
Exposing a directory on the host machine to an LXC container #blog

Exposing a directory on the host machine to an LXC container

  1. Log into the container and create an empty directory, this will be the mount point
  2. Log out and stop the container.
  3. Open to your container's config file
    • For regular LXC containers: /var/lib/lxc/mycontainer/config
    • For unprivileged LXC containers: $HOME/.local/share/lxc/mycontainer/config
  4. Add a new line above the lxc.mount directive, that follows the format below. Substitute proper paths as necessary:
    • lxc.mount.entry = /path/to/folder/on/host /path/to/mount/point none bind 0 0
    • Both of these paths are relative to the host machine.
    • Location of the root fs in the container can be found at:
      • For regular LXC containers: /var/lib/lxc/mycontainer/rootfs/
      • For unprivileged LXC containers: $HOME/.local/share/lxc/mycontainer/rootfs

Note: If the host's user does not exist in the container, the container will still be mounted, but with nobody:nogroup as the owner. This may not be a problem unless you need to write to these files, in which case you'll need to give everybody write permission to that folder. (i.e. chmod -R go+w /folder/to/share)

Example

I want to share /home/julianlam/foobar to my unprivileged container bazquux. In bazquux, I want this folder to be found at /mnt/baz.

In the container:

$ cd /mnt
$ sudo mkdir baz
$ logout

In the host, I will add the following line above lxc-mount in /home/julianlam/.local/share/lxc/bazquux/config:

lxc.mount.entry = /home/julianlam/foobar /home/julian/.local/share/lxc/bazquux/rootfs/mnt/baz none bind 0 0

Then

$ lxc-start -n bazquux -d

Further Reading

@chfritz
Copy link

chfritz commented May 27, 2021

@kokizzu's command works well, but I also wanted to be able to write those files. For that I had to specify a custom idmap:

lxc config set MyContainer raw.idmap "both 1000 1000"
lxc restart MyContainer

This maps uid 1000 on the host to uid 1000 inside the container.

@craigphicks-public
Copy link

@kokizzu's command works well, but I also wanted to be able to write those files. For that I had to specify a custom idmap:

lxc config set MyContainer raw.idmap "both 1000 1000"
lxc restart MyContainer

This maps uid 1000 on the host to uid 1000 inside the container.

I think your container is then tending towards "priveleged" - less secure.

or unprivileged containers, since root in the container does not map to UID 0 in the host system, a container breakout is still serious, but not as damaging as it is for a privileged container. There is also a mode where each LXD container in a system will have its own non-overlapping UID and GID ranges in the host, which limits the damage even further. Any breakout will result in a process with a UID and GID that is not shared with any other process in any other container (or the host system itself).

https://lwn.net/Articles/796700/

@hjdeheer
Copy link

It works perfectly, Thanks!!

@singpolyma
Copy link

Is it possible to apply the mount without restarting the container?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment