
Share NFS Mount in Unprivileged LXC

Share an NFS volume mounted on the PVE with an LXC

How To

Work in Progress

Initial Setup

  • Log on to the LXC and create the mount point

    mkdir pve
    mkdir pve/synology_data
    chmod -R 777 pve
    
  • Log on to the PVE

  • Edit the LXC conf file:

    vi /etc/pve/lxc/<id>.conf
    
  • Add a line like:

    mp0: /mnt/pve/synology_data,mp=/mnt/pve/synology_data
    
  • Reboot PBS

Setting UIDs and GIDs:

We need to allow the LXC to map to a real UID and GID on the host; by default, container IDs are mapped to high host values, 100000 and up.

On the PVE, set ownership of the shared directory to the UID and GID intended for the user on the LXC.

On the PVE, add a mapping to the LXC config file:

    # uid/gid map: map 1005 IDs starting at 0 (in the ct) to the range starting at 100000 (on the host), so 0..1004 (ct) → 100000..101004 (host)
    lxc.idmap = u 0 100000 1005
    lxc.idmap = g 0 100000 1005
    # map the single ID 1005 straight through, so 1005 (ct) → 1005 (host)
    lxc.idmap = u 1005 1005 1
    lxc.idmap = g 1005 1005 1
    # map the remaining IDs up to 65535, so 1006..65535 (ct) → 101006..165535 (host)
    lxc.idmap = u 1006 101006 64530
    lxc.idmap = g 1006 101006 64530

Set up/allow the mapping on the PVE:

    vi /etc/subuid

Add:

    root:1005:1

    vi /etc/subgid

Add:

    root:1005:1

On LXC:

Create a new group with GID 1005 and add the user who needs access to the mount to it:

    groupadd -g 1005 lxc_shares
    usermod -aG lxc_shares <user>

Reboot the LXC

This should give group level access.
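
The following is an added example, not part of the original page: it parses the `lxc.idmap` lines shown above, translates container IDs to the host IDs they resolve to, and checks that every host range is delegated to root in the subuid text. The `root:100000:65536` entry in the sample is an assumption about the host's existing /etc/subuid, and the function names are hypothetical.

```python
import re

# Constructed sample input: the idmap lines from this page plus an assumed
# /etc/subuid (root:100000:65536 is an assumption; root:1005:1 is the page's entry).
CONF = """\
lxc.idmap = u 0 100000 1005
lxc.idmap = g 0 100000 1005
lxc.idmap = u 1005 1005 1
lxc.idmap = g 1005 1005 1
lxc.idmap = u 1006 101006 64530
lxc.idmap = g 1006 101006 64530
"""
SUBUID = "root:100000:65536\nroot:1005:1\n"

IDMAP_RE = re.compile(r"\s*lxc\.idmap\s*[:=]\s*([ug])\s+(\d+)\s+(\d+)\s+(\d+)\s*$")

def parse_idmap(conf, kind):
    """Return sorted (ct_start, host_start, count) tuples for kind 'u' or 'g'."""
    hits = (IDMAP_RE.match(line) for line in conf.splitlines())
    return sorted(tuple(map(int, m.group(2, 3, 4))) for m in hits if m and m.group(1) == kind)

def to_host(maps, ct_id):
    """Translate a container ID to the host ID it runs as, or None if unmapped."""
    for ct, host, count in maps:
        if ct <= ct_id < ct + count:
            return host + (ct_id - ct)
    return None

def check(maps, subid_text, owner="root"):
    """List problems: overlapping container ranges, host ranges not delegated to owner."""
    problems = []
    for (ct_a, _, n_a), (ct_b, _, _) in zip(maps, maps[1:]):
        if ct_a + n_a > ct_b:
            problems.append(f"container ranges overlap at {ct_b}")
    allowed = [(int(s), int(c)) for o, s, c in
               (l.split(":") for l in subid_text.split()) if o == owner]
    for _, host, count in maps:
        if not any(s <= host and host + count <= s + c for s, c in allowed):
            problems.append(f"host range {host}..{host + count - 1} not delegated to {owner}")
    return problems

if __name__ == "__main__":
    uid_maps = parse_idmap(CONF, "u")
    for ct_id in (0, 1004, 1005, 1006, 65535):
        print(f"container uid {ct_id:>5} -> host uid {to_host(uid_maps, ct_id)}")
    print(check(uid_maps, SUBUID) or "mapping is consistent")
```

Only container ID 1005 resolves to a real host ID; every other ID, including container root, stays in the high unprivileged range.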