Hi, I need help to understand what I am doing wrong with my setup.
I am running a proxmox node (pve) where I have mounted my nfs storage (containing backups from my old server) on the host and assigning them to containers using pct set command.
On Host:I am setting the user permissions to the mounted folder so that the user from lxc can rw to it and the sub-folders(or atleast I thought it would be possible).
On Unpreviledged LXC:The mount is recognized and is accessible with the correct user permissions to rw
The docker container created inside the lxc is unable to read/write to this storage even though they are assigned to the correct user id 1000. The docker setup is logging errors and won’t start up.
Appreciate the help!
The issue is that the docker container will still be running as the LXC’s root user even if you specify another user to run as in the docker compose file or run command, and if root doesn’t have access to the dir the container will always fail.
The solution to this is to remap the unprivileged LXC’s root user to a user on the Proxmox host that has access to the dir using the LXC’s config file, mount the container’s filesystem using pct mount, and then chown everything in the container owned by the default root mapped user (100000).
These are the commands I use for this:
find /var/lib/lxc/xxx/rootfs -user 100000 -type f -exec chown username {} +; find /var/lib/lxc/xxx/rootfs -user 100000 -type d -exec chown username {} +; find /var/lib/lxc/xxx/rootfs -user 100000 -type l -exec chown -h username {} +; find /var/lib/lxc/xxx/rootfs -group 100000 -type f -exec chown :username {} +; find /var/lib/lxc/xxx/rootfs -group 100000 -type d -exec chown :username {} +; find /var/lib/lxc/xxx/rootfs -group 100000 -type l -exec chown -h :username {} +
(Replace xxx with the LXC number and username with the host user/UID)
If group permissions are involved you’ll also have to map those groups in the LXC config, create them in the LXC with the corresponding GIDs, add them as supplementary groups to the root user in the LXC, and then add them to the docker compose yaml using group_add.
It’s super confusing and annoying but this is the workflow I’m using now to avoid having to have any resources tied up in VMs unnecessarily.
So I don’t use docker. But. Could you set up an lxc container running samba and then bind mount the shares to that container. Then mount those shares inside docker running on the other lxc container?
That sounds a bit too convoluted for my needs. Even if it works, I am not sure if I will be able to maintain such a setup. But thanks for your inputs.
It is not 1000 it 10000.
You can try with setting g+w on pve.
It is 100000 actually and even with 777 rights it still fails.