Proxmox 6, LXC containers, and the user permission maze

Recently I started changing my storage/playground machine from a single Rockstor box to a more virtualized homelab running Proxmox, and with that comes a big learning opportunity for virtualization, LXC, and everything in between and beyond. One particular problem I'm trying to solve is this: I want to run separate containers for Samba, Plex, and any intake application (Transmission etc.), AND have them all be unprivileged containers (SECURITY, not that anyone cares...?), AND have them all access the same storage pool from the host (MergerFS+SnapRAID, per the Perfect Media Server suggestion. Read it on linuxserver.io if you haven't; for my purposes it beats ZFS/Btrfs handily).

So I created some containers, loaded them up with Ubuntu, installed the stuff I need, and...they couldn't write to the storage pool mount point. Huh. Must be the containers. So I read up on the LXC website as well as the Proxmox forum (kudos to the devs for actually interacting with users on the forum), and I realized that Proxmox keeps its own copy of the container config and *appends* it to a boilerplate template that it re-creates every time you start/restart a container. Here are the details:

Container users can be mapped to host users so they can access mounted folders with the same permissions as on the host. The default mapping Proxmox uses (that is, in the boilerplate template) is: container user 0 maps to host user 100000, container user 1 maps to host user 100001, and so on, until it hits the POSIX limit of 65534. All you have to do on the host is add the corresponding host user id to the permission list of the folder you want to access from the container, and you should be fine...right? Usually, that's all it takes...until you have multiple containers...

See, when you create multiple containers, Proxmox uses the SAME boilerplate template for the container config. Which means...if you have uid 100 in container #0 and uid 100 in container #1, and both containers can see a host folder (via a mount) that has write permission for user 100100, both container users WILL be able to step on each other, whether you want them to or not.
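To make the two points above concrete (the default 0→100000 mapping, and the way identical mappings let two containers reach the same host uid), here is a small added example that is not part of the original post. It parses `lxc.idmap` lines in the format LXC uses (`lxc.idmap: u <container_start> <host_start> <count>`), translates a container uid or gid to its host id, and reports which containers collide on the host for a given container id. The container names, the config snippets, and the alternative 200000 base used for the third container are constructed for the demonstration, not taken from the post or from Proxmox.

```python
"""Compute host uids/gids from LXC idmap lines and spot cross-container collisions.

Added example (not from the original post). The idmap line format is the one
LXC uses (``lxc.idmap: u <container_start> <host_start> <count>``); the
container names, config snippets, and the 200000 base used for the third
container are constructed for this demonstration.
"""
from typing import Dict, List, Optional, Tuple

# One mapping entry: (kind, container_start, host_start, count); kind is "u" or "g".
IdMap = List[Tuple[str, int, int, int]]


def parse_idmap(config_text: str) -> IdMap:
    """Extract lxc.idmap entries from a container config (all other keys are ignored)."""
    idmap: IdMap = []
    for line in config_text.splitlines():
        line = line.strip()
        if not line.startswith("lxc.idmap:"):
            continue
        fields = line.split(":", 1)[1].split()
        if len(fields) != 4 or fields[0] not in ("u", "g"):
            raise ValueError(f"malformed idmap line: {line!r}")
        c_start, h_start, count = (int(f) for f in fields[1:])
        idmap.append((fields[0], c_start, h_start, count))
    return idmap


def host_id(idmap: IdMap, kind: str, container_id: int) -> Optional[int]:
    """Translate a container uid ('u') or gid ('g') to the host id, or None if unmapped.

    An id with no mapping has no host identity of its own, so it cannot be granted
    rights on a bind-mounted host directory through the folder's permission list.
    """
    for k, c_start, h_start, count in idmap:
        if k == kind and c_start <= container_id < c_start + count:
            return h_start + (container_id - c_start)
    return None


def collisions(configs: Dict[str, str], kind: str, container_id: int) -> Dict[int, List[str]]:
    """Return host ids that more than one container reaches from the same container id."""
    by_host: Dict[int, List[str]] = {}
    for name, text in configs.items():
        hid = host_id(parse_idmap(text), kind, container_id)
        if hid is not None:
            by_host.setdefault(hid, []).append(name)
    return {hid: names for hid, names in by_host.items() if len(names) > 1}


# Constructed configs. The first two carry the default template mapping (0 -> 100000);
# the third uses a distinct base (200000, an assumption) so its ids land elsewhere on the host.
DEFAULT_MAP = "lxc.idmap: u 0 100000 65536\nlxc.idmap: g 0 100000 65536\n"
CONFIGS = {
    "samba": "arch: amd64\nunprivileged: 1\n" + DEFAULT_MAP,
    "plex": "arch: amd64\nunprivileged: 1\n" + DEFAULT_MAP,
    "transmission": "arch: amd64\nunprivileged: 1\n"
                    "lxc.idmap: u 0 200000 65536\nlxc.idmap: g 0 200000 65536\n",
}


if __name__ == "__main__":
    for name, text in CONFIGS.items():
        print(f"{name}: container uid 100 -> host uid {host_id(parse_idmap(text), 'u', 100)}")
    # samba and plex both land on host uid 100100; transmission lands on 200100.
    print("host uids shared by more than one container for uid 100:", collisions(CONFIGS, "u", 100))
```

Running it shows `samba` and `plex` both resolving container uid 100 to host uid 100100, which is exactly the "step on each other" situation: any folder granting host uid 100100 write access is writable from both. The third config, with its own base, resolves to 200100 and stays out of that set, which is the property a per-container mapping would give you.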
