Sharing mountpoints on unprivileged Proxmox LXCs

Jul 12 23 • 3 min read


Unprivileged LXCs’ increased security and isolation, unfortunately, bring about some difficulties when sharing resources between the host and the guest. This issue often shows up as Permission denied or Operation not permitted errors when trying to access a directory on the host. Usual battle tactics like chown and chmod make no difference. One could resort to pure network-based solutions, but that’s not really efficient. Fortunately, it is possible to map a guest user’s UID/GID to that of the host by creating another user on the host with the right settings and permissions.

Binding mountpoints

Bind mounts allow us to access previously mounted directories from a different location in POSIX systems. Proxmox can bind mount points between the host and the guest either by running this command:

pct set <CONTAINER_ID> -mp0 <ABSOLUTE_PATH_ON_HOST>,mp=<ABSOLUTE_PATH_ON_GUEST>

or by adding this line to the LXC config file under /etc/pve/lxc/<CONTAINER_ID>.conf on the host:

mp0: <ABSOLUTE_PATH_ON_HOST>,mp=<ABSOLUTE_PATH_ON_GUEST>

This will allow you to access the host’s shared directory from the container, but the contents will only be readable. For full access, we need to chown the mounted directory on the host with the correct UID/GID.

Ownership

By default, unprivileged LXCs map guest system users on the host by applying an offset, usually starting at 100000. This mapping comes from /etc/subuid and /etc/subgid on the host. Proxmox typically uses 100000 as the starting offset, but it can differ depending on your setup.

For example, root inside the container (0:0) is mapped to 100000:100000 on the host. Likewise, guest UID/GID 1:1 becomes 100001:100001 on the host.

So, if all we need is for the container’s root user to access the mount point, we can run this on the host:

chown 100000:100000 <MOUNT_POINT_ON_HOST> -R

For other users, the general formula is:

Host UID/GID = Guest UID/GID + OFFSET

(where OFFSET is usually 100000 but may vary).

For example, if you create a user inside the guest with UID 1000:

# On the guest
useradd -u 1000 new-user-name

then on the host, this user will appear as UID 101000 (assuming the 100000 offset). To give proper ownership, you need to run:

# On the host
chown 101000:101000 <MOUNT_POINT_ON_HOST> -R

Note: If you want host users and container users to share the exact same UID/GID without the offset, you can configure custom ID mappings in the LXC config using lxc.idmap, but that requires extra setup.

Sources