[lxc-users] Unprivileged LXC container can't fully access NFS share mounted on host

Maxwell Farrior maxwellfarrior at gmail.com
Sat Sep 16 15:23:57 UTC 2017


I'm stumped. Here's the situation:

- I decided to redo the setup of a server I have. I wanted to move
services into their own LXC containers.

- One such service is a bitcoin node. The node requires about 120GB of
storage space, which I have provided with an NFS server running on a
networked machine.

- The bitcoin node container is unprivileged. So I can't mount the NFS
share directly. So I mount it on the host and then do a bind mount
(`lxc.mount.entry=/<path/on/host> <path/on/container> none bind 0 0`) in
the host container's config file.

- The container mounts the container alright, I can see the files, but
when the bitcoin daemon tries to access (write?) to that directory, it
can't and crashes.

I've tried so much to get it to work. I also fear that I've changed
*too* much trying to get it to work.

- Permissions... So on the host, I've chown'ed the entire directory to
the UID of the *user in the container*. So on the host, everything is
owned by 1001001:1001001. And *inside* the container, I have *also*
chown'ed all the files to username:username. The files show up as owned
by the correct user and have the correct permissions inside the container.

- I also have a large flash drive with the same data as the NFS share. I
mounted this flash drive on the host and set permissions and mounted it
the same way I did the NFS share. *This works for some reason.* I have
tried looking at the directories' permissions and I can't see any
difference.

- One thing I noticed (and I'm not sure if this is relevant), but when I
create a file on the NFS share *inside the container*, it defaults to
different permissions than what I want. I can create the file, but it
gets owned by user 'nobody' and has permissions of 664. Maybe the
bitcoin daemon is trying to create a file and is not able to
read/write/access it. I don't know. Maybe a umask problem?

I'd be happy to provide any additional info that would help solve this
issue. I know there's a lot of moving parts here. I'm completely open to
any ideas and suggestions.
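
An added example, not part of the original post: translating uids through an unprivileged container's uid map, to check which host uid a file needs in order to appear as a given container user, and to show that an owner outside the mapped range is displayed as the overflow uid ("nobody"). The map `0 1000000 65536` is an assumed sample; read the real one from `/proc/<pid>/uid_map` of the container's init process.

```python
# Added example: translate uids through a user-namespace uid map.
# Kernel default of /proc/sys/kernel/overflowuid, usually named "nobody".
OVERFLOW_UID = 65534

# Constructed sample of /proc/<container-init-pid>/uid_map
# (assumption, not taken from the post): inside-start outside-start length
SAMPLE_UID_MAP = "         0    1000000      65536\n"

def parse_id_map(text):
    """Return a list of (inside_start, outside_start, length) extents."""
    extents = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if len(fields) != 3:
            raise ValueError(f"malformed id map line: {line!r}")
        inside, outside, length = (int(f) for f in fields)
        extents.append((inside, outside, length))
    return extents

def to_host(extents, container_uid):
    """Host uid backing a container uid, or None if it is unmapped."""
    for inside, outside, length in extents:
        if inside <= container_uid < inside + length:
            return outside + (container_uid - inside)
    return None

def to_container(extents, host_uid):
    """Uid a container process sees on a file owned by host_uid."""
    for inside, outside, length in extents:
        if outside <= host_uid < outside + length:
            return inside + (host_uid - outside)
    return OVERFLOW_UID  # unmapped owners are shown as the overflow uid

def explain(extents, host_uid):
    """Summarise how one host-side owner appears inside the container."""
    mapped = any(o <= host_uid < o + n for _, o, n in extents)
    return {"host_uid": host_uid,
            "seen_as": to_container(extents, host_uid),
            "mapped": mapped}

if __name__ == "__main__":
    extents = parse_id_map(SAMPLE_UID_MAP)
    for uid in (1001001, 0, 65534):  # constructed host-side owners
        print(explain(extents, uid))
```

Comparing `ls -ln` output on the host with the result of `to_container` for each owner shows whether a file's numeric owner falls inside the container's mapped range.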



