First a bit of information about my configuration:
- Ubuntu 15.10
- ZFS pool created
- LXC containers stored in pool/lxc
- Dataset created in pool/mydataset, owned by user1

Now I need one of the containers to access the files/folders in pool/mydataset. I tried the following:
- Created a user user1 inside the container
- Edited pool/lxc/mycontainer/config and added:

lxc.mount.entry = /pool/mydataset mnt/mydataset none rw,bind 0 0

When I start the container the dataset is mounted, but ls -la /mnt/mydataset in the container shows nobody:nogroup instead of user1:user1, which means all files are read-only.
Any idea how to get the correct permissions in the mounted directory?
Best Answer
I've experienced the same. The reason, in my case, is that the filesystem to be bind-mounted is owned by UID:GID in the range of the host machine.
An unprivileged container, by definition, uses UIDs outside the normal range, and a user namespace to give the appearance of normality in the container.
Note that everything below the container's init belongs to numeric UID 1000000, as seen from the host machine. Within the container, PID 1 is UID root, as expected.
What does that mean? If, in the host machine, you have a filesystem owned by a normal user (maybe root, maybe regular user), and then bind-mount it in the container, the UIDs (which are stored as integers) make no sense within the container.
Further, because the UIDs the container sees don't even belong to its user namespace, not even root inside the container can chown those files.
Solution: In the host machine, chown the files so that they belong to root inside the container. In my case, as pictured above, I had to:
- tank/mydataset at /tank/mydataset in the host machine
- chown 1000000:1000000 /tank/mydataset
- lxc.mount.entry = /tank/mydataset path/in/container/ none bind 0 0
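The answer's chown targets the container's root (host UID 1000000); the question actually wants the files to show up as user1:user1 inside the container, which is the same calculation for a different container UID. The following POSIX shell helper is an added example, not part of the question or answer: it reads id map lines in the format of the container config (lxc.id_map in LXC 1.x, lxc.idmap in 2.1+), translates a container UID/GID to the host UID/GID that must own the files, and shows why an unmapped host ID appears as nobody:nogroup. The id map and the container UID 1000 for user1 are constructed assumptions.

```shell
#!/bin/sh
# Constructed sample id map, in lxc.id_map / lxc.idmap line format:
#   <u|g> <first id in container> <first id on host> <count>
# The 1000000 base follows the answer above; stock Ubuntu uses 100000.
SAMPLE_IDMAP="u 0 1000000 65536
g 0 1000000 65536"

# container_to_host TYPE ID: print the host id owning files that appear
# as ID inside the container; return 1 if ID is outside the map.
container_to_host() {
    _type=$1; _id=$2
    while read -r t cstart hstart count; do
        [ "$t" = "$_type" ] || continue
        if [ "$_id" -ge "$cstart" ] && [ "$_id" -lt $((cstart + count)) ]; then
            echo $((hstart + _id - cstart))
            return 0
        fi
    done <<EOF
$SAMPLE_IDMAP
EOF
    return 1
}

# host_to_container TYPE ID: inverse lookup. A host id with no mapping
# (e.g. the host's own user1, uid 1000) has no identity in the container's
# user namespace, so the kernel shows it as the overflow id nobody:nogroup.
host_to_container() {
    _type=$1; _id=$2
    while read -r t cstart hstart count; do
        [ "$t" = "$_type" ] || continue
        if [ "$_id" -ge "$hstart" ] && [ "$_id" -lt $((hstart + count)) ]; then
            echo $((cstart + _id - hstart))
            return 0
        fi
    done <<EOF
$SAMPLE_IDMAP
EOF
    return 1
}

# chown_cmd PATH CUID CGID: print the chown to run on the host so that
# PATH shows up as CUID:CGID inside the container; fails on unmapped ids.
chown_cmd() {
    _huid=$(container_to_host u "$2") || return 1
    _hgid=$(container_to_host g "$3") || return 1
    echo "chown -R $_huid:$_hgid $1"
}

# Assumed: user1 inside the container has uid/gid 1000.
chown_cmd /pool/mydataset 1000 1000   # chown -R 1001000:1001000 /pool/mydataset
```

Run the printed chown on the host before starting the container; the bind mount itself does not translate ownership.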