Mount ZFS dataset in unprivileged container


First a bit of information about my configuration:

  • Ubuntu 15.10
  • ZFS pool created
  • LXC containers stored in pool/lxc
  • Dataset created in pool/mydataset owned by user1

Now I need one of the containers to access the files/folders in pool/mydataset. I tried the following:

  • Created a user user1 inside the container
  • Edited pool/lxc/mycontainer/config and added:

    lxc.mount.entry = /pool/mydataset mnt/mydataset none rw,bind 0 0

When I start the container the dataset is mounted, but ls -la /mnt/mydataset in the container shows nobody:nogroup instead of user1:user1, which means all files are read-only.

Any idea how to get the correct permissions in the mounted directory?

Best Answer

I've experienced the same. The reason, in my case, is that the filesystem to be bind-mounted is owned by UID:GID in the range of the host machine.

An unprivileged container, by definition, uses UIDs outside the normal range, and a user namespace to give the appearance of normality in the container.

A ps -efH screenshot in my host machine.

Note that everything below the container's init belongs to numeric UID 1000000, as seen from the host machine. Within the container, PID1 is UID root, as expected.

What does that mean? If, in the host machine, you have a filesystem owned by a normal user (maybe root, maybe regular user), and then bind-mount it in the container, the UIDs (which are stored as integers) make no sense within the container.

Further, because the UIDs the container sees don't even belong to its user namespace, not even root inside the container can chown those files.

Solution: In the host machine, chown the files so that they belong to root inside the container. In my case, as pictured above, I had to:

  • Mount tank/mydataset at /tank/mydataset in the host machine
  • chown 1000000:1000000 /tank/mydataset
  • (In the container config file) lxc.mount.entry = /tank/mydataset path/in/container/ none bind 0 0
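As an added example (not part of the answer above), a small POSIX sh helper that does the UID arithmetic of the user namespace: it maps a container UID to the host UID that must own the files, and back, and goes beyond the answer's root-only case by computing the host owner for an arbitrary container user such as user1. The idmap base 1000000, range 65536 and user1 = UID 1000 are assumed values; read the real ones from the container's lxc.idmap / /etc/subuid entries.

```shell
#!/bin/sh
# Added example, not from the original post. Assumed idmap: container UID 0
# maps to host UID 1000000, with 65536 UIDs mapped (typical /etc/subuid line).

# host_uid BASE RANGE CONTAINER_UID -> host UID, or fail if not in the map
host_uid() {
    base=$1; range=$2; cuid=$3
    if [ "$cuid" -lt 0 ] || [ "$cuid" -ge "$range" ]; then
        echo "container uid $cuid is outside the mapped range [0,$range)" >&2
        return 1
    fi
    echo $((base + cuid))
}

# container_uid BASE RANGE HOST_UID -> container UID, or "unmapped" when the
# host UID is not covered by the namespace (what the container shows as nobody)
container_uid() {
    base=$1; range=$2; huid=$3
    if [ "$huid" -lt "$base" ] || [ "$huid" -ge $((base + range)) ]; then
        echo unmapped
        return 0
    fi
    echo $((huid - base))
}

# dataset_chown BASE RANGE CONTAINER_UID CONTAINER_GID PATH
# Prints (does not run) the chown to execute on the host so that PATH is
# owned by the given container user:group inside the container.
dataset_chown() {
    hu=$(host_uid "$1" "$2" "$3") || return 1
    hg=$(host_uid "$1" "$2" "$4") || return 1
    echo "chown -R $hu:$hg $5"
}

# Walk-through with the assumed map: a host file owned by UID 1000 (user1 on
# the host) is unmapped in the container; user1 inside (UID 1000) needs 1001000.
container_uid 1000000 65536 1000                      # unmapped
dataset_chown 1000000 65536 0 0 /tank/mydataset       # root in the container
dataset_chown 1000000 65536 1000 1000 /tank/mydataset # user1 in the container
```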