For my home server, I run the majority of my services via LXC/LXD on Ubuntu. I started with LXC VMs and have slowly begun migrating to LXD containers. One of the key issues with using unprivileged containers is overcoming permissions issues when sharing files between the container guests and the host. I thought I'd share how I do it to gain insight from others on this sub.
With LXC, if you run unprivileged containers as root, the container takes root's subuid and subgid ranges (from /etc/subuid and /etc/subgid) and maps them onto UIDs/GIDs inside the container. For a primer on this, see this answer at Unix SE and the LXC Getting Started guide at Linuxcontainers.org. So for example, root's subuid/subgid range on my system starts at 200000 and is 65536 IDs long, which maps to container UIDs/GIDs as follows:

    200000 - 265535 -> 0 - 65535

In other words, container ID N is host ID 200000 + N. LXD uses unprivileged containers by default, so UIDs/GIDs are mapped the same way as for LXC unprivileged containers run as root.
Directories on the host can be bind mounted into LXC/LXD containers. However, a user inside the container has to have the correct permissions set up on the host directory in order to be able to read from or write to it, and the permission check is done against the mapped host ID, not the ID the user sees inside the container. A straightforward way is to change the host directory permissions so that the mapped container UID owns it. For example, permissions for a Movies directory for container UID 1000 (host UID 201000) could be set as follows on the host:

    root@host:~# chown -R 201000:201000 /mnt/Movies

This works in cases where only the container user needs access, and not any host users.
On the other hand, if users on the host and guest need read/write access, one methodology to set this up is with a combination of setgid and ACLs. Here’s what I do for my containers:
Set the group ownership to a host group, and set group write and setgid permissions:

    root@host:~# chgrp -R homeusers /mnt/Movies
    root@host:~# chmod -R 2775 /mnt/Movies

This way, any new files and subdirectories created inside the Movies directory inherit the homeusers group on the host, and new subdirectories also inherit the setgid bit (shown as rws in the group column). Note that chmod -R 2775 also sets setgid and group-execute on every existing regular file; if you would rather not make files executable, use chmod -R g+rwX and set g+s on the directories only. The permission bits of new files still come from the creating process (and from the default ACL set further down), not from the setgid bit. Add host users to the homeusers group as needed.

    root@host:~# usermod -aG homeusers fideli_
Next, inside containers, create a hostwrite group, and (optionally) set the GID.

    root@container:~# addgroup --gid 2000 hostwrite

Add container users to the hostwrite group as necessary.

    root@container:~# usermod -aG hostwrite debian-transmission
On the host, set ACLs such that the mapped hostwrite GID has write permissions. Container GID 2000 plus root's subgid base of 200000 is host GID 202000:

    root@host:~# setfacl -Rm g:202000:rwx,d:g:202000:rwx /mnt/Movies

What this does is ensure that the Movies folder (and its subfolders and files) grant rwx to GID 202000 (the hostwrite group in the guest), and that the default ACL on each directory also grants GID 202000 access to files and folders created later. As with chmod above, -R with rwx adds execute to existing regular files; using rwX in the access entry limits that to directories and files that are already executable.

    root@host:~# getfacl /mnt/Movies
    # file: /mnt/Movies
    # owner: fideli_
    # group: homeusers
    # flags: -s-
    user::rwx
    group::rwx
    group:202000:rwx
    mask::rwx
    other::r-x
    default:user::rwx
    default:group::rwx
    default:group:202000:rwx
    default:mask::rwx
    default:other::r-x
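The whole procedure above (derive the host ID from root's subgid entry, set group/setgid/ACLs on the host, create the group in the guest) as one script. This is an added example, not code from the original post: the /etc/subgid line is embedded as a constructed sample so the ID arithmetic can be tried anywhere, the device name movies and container name c1 in the usage comment are hypothetical, and share_setup / guest_setup need root on the host and in the guest respectively.

```shell
#!/bin/sh
# Added example (not from the original post). Automates the host-side and
# guest-side steps: derive the host GID for a container GID from root's
# /etc/subgid entry, then apply the setgid + ACL layout.

# Constructed sample of root's /etc/subgid entry (base 200000 as in the post).
SAMPLE_SUBGID='root:200000:65536'

# subid_line_for <user> <file>: first entry for <user> in /etc/subuid or /etc/subgid.
subid_line_for() {
    grep "^$1:" "$2" | head -n 1
}

# mapped_id <container_id> <subid_line>: print base + container_id.
# Fails if the container ID lies outside the mapped range; otherwise the
# ACL would silently grant access to an unrelated host ID.
mapped_id() {
    cid=$1
    base=$(printf '%s\n' "$2" | cut -d: -f2)
    count=$(printf '%s\n' "$2" | cut -d: -f3)
    if [ -z "$base" ] || [ -z "$count" ]; then
        echo "no usable subid entry: '$2'" >&2
        return 1
    fi
    if [ "$cid" -lt 0 ] || [ "$cid" -ge "$count" ]; then
        echo "container id $cid is outside the $count ids mapped for root" >&2
        return 1
    fi
    echo $((base + cid))
}

# share_setup <dir> <host_group> <container_gid> <subgid_line>
# Run as root on the host. Uses g+rwX plus per-directory g+s instead of
# chmod -R 2775 so existing regular files are not made executable or setgid.
share_setup() {
    dir=$1; hgroup=$2; cgid=$3
    hgid=$(mapped_id "$cgid" "$4") || return 1
    chgrp -R "$hgroup" "$dir"
    chmod -R g+rwX "$dir"
    find "$dir" -type d -exec chmod g+s '{}' +
    # rwX in the access entry (execute only for dirs / already-executable files),
    # rwx in the default entry, which new files and dirs inherit.
    setfacl -Rm "g:${hgid}:rwX,d:g:${hgid}:rwx" "$dir"
}

# guest_setup <gid> <user>...: run as root inside the container. Creates the
# hostwrite group with the agreed GID and adds the listed users to it.
guest_setup() {
    gid=$1; shift
    addgroup --gid "$gid" hostwrite
    for u in "$@"; do
        usermod -aG hostwrite "$u"
    done
}

# Usage (names from the post; 'movies' and 'c1' are hypothetical):
#   host#  share_setup /mnt/Movies homeusers 2000 "$(subid_line_for root /etc/subgid)"
#   host#  lxc config device add c1 movies disk source=/mnt/Movies path=/mnt/Movies
#   guest# guest_setup 2000 debian-transmission
```

Reading the subgid entry instead of hard-coding 202000 matters when root's range is not 200000 (Ubuntu's default starts at 100000) or when the container uses a custom raw.idmap; the range check in mapped_id catches a container GID that was never mapped at all.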
Now, new files created in the container have the UID associated with the container user (i.e. 200000-something on the host) but they all belong to the
Hope this helps someone out there. I definitely didn’t invent this, just synthesized it after reading a number of guides out there. The below references have some additional insight.
Looking forward to hearing if there’s a more elegant way of doing this. Thanks!
- LXD Issue 714 - Mounting directories r/w
- LXD Issue 872 - Implement a way to hot-plug mounts into container
Enable ACLs on a ZFS dataset (rpool/share is my dataset; substitute yours):

    apt install acl

Get the ZFS dataset name and enable POSIX ACLs (xattr=sa stores them in the inode for performance):

    zfs list
    zfs set acltype=posixacl rpool/share
    zfs set xattr=sa rpool/share