Incus containers and acl permissions

Hi All,

I am sharing a folder over multiple containers. However when I am giving a user in that specific container rwx access it is not working. User has no access to the files.

What am I doing wrong? And is this supported?

ACLs normally work fine, but depending on kernel, filesystem, … you may need to use the real uid/gid rather than what you see in the container.

With the default uid/gid map, that would mean granting access to 1001000 if you want user 1000 in the container to have access.

Hi stgraber,

Thanks for your reply. I have the following setup.

On my host I shared a folder through Incus. I can see the folder in the container and it works fine if I give it 777 permissions.

Now in my container I have a user with id 1005. This user does not exist on my host. On my host I give the 1005 user all permissions through setfacl.

I can see the permissions. However if I log in as the user in the container I have no rights.

Any ideas?

All my filesystems use zfs and the posix acl is on…

Hmm, I'm sorry,

I still have a problem and now I know what it is for this container.

Normally my containers are:

incus config set container security.nesting true
incus config set container security.privileged=true

If both these options are set I can see the right permissions in my container. However I have one container where I can not set this item. It gives me the following error:

Error: Invalid config: nvidia.runtime is incompatible with privileged containers

I have shared my video card in this container. Is there some way around it?

PS I need the nvidia.runtime true for the encoding in jellyfin…

You should really really try to stay away from security.privileged=true, it’s very rarely required and is very risky as those containers can pretty easily run actions as real root on your host.

If security.privileged was used only to make file sharing work better with the container, then there are better and safer ways to deal with that :slight_smile:

Could you give me a direction?

Because without this I can not use acl file permissions in containers?

For example, see here, How to manage the files of several Incus containers from a separate Incus container – Mi blog lah!
In this case, we create separate storage volumes and share those between containers.

Perfect, thank you for the info.

So is it safe to use:

security.nesting true

The security.nesting=true setting is also used in rare cases, and the purpose is to allow to create containers within a container. That is, the nesting of a container within a container. Typical example, when you want to run Incus inside an Incus container.

The main benefit in running containers with Incus, is that your containers have the least amount of privileges. That’s good. When you enable security.nesting=true on a container, you give away a few more privileges. When you enable security.privileged=true, then you gave away the whole lot of privileges. In a way it defeats the purpose of containers but it’s supported for those specific cases where you really need it.

Having said that, security.nesting is only useful when you want the ability to launch containers within an Incus container. That could be Incus containers, or perhaps some other implementation of Linux containers.

One question,

When I do it this way, is it then possible to use setfacl? And have write permissions for several users?

What I am trying to do is the following.

I have a zfs pool on my host that I attached to the container.

Now I want to use user access rights. Acl is not working. Can I get it working when I use your example? Or is it not possible this way and should I use another solution?

Thanks for your help.

Hi,

I changed everything back so acl usage is not possible anymore in my containers. How could we use user rights inside containers?

I have a hdd folder inside my host that I share with multiple containers.

How could I give users that exist inside a container rights to this folder?

If I now do a setfacl for a userid on the host it all shows up in the container as a different user id. The id in the containers is for all users

default:user:4294967295:rwx

How would you guys handle this?
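The two observations in this thread (that container uid 1000 is host uid 1001000 under the default map, and that a host ACL for an id outside the map shows up in the container as 4294967295) follow from the same uid translation. The script below is an added example, not code from the thread or from Incus; it assumes the default Incus map of base 1000000 and size 1000000000, and it only prints the setfacl command rather than running it. The real map for a container is in `volatile.idmap.current`, which this example does not read.

```shell
#!/bin/sh
# Added example: translate uids between an unprivileged Incus container and the
# host. MAP_BASE/MAP_SIZE are the assumed default Incus map; check the real one
# with `incus config get <container> volatile.idmap.current` before relying on it.
MAP_BASE=1000000
MAP_SIZE=1000000000
OVERFLOW_ID=4294967295   # id the kernel shows for an id that has no mapping

# host_uid <container_uid>: host id that owns files created by that container user
host_uid() {
    if [ "$1" -ge 0 ] && [ "$1" -lt "$MAP_SIZE" ]; then
        echo $(( MAP_BASE + $1 ))
    else
        echo "$OVERFLOW_ID"
    fi
}

# container_uid <host_uid>: what the container sees for a host id. A host id
# outside the map (for example host uid 1005 granted with setfacl on the host)
# has no container counterpart and collapses to the overflow id, which is why
# the ACL showed up as default:user:4294967295:rwx inside the container.
container_uid() {
    if [ "$1" -ge "$MAP_BASE" ] && [ "$1" -lt $(( MAP_BASE + MAP_SIZE )) ]; then
        echo $(( $1 - MAP_BASE ))
    else
        echo "$OVERFLOW_ID"
    fi
}

# setfacl_cmd <container_uid> <host_path>: the host-side command that grants
# rwx to the shifted id (printed, not executed)
setfacl_cmd() {
    echo "setfacl -m u:$(host_uid "$1"):rwx $2"
}

# Usage: ./uidmap.sh <container_uid> [host_path]
if [ "$#" -ge 1 ]; then
    setfacl_cmd "$1" "${2:-/srv/shared}"
fi
```

Run it as `./uidmap.sh 1005 /srv/shared` to get the setfacl line for container user 1005 under the assumed map. With `shift=true` on the disk device (as in the later answer) the kernel does this translation for you and the ACL can be set with the container's own ids, so the script is only needed when shifting is not available.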

@stgraber @simos

I am struggling a lot with this issue.

stgraber@dakara:~$ incus launch images:ubuntu/24.04 u1
Launching u1
stgraber@dakara:~$ incus launch images:ubuntu/24.04 u2
Launching u2
stgraber@dakara:~$ mkdir shared
stgraber@dakara:~$ incus config device add u1 shared disk source=/home/stgraber/shared path=/mnt/shared shift=true
Device shared added to u1
stgraber@dakara:~$ incus config device add u2 shared disk source=/home/stgraber/shared path=/mnt/shared shift=true
Device shared added to u2
stgraber@dakara:~$ incus exec u1 -- ls -lh /mnt/
total 1.5K
drwxr-xr-x 2 ubuntu ubuntu 2 Jul 30 22:46 shared
stgraber@dakara:~$ incus exec u2 -- ls -lh /mnt/
total 1.5K
drwxr-xr-x 2 ubuntu ubuntu 2 Jul 30 22:46 shared
stgraber@dakara:~$ 

Hi @stgraber

Thanks for your reply. When I do shift=true, debian tells me idmapping is not supported on zfs?

idmapping abilities are required but aren’t supported on system

I am using zfs version 2.1.11-1

@stgraber

I see idmap is not supported with this version of zfs.
I will upgrade zfs with debian backports and try with this version.

@stgraber

With the new zfs version and shift=true I can now even use acl permissions.

Thank you for your help.