Mount SMB with id shifting

Hi,

I am trying to mount a Samba share on a Debian 12 (6.1.0-16-amd64) host inside an Ubuntu 22.04 container.

dpkg -l | grep lxd
ii  lxd                           5.0.2-5                        amd64        Powerful system container and virtual machine manager - daemon
ii  lxd-agent                     5.0.2-5                        amd64        LXD guest agent
ii  lxd-client                    5.0.2-5                        amd64        Powerful system container and virtual machine manager - client

I am following the guides that worked on older versions.

But with id shifting on newer kernels I am a bit lost. When I try to add the mounted SMB share, I get the following error.

lxc config device add name lxdshare disk shift=true source=/mnt/path/ path=/mnt/test
Error: Failed to start device "lxdshare": Required idmapping abilities not available

I can add the device without the shift parameter. But then I don’t have write permissions.

Do I have to disable id shifting completely to make it work?

Regards

cifs doesn’t support idmap shifting yet. Your best bet is to instead perform the mount from inside the container using a FUSE version of cifs.

smbnetfs looks like a potential candidate for this.

If you can add a disk device without shift, maybe try setting up an idmap for the container? For the default ubuntu user with UID 1000 and GID 1000 that would be:

printf "uid $(id -u) 1000\ngid $(id -g) 1000" | lxc config set <container_name> raw.idmap -
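
A check to run before applying the raw.idmap suggested above (an added example, not part of the original posts): it prints the map only if root is delegated the host UID and GID in the subordinate-id files, and otherwise names the missing entry. It assumes an LXD or Incus install that honours /etc/subuid and /etc/subgid; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: validate a raw.idmap entry before applying it.
# Assumption: the daemon honours /etc/subuid and /etc/subgid
# (line format: name:first_id:count).

# subid_covers FILE USER ID -> exit 0 if USER is delegated ID in FILE
subid_covers() {
    awk -F: -v u="$2" -v id="$3" '
        $1 == u && id + 0 >= $2 + 0 && id + 0 < $2 + $3 { ok = 1 }
        END { exit !ok }' "$1"
}

# build_idmap HOST_UID HOST_GID CT_UID CT_GID -> prints the raw.idmap value
build_idmap() {
    printf 'uid %s %s\ngid %s %s\n' "$1" "$3" "$2" "$4"
}

# check_and_build SUBUID_FILE SUBGID_FILE HOST_UID HOST_GID CT_UID CT_GID
# Prints the map only when root is delegated both host ids; otherwise
# reports the missing delegation on stderr and returns 1.
check_and_build() {
    rc=0
    subid_covers "$1" root "$3" || { echo "add to $1: root:$3:1" >&2; rc=1; }
    subid_covers "$2" root "$4" || { echo "add to $2: root:$4:1" >&2; rc=1; }
    [ "$rc" -eq 0 ] && build_idmap "$3" "$4" "$5" "$6"
    return "$rc"
}

# Usage on the host (container name is a placeholder):
# check_and_build /etc/subuid /etc/subgid "$(id -u)" "$(id -g)" 1000 1000 \
#     | lxc config set <container_name> raw.idmap -
```

The map lets processes in the container act as that host user on every path the container can reach, so keep it to the single UID and GID that own the share.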

Are there any other options for mounting SMB/CIFS shares in an unprivileged container? I couldn’t get smbnetfs to work, the project hasn’t been updated in many years, and the project has little documentation.

In this video, the author is mounting SMB/CIFS inside a container using regular cifs-utils. Have you tried that?

Yes, I did happen to watch this video before asking my question. The video doesn’t specify whether the container was privileged or unprivileged, though I suspect it was privileged. I tried unsuccessfully to mount an SMB/CIFS share in an unprivileged container:

derek@proxmox:~$ incus exec faithful-colt bash
root@faithful-colt:~# mount --types cifs --options defaults,credentials=/root/credentials.txt --verbose //192.168.0.2/Archive Mounts/Archive
mount.cifs kernel mount options: ip=192.168.0.2,unc=\\192.168.0.2\Archive,user=derek,domain=WORKGROUP,pass=********
mount error(1): Operation not permitted
Refer to the mount.cifs(8) manual page (e.g. man mount.cifs) and kernel log messages (dmesg)

By comparison, I successfully mounted the same SMB/CIFS share in a privileged container:

derek@proxmox:~$ incus start in-goat
derek@proxmox:~$ incus config get in-goat security.privileged
true
derek@proxmox:~$ incus exec in-goat bash
root@in-goat:~# mount -t cifs --types cifs --options credentials=/root/credentials.txt --verbose //192.168.0.2/Archive Mounts/Archive
mount.cifs kernel mount options: ip=192.168.0.2,unc=\\192.168.0.2\Archive,user=derek,domain=WORKGROUP,pass=********
root@in-goat:~# ls -la Mounts/Archive/
total 1
drwxr-xr-x 2 root root 0 Dec 22 01:46 .
drwxr-xr-x 3 root root 3 May  5 18:00 ..
drwxr-xr-x 2 root root 0 Apr 16 09:33 Backup
drwxr-xr-x 2 root root 0 Apr 25  2023 Data
drwxr-xr-x 2 root root 0 May  3 18:48 Documents
drwxr-xr-x 2 root root 0 Nov 30  2022 Media

In this similar video, Don Hui at Novaspirit Tech creates a privileged Proxmox container that connects to an SMB/CIFS share. I would really prefer not to create numerous privileged containers just so that they can connect to my NAS file system.