Unprivileged LXC
What are unprivileged Linux containers (LXC)? Unprivileged containers are considered more secure than privileged ones. In an unprivileged container the container's UIDs and GIDs, root (UID 0) included, are mapped to an unprivileged ID range on the host; on Proxmox VE the default map places container IDs 0-65535 at host IDs 100000-165535. An attacker who compromises the container through a vulnerability in the software it runs and then breaks out of it lands on the host as that unprivileged user, not as root, which sharply limits what the compromise is worth on the host. In short, unprivileged containers are designed to confine the container's root user and thereby protect the host. The confinement has side effects, though. The container's root holds no capabilities in the host's namespace, and mounting a filesystem from inside a user namespace is only permitted for a few filesystem types (cifs is not among them), so running mount for an SMB share inside a PVE unprivileged LXC, the way you would on an ordinary Linux system, fails with a permission error:
mount error(1): Operation not permitted
So what do we do when we want an external SMB directory inside such a container? We have to go round the long way: first mount the SMB share on the PVE host, then bind-mount that host directory into the unprivileged container as an LXC mount point.
Note: the following commands are run on the PVE host.
First, mount the share that the container needs onto the PVE host
Install the cifs-utils package
apt-get install cifs-utils
Create a mount directory
mkdir -p /mnt/share/
Run the mount command (the share and the mount point are two separate arguments; quote the share name if it contains spaces)
mount -t cifs -o username=account,password=password //your-ip/shared_directory /mnt/share
Then map the PVE host directory into the unprivileged LXC container as a mount point
pct set <CT id> -mp0 /mnt/share,mp=/mnt/share
Further directories mounted later become mp1, mp2 and so on.
Restart the LXC container, then check from inside the container
ls /mnt/share
If the contents of the SMB share are listed, the mount works. Note the ownership, though: a CIFS mount presents its files with the uid and gid given in the mount options (root, 0, if none are given), and that host uid is outside the container's ID map, so inside the container the files appear as nobody/nogroup. If a non-root user in the container needs to write to the share, mount it on the host with uid= and gid= set to the host IDs that user maps to (container ID plus 100000 with the default map).
Note: if you want PVE to mount the SMB share automatically at boot, edit /etc/fstab and add a line like the following (add _netdev so the mount waits for the network, and prefer credentials=/path/to/file with mode 0600 over a plain-text password in the world-readable fstab):
//your-ip/shared_directory /mnt/share cifs defaults,username=account,password=password 0 0
This is covered in my other article: Debian series: automatically mount SMB at startup
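The whole host-side procedure above (mount on the PVE host, fstab entry, pct mount point), as an added example that is not code from the original article. Its extra step is the uid/gid mapping: it reads the container's ID map and mounts the share with the host uid/gid that the chosen container user maps to, so the files are writable by that user inside the container instead of showing up as nobody/nogroup. The Proxmox default ID map (0 to 100000, 65536 IDs), the CT id 101, container uid 1000, the share, the mount point and the credentials file path are assumptions, not values from the article; without --apply the script only prints the commands it would run.

```sh
#!/bin/sh
# Added example for the procedure above; it is not code from the original
# article. Run it on the PVE host: without arguments it only prints what it
# would do, with --apply it mounts the share, adds the fstab entry and
# attaches the mount point to the container.
#
# Why the extra work: a CIFS mount presents every file with the uid/gid given
# in its mount options (root, 0, if none). Seen from an unprivileged container
# that host uid lies outside the container's idmap, so the files appear as
# nobody/nogroup and non-root container users cannot write. The script works
# out which host uid/gid the chosen container user maps to and mounts with those.
#
# Assumptions not taken from the article: the Proxmox default idmap
# (u/g 0 -> 100000, 65536 ids) and the placeholder CT id, container uid, share,
# mount point and credentials file below.

# Print a container's idmap as lines of "<u|g> <ct start> <host start> <count>".
# Custom maps are "lxc.idmap:" lines in /etc/pve/lxc/<ctid>.conf; with none
# present PVE applies the default map.
container_idmap() {
    local conf="/etc/pve/lxc/$1.conf"
    if [ -r "$conf" ] && grep -q '^lxc.idmap:' "$conf"; then
        sed -n 's/^lxc.idmap: *//p' "$conf"
    else
        printf 'u 0 100000 65536\ng 0 100000 65536\n'
    fi
}

# map_id <u|g> <id inside the container>, idmap lines on stdin.
# Prints the host id; returns 1 when the id falls in no mapped range.
map_id() {
    local kind="$1" ct_id="$2" k ct_start host_start count
    while read -r k ct_start host_start count; do
        [ "$k" = "$kind" ] || continue
        if [ "$ct_id" -ge "$ct_start" ] && [ "$ct_id" -lt $((ct_start + count)) ]; then
            echo $((host_start + ct_id - ct_start))
            return 0
        fi
    done
    return 1
}

# cifs_opts <credentials file> <uid> <gid>
# A credentials file (mode 0600, lines "username=..." and "password=...")
# keeps the password out of ps, shell history and the world-readable fstab.
cifs_opts() {
    printf 'credentials=%s,uid=%s,gid=%s,file_mode=0660,dir_mode=0770' "$1" "$2" "$3"
}

# cifs_fstab_line <share> <mountpoint> <options>; _netdev waits for the network.
cifs_fstab_line() {
    printf '%s %s cifs %s,_netdev 0 0\n' "$1" "$2" "$3"
}

CTID="${CTID:-101}"                          # placeholder container id
CT_UID="${CT_UID:-1000}"                     # container user that should own the files
CT_GID="${CT_GID:-$CT_UID}"                  # its primary group (assumed equal to the uid)
SHARE="${SHARE:-//your-ip/shared_directory}" # placeholder share
MNT="${MNT:-/mnt/share}"
CREDS="${CREDS:-/root/.smbcredentials}"      # placeholder credentials file

HOST_UID=$(container_idmap "$CTID" | map_id u "$CT_UID") \
    || { echo "uid $CT_UID is not mapped in CT $CTID" >&2; exit 1; }
HOST_GID=$(container_idmap "$CTID" | map_id g "$CT_GID") \
    || { echo "gid $CT_GID is not mapped in CT $CTID" >&2; exit 1; }
OPTS=$(cifs_opts "$CREDS" "$HOST_UID" "$HOST_GID")

if [ "${1:-}" = "--apply" ]; then
    mkdir -p "$MNT"
    mount -t cifs -o "$OPTS" "$SHARE" "$MNT"
    grep -qF " $MNT cifs " /etc/fstab || cifs_fstab_line "$SHARE" "$MNT" "$OPTS" >> /etc/fstab
    pct set "$CTID" -mp0 "$MNT,mp=$MNT"
else
    echo "# dry run (container uid $CT_UID -> host uid $HOST_UID); re-run with --apply"
    echo "mount -t cifs -o $OPTS $SHARE $MNT"
    cifs_fstab_line "$SHARE" "$MNT" "$OPTS"
    echo "pct set $CTID -mp0 $MNT,mp=$MNT"
fi
```

With the default map, container uid 1000 becomes host uid 101000, so the share is mounted with uid=101000,gid=101000 and the container user sees its own files. If the container carries custom lxc.idmap lines (for example the common pattern that maps one container uid straight to the same host uid), map_id follows those ranges instead, and it refuses to continue if the requested id is not mapped at all.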