Once that’s complete, we can select our container from the server list on the left, navigate to it’s permissions, and click “Add” to give it our group permission and the role. Give the new role a name like “DataAccessRole” and assign it the storage related privileges, which are the ones that start with “Datastore.” as well as “Pool.Allocate” and “Pool.Audit.” We’ll also go on to select “Roles” below “Groups” and create a new role. Give it a name like “shared_file_access” and a description so you know what it does. Permissions management for a Proxmox DatacenterĪfter that, click the “Create” button to make a new group permission. ** Update: As noted by commenters, this process does not work for SMB shares. In your case, it may be SMB/CIFS or Directory but in my case, it’s NFS. Click the “Add” button and select the appropriate storage option.
Under Storage View, click the Datacenter, then click Storage. The first step, is making sure the Proxmox host has access to the Network File Share (NFS). I don’t want this container to be able to do anything on the host but I would like it to be able to read and write from a shared media folder on my network. In my example, I have an unpriv LXC running Plex. That’s all well and good, but what if you want to share storage across your unprivileged containers? There are presumably ways that you can punch holes in AppArmor but Proxmox does in fact, make it simple. This ensures that if an attacker were to compromise the container, they would have no permissions on the host machine. They are relegated to the nobody user and nogroup group. By design, unprivileged LXC containers (henceforth known as unpriv LXC) have no permissions on the host machine. The host machine already has a kernel (unlike a VM which is given its own kernel), so when running a container, the host machine kernel is shared with the container and is managed by the host as another user on the system. This is all accomplished by using existing features of the Linux kernel and its user space. Why? Containers are great because they reduce resources consumed, segment logic, and are quickly reproduced. I could possible sidestep this problem by starting a VM but I like containers. Since starting my homelab years ago, one issue that has plagued me has been giving write access to my unprivileged LXC containers in a shared storage. By this point, it’s only frustrating when I realize that I didn’t check the permissions first. When ever I run into an issue during GNU/Linux server administration, 9 times out of 10, it’s due to permissions. If you find other issues or learn why this is the case, leave a comment below or fill out the contact form. Thanks to Alex in the comments for these findings. This post outlines the process with NFS shares. Update: As evident by the comments on this post, it seems this method may not work for all installs.
0 kommentar(er)
