Unprivileged LXCs - Mount CIFS Shares
The Privileged LXC is not safe and the unprivileged LXC does not allow to mount CIFS/SMB shared folder anymore.
Special thanks to TheHellSite for this tutorial. Just copy it to my blog for backup. [TUTORIAL] - Tutorial: Unprivileged LXCs - Mount CIFS shares
1. How does it work?§
By default, the CIFS shares are mounted as user root(uid=0) and group root(gid=0) on the PVE host which makes them inaccessible to other users, groups, and LXCs.
This is because UIDs/GIDs on the PVE host and LXC guests are both starting at 0. But a UID/GID=0 in an unprivileged LXC is actually a UID/GID=100000 on the PVE host. See the link below for more information.
So, just simply mount the CIFS share to the UID that belongs to the unprivileged LXC root user, which by default is always uid=100000.
But instead of also mounting it to the GID of the LXC root user, your are going to create a group in your LXC called lxc_shares with a gid=10000 which refers to gid=110000 on the PVE host.
PVE host (UID=100000/GID=110000) <--> unprivileged LXC (UID=0/GID=10000)
2. Create a new group in the LXC§
Create the group “lxc_shares” with GID=10000 in the LXC which will match the GID=110000 on the PVE host.
1groupadd -g 10000 lxc_shares
bashAdd the user(s) that need access to the CIFS share to the group “lxc_shares”.
ex: jellyfin, plex, … (the username depends on the application).
1usermod -aG lxc_shares USERNAME
bashShutdown the LXC.
3. Mount CIFS on the PVE host§
Create a folder to mount CIFS/SMB shared folder.
1mkdir -p /mnt/lxc
bashCreate a credentials file /root/.smbcredentials
1username=your_username
2password=your_password
bashAdd the script below to /etc/fstab for automatically mount.
1//XPEnology/lxc/ /mnt/lxc cifs _netdev,x-systemd.automount,noatime,uid=100000,gid=110000,dir_mode=0770,file_mode=0770,credentials=/root/.smbcredentials 0 0
bashModify the script to suitable your system.
//XPEnology/lxc: match your CIFS hostname (or IP)
After that, mount the CIFS/SMB shared folder on the PVE host
1systemctl daemon-reload
2mount -a
bash4. Bind mount to the LXC§
Open the LXC configuration and add the below to the config
1nano /etc/pve/lxc/<Container_ID>.conf
bash1mp0: /mnt/lxc,mp=/mnt/lxc
bashNow, your LXC configuration will look like this.
Since done, start the LXC.