Unprivileged LXCs - Mount CIFS Shares

A privileged LXC is not safe, and an unprivileged LXC no longer allows mounting a CIFS/SMB shared folder directly.

Special thanks to TheHellSite for this tutorial. I just copied it to my blog for backup. [TUTORIAL] - Tutorial: Unprivileged LXCs - Mount CIFS shares

1. How does it work?

By default, CIFS shares are mounted as user root (uid=0) and group root (gid=0) on the PVE host, which makes them inaccessible to other users, groups, and LXCs.

This is because UIDs/GIDs on the PVE host and in LXC guests both start at 0, but UID/GID=0 in an unprivileged LXC is actually UID/GID=100000 on the PVE host. See the link below for more information.

Unprivileged LXC containers - Proxmox VE

So, simply mount the CIFS share with the UID that belongs to the unprivileged LXC root user, which by default is always uid=100000.

But instead of also mounting it with the GID of the LXC root user, you are going to create a group in your LXC called lxc_shares with gid=10000, which corresponds to gid=110000 on the PVE host.

PVE host (UID=100000/GID=110000) <--> unprivileged LXC (UID=0/GID=10000)

2. Create a new group in the LXC

Create the group “lxc_shares” with GID=10000 in the LXC which will match the GID=110000 on the PVE host.

groupadd -g 10000 lxc_shares

Add the user(s) that need access to the CIFS share to the group “lxc_shares”.

For example: jellyfin, plex, … (the username depends on the application).

usermod -aG lxc_shares USERNAME

Shut down the LXC.

3. Mount CIFS on the PVE host

Create a folder as the mount point for the CIFS/SMB shared folder.

mkdir -p /mnt/lxc

Create a credentials file /root/.smbcredentials:

username=your_username
password=your_password

Add the line below to /etc/fstab so the share is mounted automatically.

//XPEnology/lxc/ /mnt/lxc cifs _netdev,x-systemd.automount,noatime,uid=100000,gid=110000,dir_mode=0770,file_mode=0770,credentials=/root/.smbcredentials 0 0

Modify the line to suit your system.

  • //XPEnology/lxc: match your CIFS hostname (or IP)

After that, mount the CIFS/SMB shared folder on the PVE host:

systemctl daemon-reload
mount -a
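The ID mapping from section 1 applied to the fstab entry above, as an added example that is not part of the original tutorial. It assumes the default Proxmox mapping (container IDs 0..65535 map to host IDs 100000..165535); the function names are hypothetical.

```bash
#!/usr/bin/env bash
# Added example: check a CIFS fstab entry against the unprivileged-LXC ID mapping.
# Assumption: Proxmox default mapping, container IDs 0..65535 -> host 100000..165535.
MAP_HOST_START=100000
MAP_COUNT=65536

# Translate a container UID/GID to its host UID/GID; fail outside the mapped range.
to_host_id() {
    local cid="$1"
    if [ "$cid" -lt 0 ] || [ "$cid" -ge "$MAP_COUNT" ]; then
        echo "container id $cid is outside the mapped range" >&2
        return 1
    fi
    echo $((MAP_HOST_START + cid))
}

# Print the value of one key=value option from a comma-separated mount option string.
mount_opt() {
    local opts="$1" key="$2" o
    local IFS=,
    for o in $opts; do
        case $o in "$key"=*) echo "${o#*=}"; return 0 ;; esac
    done
    return 1
}

# Verify that uid=/gid= are the host IDs of the given container uid/gid and that
# dir_mode/file_mode end in 0, i.e. grant nothing to "other" users on the host.
check_fstab_line() {
    local line="$1" want_uid want_gid opts m
    want_uid=$(to_host_id "$2") && want_gid=$(to_host_id "$3") || return 1
    opts=$(echo "$line" | awk '{print $4}')
    [ "$(mount_opt "$opts" uid)" = "$want_uid" ] || { echo "uid mismatch"; return 1; }
    [ "$(mount_opt "$opts" gid)" = "$want_gid" ] || { echo "gid mismatch"; return 1; }
    for m in dir_mode file_mode; do
        case $(mount_opt "$opts" "$m") in
            *0) ;;
            *) echo "$m is missing or grants access to other"; return 1 ;;
        esac
    done
    echo "ok"
}

# The fstab entry from this page, checked for container root (uid 0) and
# the lxc_shares group (gid 10000).
ENTRY='//XPEnology/lxc/ /mnt/lxc cifs _netdev,x-systemd.automount,noatime,uid=100000,gid=110000,dir_mode=0770,file_mode=0770,credentials=/root/.smbcredentials 0 0'
check_fstab_line "$ENTRY" 0 10000 || true
```

The credentials file stores the share password in clear text, so keep /root/.smbcredentials owned by root with mode 0600.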

4. Bind mount to the LXC

Open the LXC configuration file and add the mount point line below to it.

nano /etc/pve/lxc/<Container_ID>.conf

mp0: /mnt/lxc,mp=/mnt/lxc

Now, your LXC configuration will look like this.

[Image: mount-lxc.png]

Once done, start the LXC.