I have been using linux for a couple of years already, very casually, just browser, media, games. Recently I bought dell micro pc and installed proxmox on it. I don’t have a lot of hdds or raid or anything, just one 6tb usb external drive. I know, I could lose everything, but I don’t have anything important in there, just media. It’s a relatively new drive, so I hope it will hold for at least half a year, and then I plan to buy proper hdds.

Hdd is connected to the proxmox host with usb, and then with mount points to lxc containers. Audiobooshelf, samba, qbittorent, all containers are debian 12.

When I download book with qB lxc, it automatically shows up in audiobookshelf (abs) lxc thanks to mount points. Abs can play it but, I can’t change cover, delete, move it etc, because of permissions. This screenshot is from proxmox host.

Same thing happes when I manually upload the book to audiobookshelf, then other lxc containers have problem accessing it. Or when I upload something to the server with samba.

I know how to change it with chmod and chown, but when I download new book it is the same thing again, I don’t want to manually change permissions and ownership every time new folder/file appears in hdd. In lxc container I cant even change ownership, it says: “Operation not permitted” even though I have root.

This is my samba config. It’s terrible and unsecure, but after 2 days of trying to make it work, I just wanted to try everything. I will probably switch to nfs, idk if it will help.

I’m really lost, idk how to make lxc containers talk to each other through those mounts points without breaking permissions/ownership. Is there some other way? Idk if there is a very simple solution and I just made fool of myself. I know that root and 777 eveywhere is bad idea, but I wanted to at least first get everything working. And I don’t plan to connect anything to the internet in the near future anyways.

It’s really late here, and I have to work tomorrow, so I won’t be able to reply until tomorrow evening.

  • 4am@lemm.ee
    link
    fedilink
    English
    arrow-up
    10
    ·
    edit-2
    7 months ago

    It’s UID/GID 10000 on the host because you are using an unprivileged LXC container. Unprivileged means that “root” inside the container (which is just a user space of the host with access restrictions) is user 10000 on the host - this is so that files and processes inside the container don’t run with the real UID zero, where they could plant a malicious file, or run a malicious program that escapes containment that ends up with root access on the host.

    Quickest way to make this work over samba is to force user 10000 and force group 10000. That way everything connecting to Samba would see the files as their own.

    Honestly the better solution is to make your software inside the containers run with a local non-root user (which would be something like 10001) and then force samba to use that. Then nothing is running as root in or out of the containers. Samba will still limit access to shares based on the samba login, but for file access purposes it will still use the read/write levels of your non-root user (because of the force- directives)

    • Cossty@lemmy.worldOP
      link
      fedilink
      English
      arrow-up
      1
      ·
      7 months ago

      Thx this sounds like the best solution. Definitely trying it out. Idk how well I will be able to do it, Because I didn’t even made those containers myself. I just used proxmox helper scripts. Something came up today and I didn’t have time again, will try it tomorrow.

  • LifeBandit666@feddit.uk
    link
    fedilink
    English
    arrow-up
    7
    ·
    edit-2
    7 months ago

    I’ve solved this exact issue and numerous others with samba / CIFS recently. This is how I have my Proxmox on a mini pc with usb mounted HDDs at present:

    1 VM Home Assistant OS, not relevant really

    1 VM OMV Open Media Vault.

    1 VM Debian with Docker installed.

    So in my experience over the last few months you want your usb drive to have absolutely nothing to do with Proxmox. Nope.

    I had 3 hooked in mounted in Proxmox and when one of them threw a fit Proxmox refused to load.

    Better to have a NAS VM installed and have the drive(s, I have 3, 2x1tb and 1x750gb) passed straight through, whole usb, to the NAS VM.

    This means if the drive fails Proxmox doesn’t break, and also in my experience with OMV, it’ll still run if a drive breaks

    Then what I did was set up the shares and made them samba in OMV then set my other VM, the Debian one, with mount points in the Fstab.

    The key for me in this endeavour was to make sure the Fstab entry made sure that the OS wouldn’t fail if it couldn’t find a drive, as happened in Proxmox, so I made sure “nofail” was somewhere in the Fstab config.

    For Samba to work in Linux you need to install cifs-utils, then add a line in /etc/fstab. Mine goes:

    //omv.local/sharename /mnt/filename cifs credentials=/etc/cifs-credentials,file_mode=0777,dir-mode=0777,auto,nofail,vers=3.0 0 0

    You have to create the mount point mkdir /mnt/filename and give it permissions with chmod

    You also need to made the cifs-credentials file in /etc/

    It needs to contain:

    username=yourusername password=yourpassword domain=WORKGROUP

    Then what I do for Audiobookshelf and whatnot is mount the mount point as directories in Portainer under the volumes: - /mnt/Downloads:/Downloads

    Then in the UI of the service I’m using in Docker I can use the Downloads folder and it’s the mount point.

    This is what’s working well for me. If a drive fails I try and fix it in OMV instead of trying to plug a monitor into my mini pc to try and work out from the logs why Proxmox has failed…

    Use this comment as a framework for your research and save yourself some heartache. You can mount the CIFS/Samba share to Proxmox and use that, so you can still use the drive in Proxmox for backups and such

    • Cossty@lemmy.worldOP
      link
      fedilink
      English
      arrow-up
      1
      ·
      7 months ago

      Thx for providing some alternative. I think I will still try to first make it work with mount points and local users. But I appreciate your post and will keep it in mind if I need to use it later.

  • nitrolife@rekabu.ru
    link
    fedilink
    English
    arrow-up
    2
    ·
    7 months ago

    the idea is that: all your applications work under the same user. or at least under the same group. because this is exactly how the differentiation of rights is applied.

    A good plan is to create some kind of user in all three containers and run qbittorrent, samba and the third application under it.

    A bad plan is to run everything under a random user with 777 rights, but this is a really bad plan.

    Create a user in all three containers and work under it. That is not hard. Run qbittorent with that user. Config will be there: /home/user/.config . Then set that user for samba. I don’t know third app , but I think you can find how change user in manual.

      • 4am@lemm.ee
        link
        fedilink
        English
        arrow-up
        3
        ·
        7 months ago

        NFS is always cranky for me, and you can’t get it to use symlinks at all (yeah Samba’s implementation is janky but at least it exists)

        • minnix@lemux.minnix.dev
          link
          fedilink
          English
          arrow-up
          2
          ·
          7 months ago

          NFS does symlinks but they have to be configured correctly.

          Samba may have not given you issues in the past, but it also doesn’t give you any security.

            • minnix@lemux.minnix.dev
              link
              fedilink
              English
              arrow-up
              1
              ·
              7 months ago

              Elaborate on why samba is bad when it comes to security? Like list a bunch of links like this or write a paragraph summarizing them like a chatbot?

    • Cossty@lemmy.worldOP
      link
      fedilink
      English
      arrow-up
      1
      ·
      7 months ago

      Ok, that doesn’t sound hard. I hope there are no more unforeseeable problems. When I create the new user in containers, should I create the same user in proxmox host and change ownership of the hdd, and all existing files in it, to it? Probably yes, right? Don’t have time today again, will try it tomorrow after work.

    • nitrolife@rekabu.ru
      link
      fedilink
      English
      arrow-up
      2
      ·
      7 months ago

      Topic starter don’t use docker containers. He use lxc containers. LXC is virtual machines on host kernel. Case is that: He have 3 virtual machines with shared disk. In 3 VMs have 3 different applications. Applications work under different users and can’t rewrite data on shared disk. That is user permissions problem.

  • Decronym@lemmy.decronym.xyzB
    link
    fedilink
    English
    arrow-up
    1
    ·
    edit-2
    7 months ago

    Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I’ve seen in this thread:

    Fewer Letters More Letters
    LXC Linux Containers
    NAS Network-Attached Storage
    NFS Network File System, a Unix-based file-sharing protocol known for performance and efficiency

    [Thread #794 for this sub, first seen 10th Jun 2024, 15:55] [FAQ] [Full list] [Contact] [Source code]