How can I share a folder between the host system (ubuntu 14.04) and an ubuntu lxc container?
I tried mounting the folder on the host:
sudo mount --bind /media/data/share /media/data/container/name/rootfs/share
but I can't see any files.
The same goes for:
sudo ln -s /media/data/share /media/data/container/name/rootfs/share
Do I need to change permissions for the share folder?
According to the LXC documentation you can do this via a privileged container:
lxc launch ubuntu priv -c security.privileged=true
lxc config device add priv homedir disk source=/home/$USER path=/home/ubuntu
I found an article in the openSUSE wiki: https://en.opensuse.org/User:Tsu2/LXC_mount_shared_directory
I followed the steps and it works now.
Create host directory:
mkdir /media/data/share && chmod 7777 /media/data/share
Create directory in lxc container:
mkdir /share
Edit lxc config file on host:
nano /var/lib/lxc/containername/config
lxc.mount.entry = /media/data/share share none ro,bind 0.0
Below is what I have done to mount one of my host directory to the container. This is trickier than it sounds because we would like to achieve
After reading various articles online (the most helpful one is this github issue), here is how I solve this. The trick is to map the uid and gid of the host user to the uid and gid of the user inside the container.
Suppose I am going to mount /home/breakds/projects to the exact same location in the container. The outside directory is owned by the user breakds, whose uid and gid are 1000.
I then created an user in the container called debian, whose uid and gid happened to be 1000 as well (because it is the first non root user). I will then create an (lxc) profie on the host by
lxc profile edit breakds
And below is the content of the profile (I believe it is in yaml format):
name: breakds
config:
raw.lxc: |
lxc.id_map =
lxc.id_map = u 0 165536 999
lxc.id_map = g 0 165536 999
lxc.id_map = u 1000 1000 1
lxc.id_map = g 1000 1000 1
lxc.id_map = u 1001 166537 64535
lxc.id_map = g 1001 166537 64535
user.vendor-data: |
packages:
- bash
description: allow home dir mounting for breakds
devices:
eth0:
name: eth0
nictype: bridged
parent: lxdbr0
type: nic
projects:
path: /home/breakds/projects
source: /home/debian/projects
type: disk
Then, apply this profile to that container permanently:
$ lxc profile apply <my container> breakds
This should do the trick.
NOTE: Please note that before switching to this profile, make sure that all direcotries or files whose owner/group is debian should be deleted (and probably recreated after the switch). This is because after the uid and gid mapping, their ownership will become invalid. I originally thought since I am just mapping 1000 to 1000 everything should be fine, but I think I missed something here and it would be great if some one can advice on how to resolve this without the hack.
A more secure way, for an unprivileged container that has access to the host user's files (but not the root user). We create a map from host user to the default lxc user.
lxc launch ubuntu:22.04 mycontainer -c raw.idmap="both 1000 1000"
The first id is the host user's uid, which is usually 1000 unless there are multiple users are present in the computer. To check run id YOUR_USERNAME. The second id is the lxd default user ubuntu which is always 1000.
Now run
lxc config device add mycontainer mydiskname disk source=~/path/to/desired/folder path=/home/ubuntu/myfolder
mydiskname can be any name. The source path has to exist (and be accessible by the host user) and will be mirrored to path in the lxc.
To access the shell as the ubuntu user run
lxc exec mycontainer -- su -l ubuntu
You can also do this without LXD by editing the LXC config file directly:
# Container specific configuration
lxc.idmap = u 0 165536 1000
lxc.idmap = g 0 165536 1000
lxc.idmap = u 1000 1000 1
lxc.idmap = g 1000 1000 1
lxc.idmap = u 1001 166536 64535
lxc.idmap = g 1001 166536 64535
You also have to make sure that the container's user's account is given permission to map to uid/gid 1000 on the host by editing /etc/subuid and /etc/subgid:
containeruser:165536:65536
containeruser:1000:1
