How do I share a directory between an LXC container and the host?
Solution 1
I found an article in the openSUSE wiki: https://en.opensuse.org/User:Tsu2/LXC_mount_shared_directory
I followed the steps and it works now.
Create host directory:
mkdir /media/data/share && chmod 7777 /media/data/share
Create directory in lxc container:
mkdir /share
Edit lxc config file on host:
nano /var/lib/lxc/containername/config
lxc.mount.entry = /media/data/share share none ro,bind 0 0
Solution 2
According to the LXC documentation you can do this via a privileged container:
lxc launch ubuntu priv -c security.privileged=true
lxc config device add priv homedir disk source=/home/$USER path=/home/ubuntu
Solution 3
Below is what I have done to mount one of my host directories into the container. This is trickier than it sounds because we would like to achieve
- Inside the container we should be able to write to the directory.
- Outside the container we should be able to write to the files and directories created inside the container.
After reading various articles online (the most helpful one is this github issue), here is how I solved this. The trick is to map the uid and gid of the host user to the uid and gid of the user inside the container.
Suppose I am going to mount /home/breakds/projects to the exact same location in the container. The outside directory is owned by the user breakds, whose uid and gid are 1000. I then created a user in the container called debian, whose uid and gid happened to be 1000 as well (because it is the first non root user). I will then create an (lxc) profile on the host by
lxc profile edit breakds
And below is the content of the profile (I believe it is in yaml format):
name: breakds
config:
  raw.lxc: |
    # empty value clears the default map before the custom one is defined
    lxc.id_map =
    # container 0-999 -> host 165536-166535 (count must be 1000, not 999, or uid/gid 999 is left unmapped)
    lxc.id_map = u 0 165536 1000
    lxc.id_map = g 0 165536 1000
    # container 1000 -> host 1000 (the shared user)
    lxc.id_map = u 1000 1000 1
    lxc.id_map = g 1000 1000 1
    # container 1001-65535 -> host 166536-231070, continuing right after the first range
    lxc.id_map = u 1001 166536 64535
    lxc.id_map = g 1001 166536 64535
  user.vendor-data: |
    packages:
      - bash
description: allow home dir mounting for breakds
devices:
  eth0:
    name: eth0
    nictype: bridged
    parent: lxdbr0
    type: nic
  projects:
    # for a disk device, source is the host path and path is the mount point inside the container
    path: /home/breakds/projects
    source: /home/debian/projects
    type: disk
Then, apply this profile to that container permanently:
$ lxc profile apply <my container> breakds
This should do the trick.
NOTE: Please note that before switching to this profile, make sure that all directories or files whose owner/group is debian are deleted (and probably recreated after the switch). This is because after the uid and gid mapping, their ownership will become invalid. I originally thought since I am just mapping 1000 to 1000 everything should be fine, but I think I missed something here and it would be great if someone can advise on how to resolve this without the hack.
Solution 4
You can also do this without LXD by editing the LXC config file directly:
# Container specific configuration
lxc.idmap = u 0 165536 1000
lxc.idmap = g 0 165536 1000
lxc.idmap = u 1000 1000 1
lxc.idmap = g 1000 1000 1
lxc.idmap = u 1001 166536 64535
lxc.idmap = g 1001 166536 64535
You also have to make sure that the container's user's account is given permission to map to uid/gid 1000 on the host by editing /etc/subuid and /etc/subgid:
containeruser:165536:65536
containeruser:1000:1
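A small checker for the id maps in Solutions 3 and 4, added here as an example and not part of either answer: it parses lxc.idmap lines and /etc/subuid entries and reports container ids that end up with no mapping (files owned by them show up as nobody inside the container) and host ranges that the subuid file does not grant. The sample map is Solution 4's uid lines; the off-by-one variant and the user name are constructed for the demonstration.

```python
import re

def parse_idmap(config):
    """Parse lxc.idmap / lxc.id_map lines into (kind, ctr_start, host_start, count).
    An empty value ('lxc.id_map =') clears the map inherited so far, as in Solution 3."""
    entries = []
    for line in config.splitlines():
        m = re.match(r"\s*lxc\.id_?map\s*=\s*(.*?)\s*$", line)
        if not m:
            continue
        if not m.group(1):
            entries.clear()
            continue
        kind, cstart, hstart, count = m.group(1).split()
        entries.append((kind, int(cstart), int(hstart), int(count)))
    return entries

def parse_subid(text, user):
    """Parse /etc/subuid or /etc/subgid lines ('user:start:count') for one user."""
    ranges = []
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) == 3 and parts[0] == user:
            ranges.append((int(parts[1]), int(parts[2])))
    return ranges

def check_idmap(entries, allowed, kind, top=65536):
    """Return (container ids below `top` with no mapping,
               host ranges (start, count) that no subuid/subgid line permits)."""
    covered, disallowed = set(), []
    for k, cstart, hstart, count in entries:
        if k != kind:
            continue
        covered.update(range(cstart, cstart + count))
        # the whole host range must sit inside one granted range
        if not any(s <= hstart and hstart + count <= s + n for s, n in allowed):
            disallowed.append((hstart, count))
    return sorted(set(range(top)) - covered), disallowed

# Solution 4's uid map and /etc/subuid lines, copied from the answers above.
SOLUTION4 = """lxc.idmap = u 0 165536 1000
lxc.idmap = u 1000 1000 1
lxc.idmap = u 1001 166536 64535
"""
SUBUID = "containeruser:165536:65536\ncontaineruser:1000:1\n"

# Constructed variant: a 999-wide first range leaves container uid 999 unmapped.
OFF_BY_ONE = SOLUTION4.replace("165536 1000", "165536 999").replace("166536", "166537")

if __name__ == "__main__":
    allowed = parse_subid(SUBUID, "containeruser")
    print(check_idmap(parse_idmap(SOLUTION4), allowed, "u"))    # ([], [])
    print(check_idmap(parse_idmap(OFF_BY_ONE), allowed, "u"))   # ([999], [])
```

Run it against the real files with `open("/etc/subuid").read()` and the container's config to confirm the map is both gap-free and permitted before starting the container.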
Mischa
Updated on September 18, 2022
Comments
-
Mischa over 1 year
I am trying to add favorites by following this instruction, but I cannot get the title to be read from the strings file. What am I doing wrong?
This is my getExtendedMetadata response:
<?xml version="1.0" encoding="UTF-8"?>
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ns1="http://www.sonos.com/Services/1.1">
  <SOAP-ENV:Body>
    <ns1:getExtendedMetadataResponse>
      <ns1:getExtendedMetadataResult>
        <ns1:mediaMetadata>
          <ns1:id>album_track:17079|193549</ns1:id>
          <ns1:itemType>track</ns1:itemType>
          <ns1:title>Sabo & Zeb - Sambafrica</ns1:title>
          <ns1:mimeType>audio/mp3</ns1:mimeType>
          <ns1:trackMetadata>
            <ns1:artistId>artist:1</ns1:artistId>
            <ns1:artist>Various Artists</ns1:artist>
            <ns1:albumArtistId>artist:1</ns1:albumArtistId>
            <ns1:albumArtist>Various Artists</ns1:albumArtist>
            <ns1:albumId>album:17079</ns1:albumId>
            <ns1:album>10 Years of SOL</ns1:album>
            <ns1:duration>451</ns1:duration>
            <ns1:albumArtURI>https://assets.s3.amazonaws.com/cover/30929/10.png</ns1:albumArtURI>
          </ns1:trackMetadata>
        </ns1:mediaMetadata>
        <ns1:relatedActions>
          <ns1:action>
            <ns1:id>add_track_to_my_library</ns1:id>
            <ns1:title>ADD_ITEM</ns1:title>
            <ns1:actionType>simpleHttpRequest</ns1:actionType>
            <ns1:simpleHttpRequestAction>
              <ns1:url>https://sonosdev.newmediasquad.com/v1/favorites/add/track/17079</ns1:url>
              <ns1:method>POST</ns1:method>
            </ns1:simpleHttpRequestAction>
          </ns1:action>
        </ns1:relatedActions>
      </ns1:getExtendedMetadataResult>
    </ns1:getExtendedMetadataResponse>
  </SOAP-ENV:Body>
</SOAP-ENV:Envelope>
And this is my strings file:
<?xml version="1.0" encoding="utf-8" ?>
<stringtables xmlns="http://sonos.com/sonosapi">
  <stringtable rev="20040502" xml:lang="en-US">
    <string stringId="ServicePromo">Welcome to YogiTunes!</string>
    <string stringId="LOGIN">Login</string>
    <string stringId="SIGNUP">Sign up</string>
    <string stringId="ADD_ITEM">Add to My Library</string>
    <string stringId="REMOVE_ITEM">Remove from My Library</string>
    <string stringId="ADD_SUCCESS">Added successfully</string>
    <string stringId="ADD_FAILED">Something went wrong. Please try again or contact us at [email protected].</string>
    <string stringId="REMOVE_SUCCESS">Removed successfully</string>
    <string stringId="REMOVE_FAILED">Something went wrong. Please try again or contact us at [email protected].</string>
    <string stringId="Error5Message">Retry token request.</string>
    <string stringId="Error100Message">Namaste!! Have some obstacles that need removing? Gan Gan Ganapataye! Contact us at [email protected] and we will get back to you as soon as possible.</string>
  </stringtable>
  [snip other languages]
</stringtables>
(full string file here)
But, this is what I see in the app:
Other strings are loaded correctly from the strings file. What am I doing wrong?
-
jgomo3 about 8 years
Is there a reason behind defining that mount entry as read only? Is that a good security practice to avoid a container writing back data to a shared filesystem?
-
HRJ over 7 years
Worked for me. Note that the relative path used for share in the lxc.mount.entry is critical.
-
Sam Bull almost 7 years
Note that, that is the LXD documentation, not LXC. If you haven't installed LXD, then the lxc command won't work.
-
Sam Bull almost 7 years
You don't need to create the mount point, if you add ',create=dir' after 'bind'. I've also removed the 'ro,' part, and it seems to be working just fine.
-
0xC0000022L almost 6 years
@SamBull well, this is self-inflicted by the LXC/LXD team. LXC can be used to refer to liblxc (the underlying library) or to the LXD client (named lxd) as used in this answer or to LXC (the software and "old" toolset with the lxc-*-named tools) or to the project (where LXC is short for LinuX Containers). It's the reason I asked this question on the Unix.SE meta.
-
mcr over 5 years
What system process created /etc/subuid? Openwrt does not have that.
-
iBug over 4 years
But you can always chown from the host.
-
Mischa about 4 years
Thank you. So, for now, I could just do <ns1:title>Add to My Library</ns1:title>? The app is in English only anyway.
-
yrg about 4 years
I think you'd have to use <ns1:title>Add_to_My_Library</ns1:title> as this resolves to a string in the strings.xml file and the bug prevents this from happening.
-
Mischa about 4 years
While the bug has not been fixed and I am unable to look up the string from the strings file, I want to show users the correct text without underscores. That's why I was thinking about using <ns1:title>Add to My Library</ns1:title>. Wouldn't <ns1:title>Add_to_My_Library</ns1:title> still show underscores to the user?
-
yrg about 4 years
I don't think the title value will work with spaces. You can try it and see. That's why I suggested the underscores. It's not the best experience, but it gets the point across.
-
Mischa about 4 years
Thanks. I tried <ns1:title>Add to My Library</ns1:title> and it worked.
-
yrg about 4 years
Thank you. I'll add that to the release notes. I'll update the above once this has been fixed.
-
bitinerant about 3 years
The above requires a privileged container, but for better security separation, you can instead use lxc config device ... shift=true and then, if you get the "isn't supported error", sudo snap set lxd shiftfs.enable=true && sudo systemctl reload snap.lxd.daemon and retry lxc config ....
-
Jorge Castro about 3 years
@bitinerant Feel free to just submit an edit to my answer to make it correct, thanks!