How do I share a directory between an LXC container and the host?

mount virtualization symbolic-link lxc

Solution 1

I found an article in the openSUSE wiki: https://en.opensuse.org/User:Tsu2/LXC_mount_shared_directory

I followed the steps and it works now.

Create host directory:

mkdir /media/data/share && chmod 7777 /media/data/share

Create directory in lxc container:

mkdir /share

Edit lxc config file on host:

nano /var/lib/lxc/containername/config
lxc.mount.entry = /media/data/share share none ro,bind 0.0

Solution 2

According to the LXC documentation you can do this via a privileged container:

lxc launch ubuntu priv -c security.privileged=true
lxc config device add priv homedir disk source=/home/$USER path=/home/ubuntu

Solution 3

Below is what I have done to mount one of my host directory to the container. This is trickier than it sounds because we would like to achieve

Inside the container we should be able to write to the directory.
Outside the container we should be able to write to the files and directories created inside the container.

After reading various articles online (the most helpful one is this github issue), here is how I solve this. The trick is to map the uid and gid of the host user to the uid and gid of the user inside the container.

Suppose I am going to mount /home/breakds/projects to the exact same location in the container. The outside directory is owned by the user breakds, whose uid and gid are 1000.

I then created an user in the container called debian, whose uid and gid happened to be 1000 as well (because it is the first non root user). I will then create an (lxc) profie on the host by

lxc profile edit breakds

And below is the content of the profile (I believe it is in yaml format):

name: breakds
config:
    raw.lxc: |
        lxc.id_map =
        lxc.id_map = u 0 165536 999
        lxc.id_map = g 0 165536 999
        lxc.id_map = u 1000 1000 1
        lxc.id_map = g 1000 1000 1
        lxc.id_map = u 1001 166537 64535
        lxc.id_map = g 1001 166537 64535
    user.vendor-data: |
        packages:
            - bash
description: allow home dir mounting for breakds
devices:
eth0:
    name: eth0
    nictype: bridged
    parent: lxdbr0
    type: nic
projects:
    path: /home/breakds/projects
    source: /home/debian/projects
    type: disk

Then, apply this profile to that container permanently:

$ lxc profile apply <my container> breakds

This should do the trick.

NOTE: Please note that before switching to this profile, make sure that all direcotries or files whose owner/group is debian should be deleted (and probably recreated after the switch). This is because after the uid and gid mapping, their ownership will become invalid. I originally thought since I am just mapping 1000 to 1000 everything should be fine, but I think I missed something here and it would be great if some one can advice on how to resolve this without the hack.

Solution 4

You can also do this without LXD by editing the LXC config file directly:

# Container specific configuration
lxc.idmap = u 0 165536 1000
lxc.idmap = g 0 165536 1000
lxc.idmap = u 1000 1000 1
lxc.idmap = g 1000 1000 1
lxc.idmap = u 1001 166536 64535
lxc.idmap = g 1001 166536 64535

You also have to make sure that the container's user's account is given permission to map to uid/gid 1000 on the host by editing /etc/subuid and /etc/subgid:

containeruser:165536:65536
containeruser:1000:1

View more solutions

Mischa

Updated on September 18, 2022

Comments

Mischa over 1 year

I am trying to add favorites by following this instruction, but I cannot get the title to be read from the strings file. What am I doing wrong?

This is my getExtendedMetadata response:

<?xml version="1.0" encoding="UTF-8"?>
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ns1="http://www.sonos.com/Services/1.1">
  <SOAP-ENV:Body>
    <ns1:getExtendedMetadataResponse>
      <ns1:getExtendedMetadataResult>
        <ns1:mediaMetadata>
          <ns1:id>album_track:17079|193549</ns1:id>
          <ns1:itemType>track</ns1:itemType>
          <ns1:title>Sabo &amp; Zeb - Sambafrica</ns1:title>
          <ns1:mimeType>audio/mp3</ns1:mimeType>
          <ns1:trackMetadata>
            <ns1:artistId>artist:1</ns1:artistId>
            <ns1:artist>Various Artists</ns1:artist>
            <ns1:albumArtistId>artist:1</ns1:albumArtistId>
            <ns1:albumArtist>Various Artists</ns1:albumArtist>
            <ns1:albumId>album:17079</ns1:albumId>
            <ns1:album>10 Years of SOL</ns1:album>
            <ns1:duration>451</ns1:duration>
            <ns1:albumArtURI>https://assets.s3.amazonaws.com/cover/30929/10.png</ns1:albumArtURI>
          </ns1:trackMetadata>
        </ns1:mediaMetadata>
        <ns1:relatedActions>
          <ns1:action>
            <ns1:id>add_track_to_my_library</ns1:id>
            <ns1:title>ADD_ITEM</ns1:title>
            <ns1:actionType>simpleHttpRequest</ns1:actionType>
            <ns1:simpleHttpRequestAction>
              <ns1:url>https://sonosdev.newmediasquad.com/v1/favorites/add/track/17079</ns1:url>
              <ns1:method>POST</ns1:method>
            </ns1:simpleHttpRequestAction>
          </ns1:action>
        </ns1:relatedActions>
      </ns1:getExtendedMetadataResult>
    </ns1:getExtendedMetadataResponse>
  </SOAP-ENV:Body>
</SOAP-ENV:Envelope>

And this is my strings file:

<?xml version="1.0" encoding="utf-8" ?>
<stringtables xmlns="http://sonos.com/sonosapi">
  <stringtable rev="20040502" xml:lang="en-US">
    <string stringId="ServicePromo">Welcome to YogiTunes!</string>
    <string stringId="LOGIN">Login</string>
    <string stringId="SIGNUP">Sign up</string>
    <string stringId="ADD_ITEM">Add to My Library</string>
    <string stringId="REMOVE_ITEM">Remove from My Library</string>
    <string stringId="ADD_SUCCESS">Added successfully</string>
    <string stringId="ADD_FAILED">Something went wrong. Please try again or contact us at [email protected].</string>
    <string stringId="REMOVE_SUCCESS">Removed successfully</string>
    <string stringId="REMOVE_FAILED">Something went wrong. Please try again or contact us at [email protected].</string>
    <string stringId="Error5Message">Retry token request.</string>
    <string stringId="Error100Message">Namaste!! Have some obstacles that need removing? Gan Gan Ganapataye! Contact us at [email protected] and we will get back to you as soon as possible.</string>
  </stringtable>

  [snip other languages]

</stringtables>

(full string file here)

But, this is what I see in the app:

Other strings are loaded correctly from the strings file. What am I doing wrong?

jgomo3 about 8 years

Is there a reason behind defining that mount entry as read only? Is that a good security practice to avoid a container to write back data to a shared filesystem?.
HRJ over 7 years

Worked for me. Note that the relative path used for share in the lxc.mount.entry is critical.
Sam Bull almost 7 years

Note that, that is the LXD documentation, not LXC. If you haven't installed LXD, then the lxc command won't work.
Sam Bull almost 7 years

You don't need to create the mount point, if you add ',create=dir' after 'bind'. I've also removed the 'ro,' part, and it seems to be working just fine.
0xC0000022L almost 6 years

@SamBull well, this is self-inflicted by the LXC/LXD team. LXC can be used to refer to liblxc (the underlying library) or to the LXD client (named lxd) as used in this answer or to LXC (the software and "old" toolset with the lxc-*-named tools) or to the project (where LXC is short for LinuX Containers). It's the reason I asked this question on the Unix.SE meta.
mcr over 5 years

what system processes/created /etc/subuid? Openwrt does not have that.
iBug over 4 years

But you can always chown from host.
Mischa about 4 years

Thank you. So, for now, I could just do <ns1:title>Add to My Library</ns1:title>? The app is in English only anyway.
yrg about 4 years

I think you'd have to use <ns1:title>Add_to_My_Library</ns1:title> as this resolves to a string in the strings.xml file and the bug prevents this from happening.
Mischa about 4 years

While the bug has not been fixed and I am unable lookup the string from the strings file, I want to show users the correct text without underscores. That's why I was thinking about using <ns1:title>Add to My Library</ns1:title>. Wouldn't <ns1:title>Add_to_My_Library</ns1:title> still show underscores to the user?
yrg about 4 years

I don't think the title value will work with spaces. You can try it and see. That's why I suggested the underscores. It's not the best experience, but it gets the point across.
Mischa about 4 years

Thanks. I tried <ns1:title>Add to My Library</ns1:title> and it worked.
yrg about 4 years

Thank you. I'll add that to the release notes. I'll update the above once this has been fixed.
bitinerant about 3 years

The above requires a privileged container, but for better security separation, you can instead use lxc config device ... shift=true and then, if you get the "isn't supported error", sudo snap set lxd shiftfs.enable=true && sudo systemctl reload snap.lxd.daemon and retry lxc config ....
Jorge Castro about 3 years

@bitinerant Feel free to just submit an edit to my answer to make it correct, thanks!