Last active
July 31, 2023 11:17
Revisions
FenixC4 revised this gist
Jul 30, 2023. 1 changed file with 1 addition and 1 deletion.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -10,7 +10,7 @@ Use volume as container mount point. Use the special syntax STORAGE_ID:SIZE_IN_G [more here](https://pve.proxmox.com/pve-docs/pct.1.html) 2. Character devices (serial device example) In this situation all we have to do is to create a suitable [udev rule](https://man7.org/linux/man-pages/man7/udev.7.html) which will set owner and group of our /dev/tty device to 100000 and 100000. A built in utility called [udevadm](https://man7.org/linux/man-pages/man8/udevadm.8.html) is very helpfull in creating udev rules. I suggest `udevadm info /dev/(your device)` or `udevadm info -a /dev/(your device)`. Here is an example of such a rule ~~~ KERNEL=="ttyCH343USB0", SUBSYSTEM=="tty", MODE="0664", GROUP="100000", OWNER="100000" ~~~ -
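Review bot: the udev rule in this hunk sets MODE="0664", which leaves the device node world-readable on the host even though the text only intends container root (uid/gid 100000) to use it; MODE="0660" restricts access to the owner and group without changing what the container sees. The hard-coded uid/gid 100000 also only holds for the default Proxmox mapping the text describes, so a container with a custom idmap needs the rule adjusted. "helpfull" is still misspelled.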
FenixC4 revised this gist
Jul 30, 2023. 1 changed file with 4 additions and 4 deletions.
@@ -2,19 +2,19 @@ Recently I have been on a journey to use block devices like a HDD partition in u After many different methods and struggels i have come to a, in my opinion balanced resolution. 1. Block devices Here my solution is to create a mount directory and changing it's ownership to 100000:100000. Those settings translated to lxc container permissions make it be owned by root:root, because every uid and gid in container in Proxmox by default is created by adding 100000 to it's original uid and gid [more here](https://pve.proxmox.com/wiki/Unprivileged_LXC_containers). Mounting of course can be achieved by manually mounting for example /dev/sdc2 in /mnt/storage which has correctly set ownership or adding a new rule in [/etc/fstab](https://man7.org/linux/man-pages/man5/fstab.5.html). After all that a mount point can be added to container's configuration file ~~~ --mp[n] [volume=]<volume> ,mp=<Path> [,acl=<1|0>] [,backup=<1|0>] [,mountoptions=<opt[;opt...]>] [,quota=<1|0>] [,replicate=<1|0>] [,ro=<1|0>] [,shared=<1|0>] [,size=<DiskSize>] Use volume as container mount point. Use the special syntax STORAGE_ID:SIZE_IN_GiB to allocate a new volume. ~~~ [more here](https://pve.proxmox.com/pve-docs/pct.1.html) 2. Character devices (serial device example) In this situation all we have to do is to create a suitable [udev rule](https://man7.org/linux/man-pages/man7/udev.7.html) which will set owner and group of our /dev/tty device to 100000 and 100000. A built int utility called [udevadm](https://man7.org/linux/man-pages/man8/udevadm.8.html) is very helpfull in creating udev rules. I suggest `udevadm info /dev/(your device)` or `udevadm info -a /dev/(your device)`. Here is an example of such a rule ~~~ KERNEL=="ttyCH343USB0", SUBSYSTEM=="tty", MODE="0664", GROUP="100000", OWNER="100000" ~~~ When our rule is ready we can add a mount entry in container's configuration file. 
This time it's done by an [lxc configuration](https://linuxcontainers.org/lxc/manpages/man5/lxc.container.conf.5.html). Here is an exaple of such a line: ~~~ lxc.mount.entry: /dev/ttyCH343USB0 dev/ttyCH343USB0 none bind,optional,create=file 0 0 ~~~ -
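Review bot: the block-device section quotes the `--mp[n] [volume=]<volume> ,mp=<Path> ... [,ro=<1|0>]` syntax from the pct man page but never shows the resulting config line for the /mnt/storage bind mount the text describes; a concrete entry such as `mp0: /mnt/storage,mp=/mnt/storage` (derived from the quoted syntax) would make the step actionable, and `,ro=1` is worth pointing out for data the container only needs to read. Remaining typos in the visible lines: "struggels", "it's ownership" and "it's original" (should be "its"), "built int", "helpfull", "exaple".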
FenixC4 created this gist
Jul 30, 2023.
@@ -0,0 +1,21 @@ Recently I have been on a journey to use block devices like a HDD partition in unprivilaged containers safely. After many different methods and struggels i have come to a, in my opinion balanced resolution. 1. Block devices Here my solution is to create a mount directory and changing it's ownership to 100000:100000. Those settings translated to lxc container permissions make it be owned by root:root, because every uid and gid in container in Proxmox by default is created by adding 100000 to it's original uid and gid [https://pve.proxmox.com/wiki/Unprivileged_LXC_containers](more here). Mounting of course can be achieved by manually mounting for example /dev/sdc2 in /mnt/storage which has correctly set ownership or adding a new rule in [https://man7.org/linux/man-pages/man5/fstab.5.html](/etc/fstab). After all that a mount point can be added to container's configuration file ~~~ --mp[n] [volume=]<volume> ,mp=<Path> [,acl=<1|0>] [,backup=<1|0>] [,mountoptions=<opt[;opt...]>] [,quota=<1|0>] [,replicate=<1|0>] [,ro=<1|0>] [,shared=<1|0>] [,size=<DiskSize>] Use volume as container mount point. Use the special syntax STORAGE_ID:SIZE_IN_GiB to allocate a new volume. ~~~ [https://pve.proxmox.com/pve-docs/pct.1.html](more here) 2. Character devices (serial device example) In this situation all we have to do is to create a suitable [https://man7.org/linux/man-pages/man7/udev.7.html](udev rule) which will set owner and group of our /dev/tty device to 100000 and 100000. A built int utility called [https://man7.org/linux/man-pages/man8/udevadm.8.html](udevadm) is very helpfull in creating udev rules. I suggest `udevadm info /dev/(your device)` or `udevadm info -a /dev/(your device)`. Here is an example of such a rule ~~~ KERNEL=="ttyCH343USB0", SUBSYSTEM=="tty", MODE="0664", GROUP="100000", OWNER="100000" ~~~ When our rule is ready we can add a mount entry in container's configuration file. 
This time it's done by an [https://linuxcontainers.org/lxc/manpages/man5/lxc.container.conf.5.html](lxc configuration). Here is an exaple of such a line: ~~~ lxc.mount.entry: /dev/ttyCH343USB0 dev/ttyCH343USB0 none bind,optional,create=file 0 0 ~~~ And it all would be to rainbowy if it worked. The catch is it works untill a device is disconnected and reconnected, at that point it looses all it's permissions inside the container and is unusable. The only known to me workaround is to create a privilaged container or simply reboot the container
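Review bot: every markdown link in this revision is written as `[url](text)`, e.g. `[https://pve.proxmox.com/wiki/Unprivileged_LXC_containers](more here)`, so the rendered page shows the raw URL as the link text and sets the href to the words "more here"; the correct form is `[more here](https://pve.proxmox.com/wiki/Unprivileged_LXC_containers)`, and the same applies to the fstab, pct, udev, udevadm and lxc.container.conf links. The closing paragraph also offers a privileged container as a workaround for the reconnect problem, which undoes the "safely" goal stated in the opening sentence; restarting the container is the option that keeps the unprivileged setup, and it would help to say so explicitly.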