Software Engineer @ fuhrmanns

Sharing CIFS mount with unprivileged LXC in Proxmox

Inside the LXC

Create the group lxc_shares with GID 10000 inside the LXC container:

groupadd -g 10000 lxc_shares

Add the user(s) from the LXC container that need access to the CIFS share to the group lxc_shares:

usermod -aG lxc_shares USERNAME

Shut down the LXC.

On the Proxmox host

Create the mount point on the PVE host.

mkdir -p /mnt/media

Add it to /etc/fstab:

/etc/fstab
//NAS/media/ /mnt/media cifs _netdev,x-systemd.automount,noatime,uid=100000,gid=110000,dir_mode=0770,file_mode=0770,user=smb_username,pass=smb_password 0 0

option                         description
_netdev                        Forces systemd to treat this mount as a network mount
x-systemd.automount            Automatically remounts the share if the NAS was offline for some time
noatime                        Access timestamps are not updated when a file or folder is read
uid=100000,gid=110000          The host uid/gid that the files on the share are mapped to
dir_mode=0770,file_mode=0770   Only that uid/gid gets rwx access to the share

Mount the share on the PVE host:

mount /mnt/media

Add a bind mount of the share to your container config, e.g. /etc/pve/lxc/LXC_ID.conf:

/etc/pve/lxc/204.conf
mp0: /mnt/media/,mp=/mnt/nas

Using mp0 disables snapshotting for the LXC container. To avoid this you can instead share the mount using lxc.mount.entry:

/etc/pve/lxc/204.conf
lxc.mount.entry: /mnt/media/ mnt/media none bind 0 0

Now you just need to start the LXC.

How does this work?

We mount the CIFS share with the UID that belongs to the root user of the unprivileged LXC, which by default is uid=100000 on the host. Then we create a group in our LXC (lxc_shares) with gid=10000, which maps to gid=110000 on the PVE host.

This is how the mapping will be done:

                  UID     GID
PVE host          100000  110000
Unprivileged LXC  0       10000
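As an added example (not part of the original post), the following POSIX shell script applies this mapping: it converts container ids to host ids under the default unprivileged idmap (container 0..65535 maps to host 100000..165535, which I assume here) and checks that an fstab cifs line carries the uid/gid matching a given container user and group. The sample fstab line is constructed; it swaps the inline user=/pass= for a credentials= file, which mount.cifs supports and which keeps the password out of the world-readable /etc/fstab.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes the default Proxmox
# unprivileged idmap: container ids 0..65535 map to host ids 100000..165535.
IDMAP_BASE=100000
IDMAP_RANGE=65536

# Container uid/gid -> host uid/gid. Fails for ids outside the mapped range,
# which would show up as "nobody" inside the container.
to_host_id() {
    [ "$1" -ge 0 ] && [ "$1" -lt "$IDMAP_RANGE" ] || return 1
    echo $(( IDMAP_BASE + $1 ))
}

# Host uid/gid -> container uid/gid (the reverse lookup).
to_container_id() {
    [ "$1" -ge "$IDMAP_BASE" ] && [ "$1" -lt $(( IDMAP_BASE + IDMAP_RANGE )) ] || return 1
    echo $(( $1 - IDMAP_BASE ))
}

# Print the value of a key=value option from the 4th (options) field of an
# fstab line. Usage: fstab_opt "<fstab line>" <option name>
fstab_opt() {
    printf '%s\n' "$1" | awk '{ print $4 }' | tr ',' '\n' | sed -n "s/^$2=//p"
}

# Succeeds only if the line's uid=/gid= equal the host ids that the given
# container uid ($2) and gid ($3) map to.
check_fstab_line() {
    want_uid=$(to_host_id "$2") || return 1
    want_gid=$(to_host_id "$3") || return 1
    [ "$(fstab_opt "$1" uid)" = "$want_uid" ] && [ "$(fstab_opt "$1" gid)" = "$want_gid" ]
}

# Constructed sample: the post's line, with the inline user=/pass= replaced by
# a root-only credentials file so the password is not readable in /etc/fstab.
SAMPLE='//NAS/media/ /mnt/media cifs _netdev,x-systemd.automount,noatime,uid=100000,gid=110000,dir_mode=0770,file_mode=0770,credentials=/root/.smbcredentials 0 0'

# Container root (uid 0) and the lxc_shares group (gid 10000) from the post.
check_fstab_line "$SAMPLE" 0 10000 && echo "fstab ids match container uid 0 / gid 10000"
```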

Proxmox Backup Server

If you get errors when using this setup for a shared mount that holds your Proxmox Backup Server (PBS) backups (as I did), you can fix it by changing the uid/gid of the share to those of the backup user inside the PBS:

/etc/fstab
//NAS/media/ /mnt/media cifs _netdev,x-systemd.automount,noatime,uid=100034,gid=100034,dir_mode=0770,file_mode=0770,user=smb_username,pass=smb_password 0 0

This gives the PBS backup user rwx access to the share, and the mapping becomes:

                  UID     GID
PVE host          100034  100034
Unprivileged LXC  34      34

Source

This article is adapted from https://forum.proxmox.com/threads/tutorial-unprivileged-lxcs-mount-cifs-shares.101795/, many thanks to TheHellSite for the original tutorial!