Adding a shared host directory to an LXC/LXD Container

The instructions on https://wiki.gentoo.org/wiki/LXD that you mention are correct but may need a bit more explanation.

On the host you first check the ownership of the directory in which the container data is stored. Run

sudo ls -l /var/lib/lxd/containers

and check the owner of the container you would like to share the directory with. In my case the uid and gid both were 100000.

Next, use these to change the ownership of the directory you want to share:

sudo chown 100000:100000 /tmp/share_on_host

Share the directory with the container in the way you indicated in your comment:

lxc config device add mycontainer sharedtmp disk \
                  path=/tmp/share_on_guest source=/tmp/share_on_host

Now, in the container, you will see that the directory /tmp/share_on_guest (I wouldn't advise mounting your directory as /tmp because that is used by the system for other stuff and has special permissions) is owned by root. From here on you can use chown in the container to change the ownership to the appropriate uid and gid for your user in the container.

As a side note, after changing the ownership in the container to e.g. a user with uid 33 you will see on the host that the uid there is now 100033, which makes total sense.


Here is an updated answer to this question.

Mount the host folder /var/www as /var/test in the container.

lxc config device add mycontainer vartest disk source=/var/www path=/var/test

You can assign additional devices to the container, and these can be host-accessible folders.

$ lxc config ## display help
...
lxc config device add [<remote>:]<container> <device> <type> [key=value...]
    Add a device to a container.
...

Note that <device> is just an arbitrary name that you assign, which will be used as an ID for subsequent device management.

For example, to mount the host folder "./host" as "/mnt/host" in the container...

lxc config device add mycontainer vartest disk source=$(pwd)/host path=/mnt/host

There remains one problem -- if you want this folder to be writable by both the host and the container, the ownership and permissions need to be configured accordingly. This is complicated by the default mode of LXD which virtualizes the numeric ranges for user and group id values. There is an easy solution, however: bypass this virtualization by configuring the container to run with host-equivalent privileges...

lxc config set <container> security.privileged true

The full host-security implications of this approach are unclear to me at this time, but would seem to be somewhat "contained" by the virtualization. The practical risk depends on how and why you will be using the container. See technical notes at https://insights.ubuntu.com/2017/06/15/custom-user-mappings-in-lxd-containers

Further note that this approach probably works best if you normally operate in the container as a non-root user, such as if you attach with...

lxc exec zesty -- su --login ubuntu

  • Additional notes on configuration: https://help.ubuntu.com/lts/serverguide/lxd.html
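Both answers turn on the same mechanism: an unprivileged container's ids are shifted through a uid/gid map, which is why container root shows up as host uid 100000 and container uid 33 as host uid 100033 in the first answer, and why the second answer reaches for security.privileged. The script below is an added example, not code from either answer or from LXD: it translates ids across that boundary using the kernel's /proc/<pid>/uid_map line format ("<container_start> <host_start> <count>"), and checks what the container will see for a share owned by a given host uid. The two maps are constructed samples; the second one models the raw.idmap "both 1000 1000" per-user mapping described in the linked Ubuntu article, which keeps the container unprivileged while still letting one host user and one container user own the share (it assumes the host's /etc/subuid and /etc/subgid permit root to map that id, as the article explains).

```shell
#!/bin/sh
# Added example (not from the original answers): translate uids between an
# unprivileged container and its host using lines in /proc/<pid>/uid_map
# format: "<container_start> <host_start> <count>".

# Constructed map matching the first answer: container root -> host 100000,
# so container uid 33 -> host uid 100033.
DEFAULT_MAP="0 100000 65536"

# Constructed map for the unprivileged alternative to security.privileged
# (raw.idmap "both 1000 1000", per the linked article): container uid 1000 is
# backed by host uid 1000, all other ids stay shifted into the 100000 range.
PER_USER_MAP="0 100000 1000
1000 1000 1
1001 101001 64535"

# map_id MAP ID DIRECTION
#   DIRECTION is "to_host" (container id -> host id) or "to_container"
#   (host id -> container id). Prints the translated id, or "unmapped" when
#   the id falls outside every range (the kernel then shows the owner as
#   the overflow id, i.e. nobody/nogroup inside the container).
map_id() {
    map=$1; id=$2; direction=$3
    result=unmapped
    while read -r cstart hstart count; do
        [ -n "$count" ] || continue          # skip blank lines
        if [ "$direction" = to_host ]; then
            src=$cstart; dst=$hstart
        else
            src=$hstart; dst=$cstart
        fi
        if [ "$id" -ge "$src" ] && [ "$id" -lt "$((src + count))" ]; then
            result=$((id - src + dst))
            break
        fi
    done <<EOF
$map
EOF
    echo "$result"
}

host_uid_for()      { map_id "$1" "$2" to_host; }
container_uid_for() { map_id "$1" "$2" to_container; }

# share_check MAP HOST_OWNER_UID
#   Reports how a shared directory owned by HOST_OWNER_UID on the host will
#   appear inside the container, so the chown can be verified before mounting.
share_check() {
    cuid=$(container_uid_for "$1" "$2")
    if [ "$cuid" = unmapped ]; then
        echo "host uid $2 is outside the container map: appears as nobody"
    else
        echo "host uid $2 appears as container uid $cuid"
    fi
}

# Demonstration of the cases described in the answers.
demo() {
    echo "default map: container 0  -> host $(host_uid_for "$DEFAULT_MAP" 0)"
    echo "default map: container 33 -> host $(host_uid_for "$DEFAULT_MAP" 33)"
    echo "default map: $(share_check "$DEFAULT_MAP" 1000)"
    echo "default map: $(share_check "$DEFAULT_MAP" 100033)"
    echo "per-user map: container 1000 -> host $(host_uid_for "$PER_USER_MAP" 1000)"
    echo "per-user map: container 1001 -> host $(host_uid_for "$PER_USER_MAP" 1001)"
}
demo
```

The share_check call with host uid 1000 under the default map is the situation the first answer's chown fixes: a directory left owned by the host user sits outside the container's range and shows as nobody, so it is chowned to 100000 (container root) or 100033 (container uid 33) instead. Under the per-user map the same host uid 1000 is reachable from the container without any chown and without granting the container host-equivalent privileges; the other ranges remain shifted, which is what limits the damage a compromised container process can do to host-owned files.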
