25.10 Container Mapped Disk Permissions

I’ve begun testing Containers on my Goldeneye server to start the process of validating whether it would be possible to migrate all my jails from my main server, which is still running Core. I’ve run into a roadblock; I was hoping someone might know what to do, or whether there is anything I can do. Mapped folders within a container have their permissions changed to nobody [65534]:nobody [65534] and are inaccessible within the container, even by its root user.

e.g. Before ‘Disk’ mapping, the container’s folder /var/www/nextcloud/config/ has user:group www-data [33]:www-data [33]. The permissions for the dataset in the pool being mapped to are set to www-data [33]:www-data [33]. Once mapped and the container is started again, the permissions for /var/www/nextcloud/config/ become nobody [65534]:nobody [65534].

I spun up a 26 nightly build test server and got the same result so it isn’t just 25.10…

I don’t see any setting to change the permissions for these mapped folders. Besides, the mapped folder should keep the permissions of the dataset it is pointing to, just like Core does.

Any ideas? Or should I be submitting an issue in Jira?

There’s a built-in user called truenas_container_unpriv_root which is automatically mapped to the root user inside the LXC. If you add that user to your dataset’s ACL, the root user inside the LXC should have permissions. Other than that, you can create a new user inside the LXC and map it to an existing user from TrueNAS.

On the container screen, top right corner, if you go to Configuration and then “Map user/group IDs” you can map them.

Ahhhh… Should have read the release docs all the way through. Head slap. Thanks for the push in the right direction → ACLs set, and all required users and groups that don’t exist on both sides have been UID mapped as well. So far it looks like Containers will be a great Jail replacement. Any idea if they are going to build in features equivalent to iocage export?

Well, the container backend for LXC will change in TrueNAS 26 from Incus to libvirt, and AFAIK there is not much information around as of now about what will be possible with libvirt. I don’t have a machine I can use to test the beta, so I’m kind of hesitant to update my 25.10 install to the beta.

The interface for Containers does look a little different between the two. 26 should hit Beta soon, so I should probably run some tests on it too.

FYI: as soon as I could access the mapped folders within the container by giving truenas_container_unpriv_root access to the dataset, I was able to set the Unix permissions to what was needed from within the container’s shell using chown. It set some interesting permissions when looking at the dataset in the TrueNAS interface → owner and group are now 2147000034. I’m assuming it has done some mapping internally.

Yes. That’s normal Linux idmap shifting. Containers and the host OS by default in TrueNAS have separate namespaces for Unix IDs. This helps with security. We have a few mechanisms to pierce the veil (make selected user-defined users / groups on the host keep their ID in the container) or simply disable it in its entirety. In 26 we also allow an option for particular containers to operate in entirely disjoint ranges from other containers and the host.
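The two answers above (the truenas_container_unpriv_root / “map user/group IDs” one and the idmap-shifting one) describe the same mechanism from two sides. The following is an added example, not code from the forum thread and not TrueNAS’s own tooling: a small POSIX sh model of the arithmetic behind user-namespace ID shifting. It reproduces the thread’s symptoms: a dataset owned by host uid 33 with nothing mapped shows up inside the container as 65534 (“nobody”), unusable even by container root; explicitly mapping host uid 33 into the container (“pierce the veil”) makes it keep its number; and a chown inside the container lands on the host as base-plus-N, the kind of value (2147000034) the earlier post reports. The base (IDMAP_BASE), the window size (IDMAP_RANGE) and the assumption that the host user truenas_container_unpriv_root corresponds to container uid 0, i.e. host id IDMAP_BASE, are illustrative assumptions; the page does not state TrueNAS’s real defaults.

```sh
#!/bin/sh
# Added example; not from the forum thread or from TrueNAS itself.
# Models user-namespace id shifting: container id N is stored on disk as
# IDMAP_BASE+N; a host id outside that window (and not explicitly mapped)
# appears inside the container as the kernel overflow id 65534 ("nobody");
# an explicitly mapped host id keeps its number on both sides.
#
# ASSUMPTIONS (not stated on the page): IDMAP_BASE and IDMAP_RANGE are
# illustrative values, not TrueNAS's real defaults. Container uid 0 (root)
# maps to host id IDMAP_BASE, which is presumably what the thread's
# truenas_container_unpriv_root user is.
IDMAP_BASE=2147000000     # assumed host id that container id 0 maps to
IDMAP_RANGE=65536         # assumed number of ids in the mapped window
OVERFLOW_ID=65534         # kernel overflowuid/overflowgid, shown as "nobody"

# ctr_to_host CTR_ID [PINNED_IDS]
# Host-side id produced by a chown to CTR_ID inside the container.
# PINNED_IDS is a space-separated list of host ids that were explicitly
# mapped into the container ("Map user/group IDs"); they keep their number.
ctr_to_host() {
    cid=$1; pinned=${2:-}
    case " $pinned " in
        *" $cid "*) echo "$cid"; return 0 ;;   # mapped id keeps its number
    esac
    if [ "$cid" -lt 0 ] || [ "$cid" -ge "$IDMAP_RANGE" ]; then
        return 1                                # outside the container's own range
    fi
    echo $((IDMAP_BASE + cid))
}

# host_to_ctr HOST_ID [PINNED_IDS]
# Owner that a file owned by HOST_ID on the dataset appears as inside the container.
host_to_ctr() {
    hid=$1; pinned=${2:-}
    case " $pinned " in
        *" $hid "*) echo "$hid"; return 0 ;;   # mapped id keeps its number
    esac
    if [ "$hid" -ge "$IDMAP_BASE" ] && [ "$hid" -lt $((IDMAP_BASE + IDMAP_RANGE)) ]; then
        echo $((hid - IDMAP_BASE))              # inside the shifted window
    else
        echo "$OVERFLOW_ID"                     # unmapped: nobody:nobody, unusable even by container root
    fi
}

# Walk through the thread's scenario with the assumed values.
demo() {
    echo "dataset owned by host www-data (33), nothing mapped -> container sees uid $(host_to_ctr 33)"
    echo "same dataset after mapping host uid 33 into the container -> container sees uid $(host_to_ctr 33 33)"
    echo "chown to uid 34 inside the container, nothing mapped -> host sees uid $(ctr_to_host 34)"
    echo "chown to uid 33 inside the container, 33 mapped -> host sees uid $(ctr_to_host 33 33)"
    echo "host id $IDMAP_BASE (container root's host id) -> container sees uid $(host_to_ctr "$IDMAP_BASE")"
}
demo
```

The practical reading of the model: granting truenas_container_unpriv_root (host id IDMAP_BASE here) access via the dataset ACL lets container root in, but any files it then chowns are written with shifted ids like 2147000034, which is why the TrueNAS UI shows a large numeric owner rather than www-data. Mapping the specific host users and groups the container needs (“Map user/group IDs”) is what makes the ids line up on both sides; disabling the shifting entirely removes the namespace separation the second answer describes as a security property.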

The first 26 beta has been available for one or two weeks. If you have a second machine, give it a spin; sadly I can’t.

I’d suggest taking a look at the Containers documentation, especially the section on managing permissions: