Can't figure out container dataset permissions

Hello all,

I have a fairly new TrueNAS SCALE 25.10 setup. I’m trying to figure out containers on it because there are some very useful tools for NAS systems missing from TrueNAS SCALE. I really wish I could just have these tools in the core system and not use a container, so that I can manage scripts and such all through the UI and not have to go to a container to configure some scripts and the UI to configure others. I can do install-dev-tools to fix it and add the tools to the base system, but it seems the “proper” method is to use containers. So, I’m trying to figure out how to set that up so I don’t have to worry about an update breaking all my scripts when install-dev-tools gets disabled or something. However, I cannot seem to figure out dataset permissions for containers.

I set up a container using the ubuntu noble image. For disks I passed my /mnt/storage/ dataset in as /mnt/storage on the container as well. I have a child dataset /mnt/storage/scripts. I see the scripts folder under /mnt/storage on the container, however if I go into it I can’t see any of the files.

In the documentation under containers it just says this:

To grant container root access to host data:

Assign permissions on the host dataset to the truenas_container_unpriv_root user.

Access the dataset from inside the container as root.

When the container root accesses the path, it uses the host permissions of truenas_container_unpriv_root.

But, no clear instructions on how exactly to do that. If I go to my datasets and look at the storage/scripts dataset, I have it configured right now where it’s owned by root and the group is shareusers. Both with full permission. Other currently has read and execute.

I don’t see any way to grant this “truenas_container_unpriv_root” user permissions using this method. If I go to Credentials and look up the unpriv_root user, it won’t let me add shareusers to the auxiliary groups like I do for my other users that can access this. It errors saying

[EPERM] Users provided by a directory service must be modified through the identity provider (LDAP server or domain controller).

Even though I’m not using an LDAP server or domain controller. So, I don’t really know what it’s talking about there.

So, I thought maybe I have to do it through an ACL on the dataset. I’m not familiar with ACLs at all. But I tried configuring the ACL anyway. I started with a POSIX_RESTRICTED template.

User obj - default - root = Read write execute default
Group obj - default - share users = read write execute default
Other - default = None
User obj - root = read write execute
Group obj - share users = read write execute
Other = none

So, then I tried adding
User truenas_container_unpriv_root = read write execute

It complains about
Named (user or group) POSIX ACL entries require a mask entry to be present in the ACL.
Don’t really understand what a mask entry is but I add a mask entry and give it read write execute just to see if I can get it working. Nope, still can’t see any files under this dataset in the container.

So maybe I need to apply the ACL recursively? I try that, and still no. Still can’t see any of the files under the dataset.

I’ve tried various other ACL entries in multiple different configurations and can’t find anything that works.

So, I’m really confused on how to set these permissions so that I can access these files from within the container. I have this dataset and one other that will need full read / write / execute permissions in the container to be able to run the scripts that I’m wanting to run.

Any advice would be greatly appreciated.

Usually adding the truenas_container_unpriv_root user and giving it the permissions, applying them recursively and for child datasets, should do the trick.
And if you find POSIX ACLs too confusing, try switching to NFSv4 ACLs; I personally find them easier to understand and configure…

So, I tried switching to NFSv4 ACL that still didn’t work.

I think I may have figured out how to make it work though, although I’m not 100% sure why.

If in the container I add /mnt/storage/scripts to /mnt/storage/scripts instead of /mnt/storage to /mnt/storage, it seems to work. I can see the files, I can write to the folder. If I add /mnt/storage to /mnt/storage at all (even if I have /mnt/storage/scripts added separately), it will not work.

Only thing I can think of is that if I add /mnt/storage it is only using the ACL from the storage dataset and not the child scripts dataset. And TrueNAS will not allow modifying the permissions on the root dataset, so I can’t add ACL permissions there.

Kind of annoying and different from what I’m used to on the NAS system I’m coming from. Makes it very, very inconvenient when you have 30 datasets and there are cases where you want to share something that has access to all 30 datasets. TrueNAS will not even allow creating a share on the root dataset. So, instead of adding one share like I’ve done in the past, I have to add 30 lol.

Well, I guess I spoke too soon. I thought it was working now, and it is, for any files immediately under the child dataset. But if there is a folder then I get permission denied if I try to cd into it… and I tried applying the ACL recursively multiple times :frowning:

For example another dataset I configured is /mnt/storage/downloads. I configured the ACL exactly the same way I did for /mnt/storage/scripts. In the container, I can go to /mnt/storage/downloads and access a file test.txt, I can change the file and write it. I can mkdir test to create a folder named test and go into that folder as well as write to files inside it. But, an existing folder “transfer” just tells me Permission denied if I try to cd into it.

If I go back to my ACL and give other the execute permission, I can cd into the transfer folder, but ls -la in that folder gives Permission denied. One more thing I tried was giving Other read and execute permissions and now I can ls -la on the folder in the container.

So… for some reason, all of the subfolders in a dataset are going off the other permission rather than the truenas_container_unpriv_root permission, leaving me still thoroughly confused. I don’t want to open up my datasets to full control to any user, that is terrible security…
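One way to see where the named-user entry is actually taking effect, as an added example that is not part of the thread: a small checker that reads getfacl-style output and reports the permission truenas_container_unpriv_root ends up with on each path, applying the POSIX mask to the named entry and falling back to "other" where no entry exists (it assumes the container user is not a member of the owning group, and the sample ACL text is constructed, not captured from a real system).

```python
import re

# Constructed getfacl-style output modelled on the thread: the dataset itself
# carries a named-user entry plus a mask, but an existing subfolder never got
# the entry, so the container user falls through to the "other" permissions.
SAMPLE_GETFACL = """\
# file: mnt/storage/downloads
# owner: root
# group: shareusers
user::rwx
user:truenas_container_unpriv_root:rwx
group::rwx
mask::rwx
other::r-x

# file: mnt/storage/downloads/transfer
# owner: root
# group: shareusers
user::rwx
group::rwx
other::---
"""

def parse_getfacl(text):
    """Return {path: [(tag, qualifier, perms), ...]} from getfacl output."""
    acls, path = {}, None
    for line in text.splitlines():
        if line.startswith("# file: "):
            path = "/" + line[len("# file: "):]
            acls[path] = []
        elif line and not line.startswith("#") and path is not None:
            # getfacl may append "#effective:..." after a tab; keep only the entry
            tag, qual, perms = line.split()[0].split(":")
            acls[path].append((tag, qual, perms))
    return acls

def effective_perms(entries, user):
    """rwx string a non-owner user gets: named entry ANDed with the mask, else 'other'."""
    entry = {(tag, qual): perms for tag, qual, perms in entries}
    named = entry.get(("user", user))
    if named is None:
        return entry.get(("other", ""), "---")
    mask = entry.get(("mask", ""), "rwx")  # no mask means named entry applies as-is
    return "".join(n if n == m and n != "-" else "-" for n, m in zip(named, mask))

def audit(text, user):
    """Map each path to (effective perms, whether a named entry for user exists)."""
    return {path: (effective_perms(entries, user), any(t == "user" and q == user for t, q, _ in entries))
            for path, entries in parse_getfacl(text).items()}
```

Run it against real `getfacl -R` output of the dataset to list exactly which subfolders are missing the entry or have it masked down.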

According to the TrueNAS docs these are the permissions that should be set:

Users can grant root permissions to containers and instances through an unprivileged root account using the ACL editor in the UI or the TrueNAS API.
To ensure functionality, add an ACE for the truenas_container_unpriv_root user and assign the appropriate permissions (such as Read, Modify, and Execute).
For container environments, verify that the ACL includes an entry for truenas_container_unpriv_root with the required access to any dataset paths used by the container.
See Granting Root Access to Host Paths for more information.

That’s all I did for my LXC and it’s working fine :confused: