Root has no permission writing from a LXC container

[Jonathan137]

Situation
On Proxmox within LXC 100 being user 1000 I can read and write to both /mnt/storage as /mnt/music
Being the root within the LXC I can read and write to /mnt/music but only read from /mnt/storage
If I make a folder with 777 as permission, I can write a file as root within the LXC in that folder showing the owner root:root of the file
Being on proxmox level self I can write as root to /mnt/storage.

Who knows what goes wrong or what is missing?

My configuration:
mergerfs v2.40.1

fstab
LABEL=disk81 /mnt/pool/disk81 ext4 nofail 0 0
LABEL=disk82 /mnt/pool/disk82 ext4 nofail 0 0
LABEL=disk61 /mnt/pool/disk61 ext4 nofail 0 0
LABEL=disk62 /mnt/pool/disk62 ext4 nofail 0 0
LABEL=disk63 /mnt/pool/disk63 ext4 nofail 0 0
LABEL=disk43 /mnt/pve/music ext4 nofail 0 0
/mnt/pool/disk81:/mnt/pool/disk82:/mnt/pool/disk61:/mnt/pool/disk62:/mnt/pool/disk63 /mnt/pve/storage fuse.mergerfs defaults,allow_other,category.create=mfs,minfreespace=100G,use_ino,dropcacheonclose=true,ignorepponrename=true,moveonenospc=true 0 0

/etc/pve/lxc/100.conf
features: keyctl=1,fuse=1,nesting=1
mp0: /mnt/pve/storage,mp=/mnt/storage
mp1: /mnt/pve/music,mp=/mnt/music
lxc.idmap: u 0 100000 1000
lxc.idmap: g 0 100000 1000
lxc.idmap: u 1000 1000 1
lxc.idmap: g 1000 1000 1
lxc.idmap: u 1001 101000 64534
lxc.idmap: g 1001 101000 64534

[trapexit]

You are using idmap. That information is not passed into mergerfs. root in the container is not actually root. It is whatever the mapped uid is. You therefore have to account for that. I mention it here in the docs.

You can trivially confirm identity by creating a directory like /tmp with 1777 perms and then create a new file as the user in question.

[trapexit]

Yes, those docs are about running mergerfs inside a container but the concept is the same. I'll add a section more explicit about this. I mention it in passing here too but deserves its own section.

[Jonathan137]

Thanks for the fast response.
You are right the owner shows as 100000:100000

[trapexit]

I'm not familiar enough with LXC to comment on this situation but the particular uid value is not relevant to mergerfs. There is no id mapping within mergerfs at the moment. The kernel just tells mergerfs the uid and gid of the requester and that's what we change our thread's credentials to. If that value isn't 0 (actual root) then you will need to manage permissions normally. I suppose I could add some sort of id mapping but i'm not sure that is a great idea. At that point you probably should just not use user namespacing.

[Jonathan137]

My conclusion is to run the LXC as privileged or use a single drive if root write access is needed from within a LXC container. Thanks for the fast support and thinking along with me!