Linux ownership: Do I have to have all the same users & UIDs across all my CTs & host in Proxmox?


el_pedr0

Basic question for the Linux folk. I'm sharing a ZFS dataset from a host (which currently only has the root user) with an ubuntu 16.06 container that has actual (non-root) users.

I.e. I bind-mount /rpool/files in the host to /media/files in the container.

Within that mounted dataset I want user pete to own the directory /media/files/pete and I want user paul to own the directory /media/files/paul.

At first, within the container, ls -al shows that /media/files/pete and /media/files/paul are owned by root:root

So in the container, I chown -R pete:pete /media/files/pete and similarly for paul.

Now ls -al shows that /media/files/pete is owned by pete:pete and similarly for paul. All good.

However, in the host, ls -al shows that /rpool/files/pete is now owned by 1001:1001 and /rpool/files/paul is owned by 1002:1002.

Eek! What if I were to subsequently add an unrelated user fred to the host system that happened to be assigned the uid 1001. Would that mean that /rpool/files/pete would now be owned by fred:fred on the host? And more realistically, if I share that dataset with another container that has different users and uids, would some random user own /media/files/pete on that other container?

What is best practice here? Do I need to set up all my containers and host to have the same set of users, and ensure that the UIDs are the same across the board?
 

ttabbal

In short, yes. Make them all the same. There are some ways to manage that like LDAP or NIS. I don't have many accounts, so I just make them all on the primary host, then copy the user records from /etc/passwd around so they all line up. Generally, I don't have accounts in the containers that need access to data. For example, I have a "media" account for Plex and similar containers. All the containers need is that one account. As sharing is managed in the host, there's a group for people to have read access to the media files from there. To avoid conflicts, you can manually assign UID/GID up higher when creating the users.

Another option is to try to avoid cross-container accounts by creating a ZFS dataset and only mounting it in the host and one container. Then that container is the only container to have access, so accounts can't be cross-contaminated.

If this is for an enterprise-type environment, use a directory server. It's far more secure and easier to maintain.
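The ownership problem from the first post, and the fixes ttabbal describes (identical /etc/passwd records everywhere, UIDs pinned high out of the distro's automatic range), as an added example. This is not code posted by anyone in the thread; the two passwd databases are constructed samples that reproduce the pete/paul/fred scenario, and the starting UID 5001 and the user list are assumptions.

```shell
#!/bin/sh
# Added example for this thread, not code posted by anyone in it.
# Shows (1) why "chown pete:pete" inside a CT appears as a bare number, or
# as an unrelated user, on the host: the filesystem stores only the numeric
# UID and each system resolves it through its own /etc/passwd; (2) an audit
# of two passwd files for UID/name clashes before a dataset is shared between
# them; (3) emitting groupadd/useradd lines with fixed IDs so the host and
# every CT get identical accounts. All passwd contents are constructed data.
set -eu

# Constructed /etc/passwd of the Proxmox host: root plus an unrelated "fred"
# who happened to receive UID 1001 (the scenario from the first post).
HOST_PASSWD='root:x:0:0:root:/root:/bin/bash
fred:x:1001:1001:Fred:/home/fred:/bin/bash'

# Constructed /etc/passwd of the Ubuntu CT holding the real users.
CT_PASSWD='root:x:0:0:root:/root:/bin/bash
pete:x:1001:1001:Pete:/home/pete:/bin/bash
paul:x:1002:1002:Paul:/home/paul:/bin/bash'

# resolve_uid PASSWD UID: print the login name for UID in that passwd
# database, or the bare number when there is no entry (what ls -l shows).
resolve_uid() {
    name=$(printf '%s\n' "$1" | awk -F: -v uid="$2" '$3 == uid { print $1; exit }')
    printf '%s\n' "${name:-$2}"
}

# passwd_conflicts PASSWD_A PASSWD_B: one line per UID that names different
# users, or per user that carries different UIDs, in the two databases.
# No output means the two systems agree and the dataset can be shared.
passwd_conflicts() {
    a=$(mktemp) && b=$(mktemp)
    printf '%s\n' "$1" >"$a"
    printf '%s\n' "$2" >"$b"
    awk -F: '
        NR == FNR { name_a[$3] = $1; uid_a[$1] = $3; next }
        ($3 in name_a) && name_a[$3] != $1 {
            printf "UID %s is %s in A but %s in B\n", $3, name_a[$3], $1 }
        ($1 in uid_a) && uid_a[$1] != $3 {
            printf "user %s is UID %s in A but %s in B\n", $1, uid_a[$1], $3 }
    ' "$a" "$b"
    rm -f "$a" "$b"
}

# useradd_script FIRST_UID NAME...: print groupadd/useradd commands that pin
# each user to a fixed UID/GID starting at FIRST_UID. Run the same output on
# the host and inside every CT so the IDs line up everywhere. FIRST_UID is a
# hypothetical choice; keep it above the range useradd hands out on its own.
useradd_script() {
    id=$1; shift
    for user in "$@"; do
        printf 'groupadd -g %s %s\n' "$id" "$user"
        printf 'useradd -u %s -g %s %s\n' "$id" "$id" "$user"
        id=$((id + 1))
    done
}

# The scenario from the thread: pete chowns his directory in the CT ...
echo "CT sees owner of /media/files/pete as:    $(resolve_uid "$CT_PASSWD" 1001)"
# ... the host has no pete, so UID 1001 resolves to fred and 1002 to nothing.
echo "host sees owner of /rpool/files/pete as:  $(resolve_uid "$HOST_PASSWD" 1001)"
echo "host sees owner of /rpool/files/paul as:  $(resolve_uid "$HOST_PASSWD" 1002)"
echo "--- conflicts between host (A) and CT (B) passwd:"
passwd_conflicts "$HOST_PASSWD" "$CT_PASSWD"
echo "--- commands to create matching accounts on host and CTs:"
useradd_script 5001 pete paul media
```

Run the audit with the real files (for example the host's /etc/passwd and the CT's /etc/passwd read from its rootfs) before bind-mounting a dataset into a second container; any line it prints is a UID that will show up as the wrong person somewhere.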
 

Continuum

The problem that you are encountering is the reason I opted to create a FreeIPA container for user management even though my Proxmox server is in a home environment. FreeIPA is easy to set up and is supported, at least as a client, in Ubuntu containers. The FreeIPA server can also serve as your DNS server. A possible added bonus might be that using FreeIPA should make the transition to unprivileged containers in the future much easier because of consistent user IDs across containers.

If you opt to set up a FreeIPA server container and want some guidance, I'll post the steps to create such a container. (I've been meaning to do this in my build thread, but have yet to find time.)
 

el_pedr0

Thanks to you both.

@Continuum I'll read up on FreeIPA. Guides are always very much appreciated, even if people like me don't always remember to reach out and thank the authors. Having followed countless guides for different parts of my setup, it's like my server and home setup has been crafted by a team of specialists.

I've actually only got about three or four real users, then I guess I'll have a few use-specific users like ttabbal's 'media' user above. Is setting up FreeIPA a bit overkill for such a basic setup? Would a FreeIPA CT require many resources?

@ttabbal - From our previous conversations, I started down the route of doing all the sharing from the host. But because I'm still making a load of schoolboy errors, I quickly messed up the host and ended up reinstalling. So until I'm a bit more practised at it, I've decided to leave the host as virgin as possible and create an Ubuntu container to act as the Samba server. That way, if I screw it up, it's so easy just to nuke that container and start again. Though I recognise the downside is that I'll have to bind mount all the ZFS datasets (I still need to get my head around how to do the nested ones; after all, Proxmox will need a mount point to bind a child dataset when booting up a container, but I can't create a mount point for a child dataset until the parent has been mounted. Hmm, maybe it will be clearer when I actually try it). As far as users go though, I'm comfortable with creating all the users on the host. I don't think I can cock that up too much.

One thing that I'm still slightly confused by though... In a normal ubuntu install on a physical machine, it creates that initial user with sudo permissions instead of allowing root to login. Although this doesn't happen when using a template for a container, I assume it would happen if setting up a full VM. As I don't have any control over the uid of this ubuntu admin user, if I were to set up a number of ubuntu VMs, how would I keep those ubuntu admin users in sync with the configuration in /etc/passwd on the host?
 

el_pedr0

Continuum said:
"If you opt to set up a FreeIPA server container and want some guidance, I'll post the steps to create such a container. (I've been meaning to do this in my build thread, but have yet to find time.)"

Oh dear, it looks like I'm falling at the very first hurdle. The FreeIPA deployment recommendations state:
"We strongly recommend that you do not use a domain name that is not delegated to you, even on a private network"
Does that mean I first have to purchase a domain name?
 

ttabbal

I think the idea is to avoid using someone else's domain name. A common option is to use ".local" on the end to avoid conflicts.
 

TuxDude

No - you don't have to purchase a domain name. Just make one up that you are sure won't ever actually be a real public domain name and then you don't have to worry about the "not delegated to you" part. Say.... el_pedr0.local And all your internal hosts are then named "host1.el_pedr0.local", etc.