My projects and progress

Christopher Berger

SMB Share to Unprivileged LXC

How to Connect an SMB share to Proxmox LXC

A privileged LXC that is exposed to an intruder can let them escalate to root on the Proxmox host itself.  To maintain a secure posture in your Proxmox environment, unprivileged LXCs are the way to go, but they bring some added difficulty when you want to add an SMB share to the container.

The solution: mount the share on the Proxmox host, then bind-mount that host directory into the LXC.  I will give an example of adding three separate shares, /data, /media, and /nas.  Adjust these to match your own configuration.

On the PVE host, run the following commands as root (replace anything in <angle brackets> to match your configuration).  The steps below add three separate SMB shares to an LXC.

  1. ### Create the mount points on the PVE host ###
    • mkdir -p /mnt/lxc_shares/data
    • mkdir -p /mnt/lxc_shares/media
    • mkdir -p /mnt/lxc_shares/nas

  2. ### Add each NAS CIFS share to /etc/fstab. Adjust //<10.11.12.13/data> and the others to match your CIFS hostname/IP and share name ###
    • { echo '' ; echo '# Mount CIFS share on demand with rwx permissions for use in LXCs (manually added)' ; echo '//<10.11.12.13/data> /mnt/lxc_shares/data cifs _netdev,x-systemd.automount,noatime,uid=100000,gid=110000,dir_mode=0770,file_mode=0770,user=<Admin>,pass=<P@ssw0rd> 0 0' ; } | tee -a /etc/fstab
    • { echo '' ; echo '# Mount CIFS share on demand with rwx permissions for use in LXCs (manually added)' ; echo '//<10.11.12.14/media> /mnt/lxc_shares/media cifs _netdev,x-systemd.automount,noatime,uid=100000,gid=110000,dir_mode=0770,file_mode=0770,user=<Admin>,pass=<P@ssw0rd> 0 0' ; } | tee -a /etc/fstab
    • { echo '' ; echo '# Mount CIFS share on demand with rwx permissions for use in LXCs (manually added)' ; echo '//<10.11.12.15/nas> /mnt/lxc_shares/nas cifs _netdev,x-systemd.automount,noatime,uid=100000,gid=110000,dir_mode=0770,file_mode=0770,user=<Admin>,pass=<P@ssw0rd> 0 0' ; } | tee -a /etc/fstab

  3. ### Mount the share on the PVE Host ###
    • mount /mnt/lxc_shares/data
    • mount /mnt/lxc_shares/media
    • mount /mnt/lxc_shares/nas

In the LXC, run commands as root:

  1. ### Create a group with GID=10000 in the LXC to match GID=110000 on the PVE host (an unprivileged LXC maps container IDs to host IDs at an offset of 100000) ###
    • groupadd -g 10000 <lxc_shares>
  2. ### Add the user(s) that need access to the CIFS share to the group ###
    • usermod -aG <lxc_shares> <plex / jellyfin / john>
  3. ### Shut down the LXC ###
    • shutdown -h now

Add a bind mount of the share to the LXC configuration

  1. ### Adjust the LXC ID (100 below) in the config file path for the container you want to add each share to ###
    • { echo 'mp0: /mnt/lxc_shares/data/,mp=/data' ; } | tee -a /etc/pve/lxc/100.conf
    • { echo 'mp1: /mnt/lxc_shares/media/,mp=/media' ; } | tee -a /etc/pve/lxc/100.conf
    • { echo 'mp2: /mnt/lxc_shares/nas/,mp=/nas' ; } | tee -a /etc/pve/lxc/100.conf

  2. ### The first path in each mp0/mp1/mp2 entry is the location on the Proxmox host; mp= is the mount point inside the LXC ###

  3. ### For example, in mp2 the host path is /mnt/lxc_shares/nas and mp=/nas is the path inside the container ###
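The host-side steps, the in-container group step and the bind-mount entries above are one procedure, so here is the whole thing as a single idempotent script. This is an added example, not the post's own commands: it assumes LXC ID 100, the post's uid=100000/gid=110000 host-side IDs, a constructed NAS address 10.11.12.13 and a hypothetical container user jellyfin, and it swaps the inline user=/pass= options for a mount.cifs credentials= file, because /etc/fstab is normally world-readable and an inline password is visible to every local user on the host. The helper functions only generate the fstab and mpN lines; apply makes the actual changes, so running the script with no argument changes nothing.

```shell
#!/bin/sh
# Added example, not from the original post. Assumptions: LXC ID 100, the post's
# uid=100000/gid=110000 host-side IDs, a constructed NAS address (10.11.12.13),
# a hypothetical container user (CTUSER) and a root-only credentials file for
# mount.cifs instead of a plaintext pass= in world-readable /etc/fstab.
set -eu

NAS="${NAS:-10.11.12.13}"            # constructed placeholder, not the post's value
CRED="${CRED:-/root/.smbcredentials}"
CTID="${CTID:-100}"
CTUSER="${CTUSER:-jellyfin}"         # hypothetical user inside the LXC

# fstab_line SERVER SHARE MOUNTPOINT CREDFILE -> one /etc/fstab entry with the post's
# mount options, credentials= standing in for user=/pass=
fstab_line() {
    printf '//%s/%s %s cifs _netdev,x-systemd.automount,noatime,uid=100000,gid=110000,dir_mode=0770,file_mode=0770,credentials=%s 0 0\n' \
        "$1" "$2" "$3" "$4"
}

# mp_line INDEX HOSTPATH CTPATH -> one "mpN:" bind-mount entry for /etc/pve/lxc/<ID>.conf
mp_line() {
    printf 'mp%s: %s/,mp=%s\n' "$1" "$2" "$3"
}

# container_id HOSTID -> the ID a process inside an unprivileged LXC sees for that
# host ID (default mapping offset 100000: host gid 110000 is gid 10000 in the
# container and host uid 100000 is uid 0, which is why the post's fstab values work)
container_id() {
    echo $(( $1 - 100000 ))
}

# append_once LINE FILE -> append LINE only if that exact line is not already present,
# so re-running the script does not duplicate fstab or mp entries
append_once() {
    grep -qxF -- "$1" "$2" 2>/dev/null || printf '%s\n' "$1" >> "$2"
}

apply() {
    # 1. credentials file, readable by root only (values are placeholders)
    if [ ! -f "$CRED" ]; then
        printf 'username=<Admin>\npassword=<P@ssw0rd>\n' > "$CRED"
        chmod 600 "$CRED"
    fi
    # 2. mount points and fstab entries on the host, then mount each share
    for share in data media nas; do
        mkdir -p "/mnt/lxc_shares/$share"
        append_once "$(fstab_line "$NAS" "$share" "/mnt/lxc_shares/$share" "$CRED")" /etc/fstab
    done
    systemctl daemon-reload            # regenerate the x-systemd.automount units
    for share in data media nas; do
        mount "/mnt/lxc_shares/$share"
    done
    # 3. group and user inside the running container (host gid 110000 appears as 10000)
    gid="$(container_id 110000)"
    pct exec "$CTID" -- sh -c "getent group lxc_shares >/dev/null || groupadd -g $gid lxc_shares"
    pct exec "$CTID" -- usermod -aG lxc_shares "$CTUSER"
    # 4. stop the container, add the bind mounts to its config, start it again
    pct shutdown "$CTID"
    i=0
    for share in data media nas; do
        append_once "$(mp_line "$i" "/mnt/lxc_shares/$share" "/$share")" "/etc/pve/lxc/$CTID.conf"
        i=$((i + 1))
    done
    pct start "$CTID"
}

if [ "${1:-}" = "apply" ]; then
    apply
fi
```

Run it as root on the PVE host with `sh add_shares.sh apply`. The container_id helper is the reason the post pairs GID 110000 on the host with GID 10000 in the LXC; once the container is back up you can confirm the mapping with `pct exec 100 -- stat -c '%u:%g' /nas`, which should print 0:10000 for a share mounted with the post's uid/gid options.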

EXTRA CREDIT – Add to your LXC docker-compose.yaml file!

  1. ### Under volumes, add the local LXC mount point ###
    ### Example docker compose file ###

services:
  radarr:
    image: lscr.io/linuxserver/radarr:latest
    container_name: radarr
    environment:
      - PUID=0
      - PGID=0
      - TZ=America/Chicago
    volumes:
      - /arr/radarr/appdata:/config
      - /data:/data   # mp0: /mnt/lxc_shares/data/,mp=/data
      - /media:/media # mp1: /mnt/lxc_shares/media/,mp=/media
      - /nas:/nas     # mp2: /mnt/lxc_shares/nas/,mp=/nas
    ports:
      - 7878:7878
    restart: unless-stopped

You can also map a specific subfolder of a share in the docker-compose file:

  1. ### external_path:internal_path ###
    • /media/movies/tv_shows:/tv_shows