[pve-devel] Bind Mount Points vs Device Mount Points

Fabian Grünbichler f.gruenbichler at proxmox.com
Mon Mar 12 08:06:07 CET 2018


On Sat, Mar 10, 2018 at 04:09:45PM +0100, Nils Privat wrote:
> Hello,
> 
> recently i wanted to mount some directories, managed by the host, into an
> lxc.
> I opened up the "resources" -> add -> mount point:
> 
> Here i was a bit confused. Is the GUI mask mixing up bind and device mounts?
> I guess the two entries "Storage" and "Disk Size" are only important if i
> want to mount a device, but i just want to mount a folder, there is no
> possibility to select none "storage" and type in the folder-path
> instead.... so my solution was to manually edit the conf with something
> like that:
> 
> mp0: /mnt/bindmounts/shared,mp=/shared/folder1 in /etc/pve/lxc/100.conf

there are three kinds of mountpoints for containers in PVE:

- storage backed mount points[1]
- bind mount points [2]
- device mount points [3]

only the first is really managed by PVE (in the sense that it is
possible to allocate volumes and configure them as mount points, there
is a permission system, you can free the volume again via our Storage
API, make snapshots and clones if the storage supports it, etc).

you are referring to such storage backed mount points, not device mount
points (a device mount point means mounting a host block device directly
into the container).

bind and device mount points can be configured manually via the config
file or the API, but only as root@pam user (for the pretty obvious
security implications - they allow access to almost arbitrary
hypervisor directories and block devices!).

> 
> It works great, even with option ro=1, I just had to create the dir
> /shared/folder1 inside the container first.
> So maybe i misunderstood the GUI, but for me, it would be great if the GUI
> explicitly distinguished between device mounts and bind mounts. Or how can i
> "bind mount" and no "device mount"?

options which are limited to the root user are usually not available via
the GUI. this is also true for bind and device mount points.

I did have plans at some point to make bind mounts configurable via the
Storage API (which would allow the admin to setup "allowed" bind mount
paths as root@pam, and then give permissions to regular users to
configure them in their containers just like for other storages). it
would only really be helpful for the use cases of frequent container
regeneration or bind mounting into multiple containers. and it's still
only an idea on my TODO list unfortunately ;)

1: https://pve.proxmox.com/pve-docs/pve-admin-guide.html#_storage_backed_mount_points
2: https://pve.proxmox.com/pve-docs/pve-admin-guide.html#_bind_mount_points
3: https://pve.proxmox.com/pve-docs/pve-admin-guide.html#_device_mount_points
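
An added example, not part of the original message and not PVE's own code: a small audit helper that sorts the `mpN` entries of a container config into the three kinds of mount point described in this thread and marks the ones that expose host paths or block devices. It assumes the short `mpN: <volume>,mp=<path>[,ro=1]` form quoted above, that a volume starting with `/dev/` is a device mount point and any other absolute path a bind mount point, and that snapshot sections start with a `[name]` line; the sample config is constructed.

```python
import re

# Constructed sample in the style of /etc/pve/lxc/<vmid>.conf; only the mp0
# line of the current config comes from the thread, the rest is made up.
SAMPLE_CONF = """\
rootfs: local-lvm:vm-100-disk-0,size=8G
mp0: /mnt/bindmounts/shared,mp=/shared/folder1
mp1: local-lvm:vm-100-disk-1,mp=/data,size=4G
mp2: /dev/sdb1,mp=/mnt/raw,ro=1
[snap1]
mp0: /mnt/old,mp=/old
"""

MP_LINE = re.compile(r"^(mp\d+):\s*(\S+)\s*$")

def classify(volume):
    """Return 'device', 'bind' or 'storage' for the volume part of an mpN entry."""
    if volume.startswith("/dev/"):
        return "device"   # host block device mounted directly (assumed prefix rule)
    if volume.startswith("/"):
        return "bind"     # host directory
    return "storage"      # STORAGE:VOLUME, allocated through the storage layer

def audit(conf_text):
    """List mount points of the current config; snapshot sections are skipped."""
    findings = []
    for line in conf_text.splitlines():
        if line.startswith("["):      # first snapshot section: stop reading
            break
        m = MP_LINE.match(line)
        if m is None:
            continue
        key, value = m.groups()
        volume, *opts = value.split(",")
        options = dict(o.split("=", 1) for o in opts if "=" in o)
        kind = classify(volume)
        findings.append({
            "key": key, "kind": kind, "source": volume,
            "target": options.get("mp"),
            "read_only": options.get("ro") == "1",
            # bind and device mount points bypass the storage permission system
            "host_exposed": kind in ("bind", "device"),
        })
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONF):
        print(finding)
```

Entries with `host_exposed` set and `read_only` unset are the ones worth reviewing first, since they give the container write access to a host path or device.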
