Friday, December 4, 2020

Correcting umask/file permissions for Unix CIFS mount points.

Today I had a very interesting issue, where a file created from a Proxmox container had incorrect permissions on the host server.

The typical umask on Linux is 0002, but for the Proxmox root user it's 0022. This means files created by this user have their group permissions restricted to read-only.

We could fix this by setting the umask on the Proxmox root user, but that could have severe and unintended consequences (messing with root user perms never ends well). Instead, we look to smb.conf.

Samba Config

I'm running Ubuntu as the CIFS server, and using "net usershare" to share the mount. We can set a global config so that any files written to the share will have the same default permissions as files created from the host.

I simply uncommented and tweaked these lines in /etc/samba/smb.conf:

# File creation mask is set to 0700 for security reasons. If you want to
# create files with group=rw permissions, set next parameter to 0775.
   create mask = 0664

# Directory creation mask is set to 0700 for security reasons. If you want to
# create dirs. with group=rw permissions, set next parameter to 0775.
   directory mask = 0775

And finally, don't forget to reload:

sudo systemctl reload smbd

Now new files get the intended permissions (664) instead of being writable by the owner only (744).

-rwxr--r--  1 nobody nogroup          0 Dec  3 20:24  test4.txt*
-rw-rw-r--  1 nobody nogroup          0 Dec  3 21:07  test5.txt
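As an added check (example script, not part of the original post), this POSIX shell function creates a probe file and directory on the share and compares their modes with the 664/775 that the masks above should produce; the mount path is a placeholder.

```shell
# Added example: verify that a mounted share hands out the expected modes.
# Usage: check_mount_perms /mnt/servername/mountpoint 664 775   (placeholder path)
mode_of() {
    # GNU stat first, BSD stat as a fallback; prints the octal mode (e.g. 664)
    stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"
}

check_mount_perms() {
    cmp_dir="$1"
    cmp_want_file="${2:-664}"   # expected file mode, matches create mask = 0664
    cmp_want_dir="${3:-775}"    # expected dir mode, matches directory mask = 0775
    cmp_file="$cmp_dir/.perm-probe-$$"
    cmp_sub="$cmp_dir/.perm-probe-dir-$$"
    cmp_rc=0

    # Create one file and one directory exactly as a client would.
    : > "$cmp_file" || return 2
    mkdir "$cmp_sub" || { rm -f "$cmp_file"; return 2; }

    cmp_got_file=$(mode_of "$cmp_file")
    cmp_got_dir=$(mode_of "$cmp_sub")

    if [ "$cmp_got_file" != "$cmp_want_file" ]; then
        echo "file mode $cmp_got_file, expected $cmp_want_file (check 'create mask' in smb.conf)" >&2
        cmp_rc=1
    fi
    if [ "$cmp_got_dir" != "$cmp_want_dir" ]; then
        echo "dir mode $cmp_got_dir, expected $cmp_want_dir (check 'directory mask' in smb.conf)" >&2
        cmp_rc=1
    fi

    # Clean up the probes regardless of the outcome.
    rm -f "$cmp_file"
    rmdir "$cmp_sub"
    return $cmp_rc
}
```

Run it from the client side on the CIFS mount after "systemctl reload smbd"; a non-zero exit names which mask still needs attention.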

Saturday, July 18, 2020

Creating Bind Mounts in Proxmox and CIFS

UPDATE


Do NOT do this. If a CIFS mount is unavailable, the container will fail to start on boot/reboot. Instead, I would recommend creating the CIFS mount in the container. It's not as efficient, but at least the container will boot if the mount is unavailable.

Original Post Follows


Bind mounts allow us to mount arbitrary host directories in containers. This is useful if we need a container to have access to files on a host filesystem.

If you need the container to have WRITE privilege, create it as a privileged container. The default setting is unprivileged, so make sure you plan ahead. There are ways to allow unprivileged containers to write bind mounts, but I've spent too much time trying to figure it out, and this was much easier.

In my case I'm interested in using CIFS shares from inside a container. We can do this in two steps.
1) Set up the CIFS on the proxmox host
2) Set up the bind mount on the container

Setting up CIFS

I like to use autofs for network mounts.
# Install CIFS and autofs
apt install cifs-utils
apt install autofs

# Configure autofs
echo "/mnt/servername /etc/auto.servername --timeout 0" >> /etc/auto.master
echo "mountpoint -fstype=cifs,rw,guest ://servername/mountpoint" >> /etc/auto.servername
The above adds lines to the autofs config to mount our share. This assumes you already have a CIFS server running that allows guest access. Replace the mountpoint and servername parts as appropriate.

Setting up Bind Mounts

# Create Container Bind Mount
pct set 106 -mp0 /mnt/servername/mountpoint,mp=/mnt/containerfolder
We must use the CLI to create Proxmox bind mounts; they are not currently supported in the GUI. The above creates mount point 0 ("mp0") for container 106 (change the number to match your container) and maps the host directory /mnt/servername/mountpoint, the autofs CIFS share we just set up, to /mnt/containerfolder inside the container.

Now if we launch the container, we can list /mnt/containerfolder and see the contents of our CIFS share.

Bind mounts work with any host directory and can be mapped to any directory in the container, so be careful: there are security and data integrity implications when you do this. The safest practice is to only mount directories under /mnt on the host and map them to /mnt in the container.
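An added helper (example code, not from the original post or from Proxmox) that applies the /mnt-only practice above before producing the pct command. It prints the command for review instead of running it, and warns when the host path is not currently mounted, since the UPDATE above notes that a missing mount stops the container from booting. The container id, paths and mount index are placeholders.

```shell
# Added example: build a pct bind-mount command only for paths that follow
# the /mnt-on-host -> /mnt-in-container practice. Prints, does not execute.
# Usage: build_bind_mount_cmd 106 /mnt/servername/mountpoint /mnt/containerfolder [0]
build_bind_mount_cmd() {
    bm_ctid="$1"; bm_host="$2"; bm_ct="$3"; bm_idx="${4:-0}"

    # Container id and mount index must be plain numbers (mp0, mp1, ...).
    case "$bm_ctid" in ''|*[!0-9]*) echo "ctid must be numeric" >&2; return 1;; esac
    case "$bm_idx" in ''|*[!0-9]*) echo "mount index must be numeric" >&2; return 1;; esac

    for bm_p in "$bm_host" "$bm_ct"; do
        # Both sides must live under /mnt, as recommended above.
        case "$bm_p" in
            /mnt/?*) ;;
            *) echo "refusing $bm_p: only paths under /mnt are allowed" >&2; return 1;;
        esac
        # No '..' (escapes /mnt) and no ',' or '=' (would break pct option parsing).
        case "$bm_p" in
            *..*|*,*|*=*) echo "refusing $bm_p: '..', ',' and '=' are not allowed" >&2; return 1;;
        esac
    done

    # Warn, but do not refuse: a share that is absent at boot stops the container.
    if ! mountpoint -q "$bm_host" 2>/dev/null; then
        echo "warning: $bm_host is not currently mounted; the container will not start if it is missing at boot" >&2
    fi

    printf 'pct set %s -mp%s %s,mp=%s\n' "$bm_ctid" "$bm_idx" "$bm_host" "$bm_ct"
}
```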

Thursday, April 23, 2020

Proxmox Postfix Gmail Setup

https://www.reddit.com/r/homelab/comments/5nzmm3/setting_up_the_proxmox_email_alerts/dcfihdw/

https://www.linode.com/docs/email/postfix/configure-postfix-to-send-mail-using-gmail-and-google-apps-on-debian-or-ubuntu/

Saturday, April 18, 2020

Proxmox Firewall and Isolating VMs

It's pretty common to want to isolate VMs. In applications like VirtualBox, VMs are only able to interface with the host in a very limited manner. You must intentionally create interfaces with the host or other computers on the network.

In Proxmox, everything is wide open by default. It uses a model of most trust, instead of the model of least trust.

In order to lock down a VM in Proxmox, we need to limit how it can interface with other components on the network. This is where a firewall comes in. There are a lot of "solutions" to this problem that say "just install a pfSense VM". This can be useful and informative, but it is also overkill, especially when Proxmox comes with the needed capability and an arguably less steep learning curve.

Quick Overview

The firewall must be enabled at all three levels in order to function. That's Datacenter, Node, and VM.

The default policy is inbound drop, outbound accept. You may want to tune these at a given level as appropriate for your environment.

We can create rule templates to help us configure policy on individual nodes or VMs using the Datacenter -> Firewall -> Security Group feature.

This is enough info for someone who knows about firewalls to get started. What follows is more detailed instructions.

Enable Proxmox Firewall

First we need to enable the firewall in Proxmox. In order to have a VM use its own defined set of rules, the firewall needs to be enabled at every level. That would be Datacenter, Node, and VM.

Datacenter

Under "Datacenter"
Click on "Firewall" -> "Options"
Select "Firewall" in the list
Click the "Edit" button
Check the box
Click "OK"

Here I've also changed the Input Policy (Default: "DROP") to "ACCEPT", allowing access from anywhere on my network. This ensures that other services I'm already using don't break. Ideally I would create a FW rule to allow each specifically.

Node

Under the node
Select "Firewall" -> "Options"
Select "Firewall" in the list
Click on "Edit"
Check the box
Click "OK"

VM

Under the VM
Select "Firewall" -> "Options"
Select "Firewall" from the list
Click on "Edit"
Check the box
Click "OK"

Using a Security Group Firewall Policy

I want to make sure this VM is unable to communicate with anything on the host, or network, but still needs access to my DNS server, DHCP, and the internet.

We can set up these rules under "Datacenter" -> "Firewall" -> "Security Groups"
First we create a group for our rules, then we can add rules.

Under "Create" we simply give the group a name. I called mine "fw-vm-isolate".

When you "Add" rules, the interface is a familiar form with all the firewall address and port options. Fields may be left blank, enabling rules to match a broad definition of traffic.

Rules may be reordered. They are effective from top to bottom. First match wins.

Here is my config. It allows NFS connections to the Proxmox host and DNS to my DNS server. Finally, it denies all other traffic to any other LAN IP. This means the VM can still connect to the internet, but cannot reach any local computer.

DHCP is still allowed because the VM can still send broadcast messages, and will get a reply from the DHCP server.

Finally, we apply the security group to our VM using "Insert: Security Group" in the VM Firewall settings.