Yes! Sorry about that. I should have been more specific.
So reviewing what we know based on what’s already been posted…
Viewpoint from each device …
NFS mount in Syncthing LXC VM:
-rw-r--r-- 1 linesquarecube nogroup 669815 Aug 28 20:04 testfile
-rw-r--r-- 1 1002 65534 10 Sep 3 23:16 testfile
Linux laptop:
-rw-rw---- 1 lincesquarecube users 669815 Aug 28 20:04 testfile
-rw-r--r-- 1 101002 100 10 3. Sep 23:16 testfile
As you already know, in order to avoid collisions, user and group IDs inside a LXC container are mapped to IDs that are offset by 100000 on the host side (on the host, /etc/subuid
and /etc/subgid
sets the subordinate IDs).
So the output above looks as expected with the files created on the NFS mount by Syncthing in the LXC container having an offset UID of 101002 (100000 + 1002) from the viewpoint of the PVE host.
It was once common for regular user accounts to start at UID:GID 100:100
, but as the number of network services and need for better security by not running every daemon under root
increased, the default starting point for regular user accounts shifted to 1000:1000
. The reason I mention this little bit of UID:GID history is that it helps interpret the mix of UIDs and GIDs above.
Since your laptop happens to have a “users” group with ID 100, ls -l
didn’t end up showing just a number when listing the details for testfile
.
At the same time, inside the Syncthing LXC VM, files created under the NFS mount attempt to be assigned 1002:1002
(assuming the GID is 1002
).
The other clue is Syncthing LXC VM’s view of the NFS mount where the UID:GID for testfile
is 1002:65534
. It means that the OMV VM didn’t have a match for GID 1002
, so NFS defaults to assigning it 65534
which is almost always the group named “nogroup” or “nobody”.
Inside the OMV VM, on the USB drive shared via NFS:
-rw-r--r-- 1 101002 100 10 3. Sep 23:16 testfile
The output above aligns with what the laptop sees, and not unexpected given what /etc/exports
says.
/etc/exports …
Because NFS allows bunching together all of the access control entries for an exported filesystem on a single line, or breaking them up into separate lines, I’ve split the lines and reordered them to make things easier to read, compare, and follow, but otherwise it’s verbatim.
I’m also ignoring the lines that export read-only shares since if the device mounting it cannot change anything, file ownership is OMV’s responsibility.
First, it could have been due to the copy-and-paste, but the original “/export/Dokumente” line is incomplete. It’s missing at least 2 characters and the >
shouldn’t be there at the end of the line.
So looking only at the read/write NFS shares:
/export/Bilder 192.168.188.101/32(fsid=311b5c9c-3eb3-4952-99c2-355d886a45f3,rw,anongid=100,insecure,rw,subtree_check)
/export/Dokumente 192.168.188.101/32(fsid=ee829be4-a557-4ff0-bb18-7960da2e60f1,rw,anongid=100,insecure,rw,subtree_check)
/export/Dokumente 192.168.188.2/32(fsid=be641583-0531-4b15-aa84-1ed0b3f3a70e,rw,anongid=110000,anonuid=110000,insecure,rw,subtree_check)
/export/Pixel4a 192.168.188.101/32(fsid=6b29532c-4c5c-4c23-85c2-c0f6608bce49,rw,anongid=100,insecure,rw,subtree_check)
/export/Pixel4a 192.168.188.2/32(fsid=3b3daa08-1b4c-42dc-ac6b-3b1f2321bec9,rw,anongid=110000,anonuid=110000,insecure,rw,subtree_check)
To be honest, the UID/GID assignments above are a bit of a mess.
It’s not currently clear why the anonymous UID/GID is set to 110000 in some instances (it doesn’t match Syncthing’s subordinate UID/GID), while in other instances only the anonymous GID is set to 100
(which equates to “users” on the laptop and perhaps also in OMV).
In OMV, for /export/Dokumente
, NFS is told to assign all newly created files and directories GID 100
due to the anongid=100
option being declared. The applies to when anonuid=110000
is used it assigns the UID 110000
to all files.
(The “anonuid” and “anongid” options basically override whatever ownership is being sent over the wire.)
Also for /export/Dokumente
, hosts 192.168.188.101 and 192.168.188.2 have different anonuid
and anongid
declarations – that kind of mix almost guarantees permissions issues.
Since it doesn’t sound like you’re actively maintaining a uniform set of UID:GID across devices either manually or via some type of “yellow pages”, and it also doesn’t sound like you’ve got multiple users that require protected file space, my recommendation is to choose a pair of UID:GID for all NFS shares (e.g. setting anonuid
and anongid
to nobody:nogroup
).
Because NFS is the one who ultimately is reading/writing files, and nfsd on Linux requires root privileges, it has no access issues. In OMV, everything on that USB drive will be owned by a single user regardless of whether Syncthing in your LXC VM or you on your laptop is reading/writing.
And if your USB drive isn’t formatted with a filesystem that supports Linux file attributes (e.g. NTFS), it makes an even better solution.