[PATCH container/manager v2 0/2] make mount point attribute preservation configurable

[PATCH container/manager v2 0/2] make mount point attribute preservation configurable

[Filip Schauer]

The commit 0db559517ac6 (mountpoint_insert_staged: inherit attributes if
directory already exists) introduced automatic propagation of uid, gid,
and mode from the target directory to the mounted filesystem. While this
improves compatibility with some OCI images, it also caused undesired
ownership changes on some mount points.

Since attribute preservation is not always desired, make this behavior
configurable via a new "keepattrs" mountpoint flag. Default to disabled
to preserve historical behavior.

Patch 2/2 exposes this flag in the UI and depends on patch 1/2.

Changed since v1:
* Improve descriptions of new "keepattrs" flag

pve-container:

Filip Schauer (1):
  make mount point attribute preservation configurable

 src/PVE/LXC.pm            | 4 +---
 src/PVE/LXC/Config.pm     | 9 +++++++++
 src/lxc-pve-prestart-hook | 2 +-
 3 files changed, 11 insertions(+), 4 deletions(-)


pve-manager:

Filip Schauer (1):
  ui: lxc/MPEdit: add "keepattrs" flag

 www/manager6/lxc/MPEdit.js | 15 +++++++++++++++
 1 file changed, 15 insertions(+)


Summary over all repositories:
  4 files changed, 26 insertions(+), 4 deletions(-)

-- 
Generated by git-murpp 0.6.0

[PATCH container v2 1/2] make mount point attribute preservation configurable

[Filip Schauer]

The commit 0db559517ac6 (mountpoint_insert_staged: inherit attributes if
directory already exists) introduced automatic propagation of uid, gid,
and mode from the target directory to the mounted filesystem. While this
improves compatibility with some OCI images, it also caused undesired
ownership changes on some mount points.

Since attribute preservation is not always desired, make this behavior
configurable via a new "keepattrs" mountpoint flag. Default to disabled
to preserve historical behavior.

Signed-off-by: Filip Schauer <f.schauer@proxmox.com>
---
Changed since v1:
* Replace "target path" with "mount point directory"
* Replace "attributes" with more specific description
* Add verbose_description

 src/PVE/LXC.pm            | 4 +---
 src/PVE/LXC/Config.pm     | 9 +++++++++
 src/lxc-pve-prestart-hook | 2 +-
 3 files changed, 11 insertions(+), 4 deletions(-)

diff --git a/src/PVE/LXC.pm b/src/PVE/LXC.pm
index 41ea991..2c02e9a 100644
--- a/src/PVE/LXC.pm
+++ b/src/PVE/LXC.pm
@@ -2478,10 +2478,8 @@ sub mountpoint_hotplug : prototype($$$$$) {
         chdir('/')
             or die "failed to change root directory within the container's mount namespace: $!\n";
 
-        my $keep_attrs = $mp->{type} eq 'volume';
-
         mountpoint_insert_staged(
-            $mount_fd, undef, $mp->{mp}, $opt, $root_uid, $root_gid, $keep_attrs,
+            $mount_fd, undef, $mp->{mp}, $opt, $root_uid, $root_gid, $mp->{keepattrs},
         );
     });
 }
diff --git a/src/PVE/LXC/Config.pm b/src/PVE/LXC/Config.pm
index 6f54e9f..5442586 100644
--- a/src/PVE/LXC/Config.pm
+++ b/src/PVE/LXC/Config.pm
@@ -987,6 +987,15 @@ my $mp_desc = {
         verbose_description => "Path to the mount point as seen from inside the container.\n\n"
             . "NOTE: Must not contain any symlinks for security reasons.",
     },
+    keepattrs => {
+        type => 'boolean',
+        description => "Inherit ownership and permissions from the mount point directory.",
+        verbose_description =>
+            "Inherit UID, GID and access mode from the mount point directory, "
+            . "if it exists already.",
+        optional => 1,
+        default => 0,
+    },
 };
 PVE::JSONSchema::register_format('pve-ct-mountpoint', $mp_desc);
 
diff --git a/src/lxc-pve-prestart-hook b/src/lxc-pve-prestart-hook
index f900c12..9862509 100755
--- a/src/lxc-pve-prestart-hook
+++ b/src/lxc-pve-prestart-hook
@@ -100,7 +100,7 @@ PVE::LXC::Tools::lxc_hook(
                 # Mount relative to the rootdir fd.
                 $dest_base_fd = $rootdir_fd;
                 $dest_dir = './' . $mountpoint->{mp};
-                $keep_attrs = $mountpoint->{type} eq 'volume';
+                $keep_attrs = $mountpoint->{keepattrs};
             } else {
                 # Assert that 'rootfs' is the first one:
                 die "foreach_mount() error\n" if $opt ne 'rootfs';
-- 
2.47.3

[PATCH manager v2 2/2] ui: lxc/MPEdit: add "keepattrs" flag

[Filip Schauer]

Expose the "keepattrs" flag for mount points in the UI.

Signed-off-by: Filip Schauer <f.schauer@proxmox.com>
---
This depends on patch 1/2.

Changed since v1:
* Use regular casing for qtip
* Replace "Target Directory" with "mount point directory"
* Replace "Attributes" with "ownership and permissions"

 www/manager6/lxc/MPEdit.js | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/www/manager6/lxc/MPEdit.js b/www/manager6/lxc/MPEdit.js
index f4c45876..4ed2d07b 100644
--- a/www/manager6/lxc/MPEdit.js
+++ b/www/manager6/lxc/MPEdit.js
@@ -47,6 +47,7 @@ Ext.define('PVE.lxc.MountPointInputPanel', {
         setMPOpt('ro', values.ro);
         setMPOpt('acl', values.acl);
         setMPOpt('replicate', values.replicate);
+        setMPOpt('keepattrs', values.keepattrs);
 
         let res = {};
         res[confid] = PVE.Parser.printLxcMountPoint(me.mp);
@@ -338,6 +339,20 @@ Ext.define('PVE.lxc.MountPointInputPanel', {
             name: 'replicate',
             fieldLabel: gettext('Skip replication'),
         },
+        {
+            xtype: 'proxmoxcheckbox',
+            name: 'keepattrs',
+            defaultValue: '0',
+            fieldLabel: gettext('Keep Attributes'),
+            autoEl: {
+                tag: 'div',
+                'data-qtip': gettext('Preserve ownership and permissions of mount point directory'),
+            },
+            bind: {
+                hidden: '{isRoot}',
+                disabled: '{isRoot}',
+            },
+        },
     ],
 });
 
-- 
2.47.3

applied-series: [PATCH container/manager v2 0/2] make mount point attribute preservation configurable

[Fabian Grünbichler]

thanks!

On February 11, 2026 3:41 pm, Filip Schauer wrote:
> The commit 0db559517ac6 (mountpoint_insert_staged: inherit attributes if
> directory already exists) introduced automatic propagation of uid, gid,
> and mode from the target directory to the mounted filesystem. While this
> improves compatibility with some OCI images, it also caused undesired
> ownership changes on some mount points.
> 
> Since attribute preservation is not always desired, make this behavior
> configurable via a new "keepattrs" mountpoint flag. Default to disabled
> to preserve historical behavior.
> 
> Patch 2/2 exposes this flag in the UI and depends on patch 1/2.
> 
> Changed since v1:
> * Improve descriptions of new "keepattrs" flag
> 
> pve-container:
> 
> Filip Schauer (1):
>   make mount point attribute preservation configurable
> 
>  src/PVE/LXC.pm            | 4 +---
>  src/PVE/LXC/Config.pm     | 9 +++++++++
>  src/lxc-pve-prestart-hook | 2 +-
>  3 files changed, 11 insertions(+), 4 deletions(-)
> 
> 
> pve-manager:
> 
> Filip Schauer (1):
>   ui: lxc/MPEdit: add "keepattrs" flag
> 
>  www/manager6/lxc/MPEdit.js | 15 +++++++++++++++
>  1 file changed, 15 insertions(+)
> 
> 
> Summary over all repositories:
>   4 files changed, 26 insertions(+), 4 deletions(-)
> 
> -- 
> Generated by git-murpp 0.6.0
> 
> 
> 
> 
>