Mount NFS on LXC Proxmox
Posted on August 8, 2018 • 2 minutes • 329 words • Suggest Changes
I’m a long time user of Proxmox (a few years), and recently I had the chance to upgrade an by-now ancient Proxmox 3.4 to current 5.2. In that time frame the developers have changed from OpenVZ to LXC and made a script to migrate the data. One key element however, mounting (remote) NFS shares are no longer possible from within the containers, at least not native.
Within the container the error is rather lacking information and is pointing towards the NFS server issue.
Aug 8 09:09:51 svennd mount: mount.nfs: access denied by server while mounting nfs_server:/data
However, on the Proxmox host, in /var/log/messages you can find that apparmor is the problem.
apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-container-default-cgns" name="/storage/nfs_server/data/" pid=25086 comm="mount.nfs" fstype="nfs" srcname="nfs_server:/data" flags="ro, noatime"
💭.
Well now, lets try and undo this security feature, in my case the profile that is causing it to block is lxc-container-default-cgns. You can find this file : /etc/apparmor.d/lxc/lxc-default-cgns
Also some other configs can be found there (not sure when what profile is loaded) I added :
mount fstype=rpc_pipefs, mount fstype=nfs,
below mount fstype=cgroup -> /sys/fs/cgroup/**,
resulting in this final file :
# Do not load this file. Rather, load /etc/apparmor.d/lxc-containers, which # will source all profiles under /etc/apparmor.d/lxc profile lxc-container-default-cgns flags=(attach_disconnected,mediate_deleted) { #include <abstractions/lxc/container-base> # the container may never be allowed to mount devpts. If it does, it # will remount the host's devpts. We could allow it to do it with # the newinstance option (but, right now, we don't). deny mount fstype=devpts, mount fstype=cgroup -> /sys/fs/cgroup/**, mount fstype=rpc_pipefs, mount fstype=nfs, }
After that we need to reload Apparmor, I’m not sure what made it work again, but it was one of these :
apparmor_parser -r /etc/apparmor.d/lxc-containers systemctl apparmor reload
And now we can mount from within once more ! 🙂
There is an alternative, but from what I read here you need to remap user ID’s, and need to use mountpoints on the host and draw them inside the container.