Hey guys,
I'm trying to wrap my head around the best scenario to achieve file sharing within an LXC container. So here is what I've tried so far and where I'm struggling.
Basis for this is the current version of proxmox with the current arch template running in the container.
1) Using an unprivileged LXC container by default is not possible, since the apparmor profile prohibits NFS mounts
2) Adding an exception for NFS in the apparmor profile is successful as I can start the container, but it comes with another problem
Code:
# Do not load this file. Rather, load /etc/apparmor.d/lxc-containers, which
# will source all profiles under /etc/apparmor.d/lxc
profile lxc-container-default-with-cifs-nfs flags=(attach_disconnected,mediate_deleted) {
  #include <abstractions/lxc/container-base>

  # allow standard blockdevtypes.
  # The concern here is in-kernel superblock parsers bringing down the
  # host with bad data. However, we continue to disallow proc, sys, securityfs,
  # etc to nonstandard locations.
  deny mount fstype=devpts,
  mount fstype=cifs,
  mount fstype=rpc_pipefs,
  mount fstype=cgroup -> /sys/fs/cgroup/**,
  mount fstype=ext*,
  mount fstype=nfs*,
}
Adding this apparmor profile to the container config results in systemd-networkd failing at startup, because of a wrong apparmor configuration which apparently was already fixed upstream, but too big to be backported.
github com/systemd/systemd/issues/9493
bugs.launchpad net/ubuntu/+source/apparmor/+bug/1575779
So, the good news is that this is all fixed upstream starting with 4.17 with the socket mediation patchset that got merged a short while ago. The bad news is that we need to get this patchset backported and it is quite large:
git.kernel org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=80a17a5f501ea048d86f81d629c94062b76610d4
Since pve is still on 4.15.18, this seems to be just broken.
3) Now, I thought I would be clever and just use a privileged container, enable NFS from the GUI and be good, right? Wrong! Using a privileged container with arch results in the same systemd-networkd error, caused by apparmor. The network never gets started.
I could add lxc.apparmor.profile: unconfined to the container file, but that really seems like a bad idea...
Oh, mounting the filesystem from the host to the container also seems like a bad idea since I need to mount this directory into several containers and I guess this could lead to file inconsistencies.
So, what is the recommendation here?
PS: The links are broken since I'm not allowed to post links as a new user.
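An added example, not from the post or from Proxmox: a small Python audit that walks a set of container configs, reports which ones reference lxc.apparmor.profile: unconfined (the option the post calls a bad idea), and, for the custom profile quoted above, works out which mount fstypes it explicitly allows or denies. The three container configs are constructed for the example; the profile body is the one from the post. Only rules written in that profile file are parsed, so whatever the #include'd container-base abstraction adds is not counted, and an explicit deny is treated as winning over an allow, as AppArmor does.

```python
import fnmatch
import re
from dataclasses import dataclass, field

# Constructed container configs (not real Proxmox files): one confined by
# the custom NFS/CIFS profile, one set to "unconfined", and one that leaves
# the profile setting at the LXC/Proxmox default.
SAMPLE_CONFIGS = {
    "101.conf": "arch: amd64\nhostname: media\nlxc.apparmor.profile: lxc-container-default-with-cifs-nfs\n",
    "102.conf": "arch: amd64\nhostname: backup\nlxc.apparmor.profile: unconfined\n",
    "103.conf": "arch: amd64\nhostname: web\n",
}

# The profile body quoted in the post, comments trimmed.
PROFILE_TEXT = """\
profile lxc-container-default-with-cifs-nfs flags=(attach_disconnected,mediate_deleted) {
  #include <abstractions/lxc/container-base>
  deny mount fstype=devpts,
  mount fstype=cifs,
  mount fstype=rpc_pipefs,
  mount fstype=cgroup -> /sys/fs/cgroup/**,
  mount fstype=ext*,
  mount fstype=nfs*,
}
"""

PROFILE_LINE = re.compile(r"^lxc\.apparmor\.profile\s*[:=]\s*(\S+)")
PROFILE_HEADER = re.compile(r"^profile\s+(\S+)")
MOUNT_RULE = re.compile(r"^(deny\s+)?mount\s+fstype=([^\s,]+)")


@dataclass
class MountPolicy:
    name: str = ""
    allowed: list = field(default_factory=list)  # fstype globs with an allow rule
    denied: list = field(default_factory=list)   # fstype globs with a deny rule


def parse_mount_rules(profile_text: str) -> MountPolicy:
    """Collect the explicit `mount fstype=...` rules written in one profile file.

    Lines starting with '#' (including the '#include <abstractions/...>'
    directive) are skipped, so rules pulled in from the base abstraction
    are deliberately not part of the result.
    """
    policy = MountPolicy()
    for raw in profile_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = PROFILE_HEADER.match(line)
        if header:
            policy.name = header.group(1)
            continue
        rule = MOUNT_RULE.match(line)
        if rule:
            target = policy.denied if rule.group(1) else policy.allowed
            target.append(rule.group(2))
    return policy


def fstype_allowed(policy: MountPolicy, fstype: str) -> bool:
    """An explicit deny rule wins over any allow rule, as in AppArmor."""
    if any(fnmatch.fnmatchcase(fstype, g) for g in policy.denied):
        return False
    return any(fnmatch.fnmatchcase(fstype, g) for g in policy.allowed)


def audit_container(conf_text: str, profiles: dict) -> dict:
    """Describe how one container config is confined.

    'profile' is the name referenced by lxc.apparmor.profile (None when the
    config leaves the default in place), 'unconfined' flags the setting the
    post warns about, and 'nfs_allowed' says whether the referenced profile
    explicitly permits an nfs4 mount.
    """
    profile = None
    for raw in conf_text.splitlines():
        m = PROFILE_LINE.match(raw.strip())
        if m:
            profile = m.group(1)
    policy = profiles.get(profile)
    return {
        "profile": profile,
        "unconfined": profile == "unconfined",
        "nfs_allowed": policy is not None and fstype_allowed(policy, "nfs4"),
    }


def audit_all(configs: dict, profile_texts: list) -> dict:
    """Run audit_container over every config, keyed by config file name."""
    profiles = {}
    for text in profile_texts:
        p = parse_mount_rules(text)
        profiles[p.name] = p
    return {name: audit_container(text, profiles) for name, text in configs.items()}


if __name__ == "__main__":
    for name, r in audit_all(SAMPLE_CONFIGS, [PROFILE_TEXT]).items():
        state = "UNCONFINED" if r["unconfined"] else ("nfs allowed" if r["nfs_allowed"] else "no nfs rule")
        print(f"{name}: profile={r['profile'] or 'default'} -> {state}")
```

On a real host you would feed audit_all the contents of the container config files and the custom profile files under /etc/apparmor.d/lxc instead of the constructed samples; a container reported as UNCONFINED is the one to look at first, since the narrow nfs*/cifs exception above keeps every other restriction of the base profile in place while lxc.apparmor.profile: unconfined drops all of them.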