apparmor denied mount on nfs share in container

sdpve

Member
Mar 10, 2018
I have an lxc container that I want to run nextcloud in. I got nextcloud to work under normal configuration. However, it does not work when I changed the nextcloud home directory to an nfs mounted directory. I think it's an apparmor misconfiguration because I get the following errors.

[Mon Dec 31 02:04:03 2018] device veth104i0 left promiscuous mode
[Mon Dec 31 02:04:03 2018] audit: type=1400 audit(1546221845.749:237): apparmor="STATUS" operation="profile_remove" profile="/usr/bin/lxc-start" name="lxc-104_</var/lib/lxc>" pid=5023 comm="apparmor_parser"
[Mon Dec 31 02:04:05 2018] EXT4-fs (dm-15): mounted filesystem with ordered data mode. Opts: (null)
[Mon Dec 31 02:04:05 2018] audit: type=1400 audit(1546221847.157:238): apparmor="STATUS" operation="profile_load" profile="/usr/bin/lxc-start" name="lxc-104_</var/lib/lxc>" pid=5055 comm="apparmor_parser"
[Mon Dec 31 02:04:05 2018] IPv6: ADDRCONF(NETDEV_UP): veth104i0: link is not ready
[Mon Dec 31 02:04:05 2018] netlink: 'ovs-vswitchd': attribute type 5 has an invalid length.
[Mon Dec 31 02:04:05 2018] device veth104i0 entered promiscuous mode
[Mon Dec 31 02:04:05 2018] eth0: renamed from vethH1HU7K
[Mon Dec 31 02:04:05 2018] audit: type=1400 audit(1546221847.757:239): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-104_</var/lib/lxc>" name="/run/rpc_pipefs/" pid=5184 comm="mount" fstype="rpc_pipefs" srcname="sunrpc"
[Mon Dec 31 02:04:05 2018] audit: type=1400 audit(1546221847.773:240): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-104_</var/lib/lxc>" name="/" pid=5195 comm="(networkd)" flags="rw, rslave"
[Mon Dec 31 02:04:05 2018] IPv6: ADDRCONF(NETDEV_UP): eth0: link is not ready
[Mon Dec 31 02:04:05 2018] IPv6: ADDRCONF(NETDEV_CHANGE): eth0: link becomes ready
[Mon Dec 31 02:04:05 2018] audit: type=1400 audit(1546221847.825:241): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-104_</var/lib/lxc>" name="/" pid=5232 comm="(resolved)" flags="rw, rslave"
[Mon Dec 31 02:04:05 2018] audit: type=1400 audit(1546221847.993:242): apparmor="STATUS" operation="profile_replace" info="not policy admin" error=-13 label="lxc-104_</var/lib/lxc>//&:lxc-104_<-var-lib-lxc>:unconfined" pid=5287 comm="apparmor_parser"
[Mon Dec 31 02:04:06 2018] audit: type=1400 audit(1546221848.041:243): apparmor="STATUS" operation="profile_replace" info="not policy admin" error=-13 label="lxc-104_</var/lib/lxc>//&:lxc-104_<-var-lib-lxc>:unconfined" pid=5284 comm="apparmor_parser"
[Mon Dec 31 02:04:06 2018] audit: type=1400 audit(1546221848.193:244): apparmor="STATUS" operation="profile_replace" info="not policy admin" error=-13 label="lxc-104_</var/lib/lxc>//&:lxc-104_<-var-lib-lxc>:unconfined" pid=5301 comm="apparmor_parser"
[Mon Dec 31 02:04:06 2018] audit: type=1400 audit(1546221848.221:245): apparmor="STATUS" operation="profile_replace" info="not policy admin" error=-13 label="lxc-104_</var/lib/lxc>//&:lxc-104_<-var-lib-lxc>:unconfined" pid=5296 comm="apparmor_parser"
[Mon Dec 31 02:04:06 2018] kauditd_printk_skb: 4 callbacks suppressed
[Mon Dec 31 02:04:06 2018] audit: type=1400 audit(1546221848.781:250): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-104_</var/lib/lxc>" name="/" pid=5445 comm="(an-start)" flags="rw, rslave"
[Mon Dec 31 02:04:06 2018] audit: type=1400 audit(1546221848.789:251): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-104_</var/lib/lxc>" name="/" pid=5448 comm="(sh)" flags="rw, rslave"
[Mon Dec 31 02:04:07 2018] audit: type=1400 audit(1546221849.565:252): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-104_</var/lib/lxc>" name="/" pid=5650 comm="(pachectl)" flags="rw, rslave"

The configuration:
Code:
arch: amd64
cores: 1
features: mount=nfs;nfs
hostname: cloud
memory: 512
net0: name=eth0,bridge=vmbr0,hwaddr=FF:21:C1:DD:4B:25,ip=dhcp,tag=40,type=veth
ostype: ubuntu
parent: nextcloud
rootfs: local-lvm:vm-104-disk-1,size=2G
swap: 512
lxc.cgroup.devices.allow: c 10:200 rwm
lxc.hook.autodev: sh -c "modprobe tun; cd ${LXC_ROOTFS_MOUNT}/dev; mkdir net; mknod net/tun c 10 200; chmod 0666 net/tun"
#lxc.apparmor.profile: unconfined

I used to have the "unconfined" apparmor profile, but that wasn't working. So then after some researching I found out I could upgrade proxmox and use "features: nfs" instead. That is where I am at now.

My pve info:
# hostname
pve

# pveversion --verbose
proxmox-ve: 5.3-1 (running kernel: 4.15.18-9-pve)
pve-manager: 5.3-6 (running version: 5.3-6/37b3c8df)
pve-kernel-4.15: 5.2-12
pve-kernel-4.15.18-9-pve: 4.15.18-30
pve-kernel-4.13.13-2-pve: 4.13.13-33
corosync: 2.4.4-pve1
criu: 2.11.1-1~bpo90
glusterfs-client: 3.8.8-1
ksm-control-daemon: 1.2-2
libjs-extjs: 6.0.1-2
libpve-access-control: 5.1-3
libpve-apiclient-perl: 2.0-5
libpve-common-perl: 5.0-43
libpve-guest-common-perl: 2.0-18
libpve-http-server-perl: 2.0-11
libpve-storage-perl: 5.0-34
libqb0: 1.0.3-1~bpo9
lvm2: 2.02.168-pve6
lxc-pve: 3.0.2+pve1-5
lxcfs: 3.0.2-2
novnc-pve: 1.0.0-2
openvswitch-switch: 2.7.0-3
proxmox-widget-toolkit: 1.0-22
pve-cluster: 5.0-31
pve-container: 2.0-31
pve-docs: 5.3-1
pve-edk2-firmware: 1.20181023-1
pve-firewall: 3.0-16
pve-firmware: 2.0-6
pve-ha-manager: 2.0-5
pve-i18n: 1.0-9
pve-libspice-server1: 0.14.1-1
pve-qemu-kvm: 2.12.1-1
pve-xtermjs: 1.0-5
qemu-server: 5.0-43
smartmontools: 6.5+svn4324-1
spiceterm: 3.0-5
vncterm: 1.5-3
zfsutils-linux: 0.7.12-pve1~bpo1

That error makes me think I need to install apache2 (or some apache2 util) on proxmox. Is that a requirement? I got it to work without it on the regular /var/www/ path, but perhaps changing the user directory calls some other util I need?

I changed the nextcloud home dir by stopping apache2 in the LXC and moving the nextcloud/data directory to the mounted nfs directory, then making nextcloud/data a symlink to it.

The NFS directory is mounted as follows (mtab).
omv:/services /srv/share/services nfs4 rw,relatime,vers=4.2,rsize=262144,wsize=262144,namlen=255,hard,proto=tcp,timeo=600,retrans=2,sec=sys,clientaddr=192.168.1.29,local_lock=none,addr=192.168.2.27 0 0

The nfs server exports that directory as :
/export/services (fsid=9,rw,subtree_check,insecure,all_squash,anonuid=1000,anongid=100)
# NFSv4 - pseudo filesystem root
/export (ro,fsid=0,root_squash,no_subtree_check,hide)
User 1000 is the owner of the nfs share on the nfs server. The client is ubuntu 17.10 and using www-data user (id=33), but I believe because of the "all_squash, anonuid and anongid" settings that it should not be a permissions problem. Also, I was able to change into www-data user (sudo su -l www-data -s /bin/bash) and touch a file on that directory to confirm.

So am I missing a util on proxmox, or am I missing an apparmor configuration, or something else? I admit I am not familiar with apparmor or what it is doing for nfs shares. I did search and my searches returned using the "unconfined" profile or making a new profile. Unconfined did not work, and I believe that the apparmor profile setting is deprecated now that the "features" setting is here, so I have not tried creating a new apparmor profile.
TIA
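As an added example (not from the original post or from Proxmox), here is a small Python parser that pulls the apparmor="DENIED" mount events out of dmesg output like the log above and groups them by filesystem type, mount target and flags, so you can see exactly which mounts the container profile is refusing (in this log: the rpc_pipefs mount for sunrpc that NFSv4 needs, plus the "rw, rslave" remounts of / that systemd service units attempt). The sample lines are copied from the post; the function names are this example's own.

```python
import re
from collections import Counter

# Constructed sample input: four dmesg lines taken from the post above.
SAMPLE_DMESG = """\
[Mon Dec 31 02:04:05 2018] audit: type=1400 audit(1546221847.157:238): apparmor="STATUS" operation="profile_load" profile="/usr/bin/lxc-start" name="lxc-104_</var/lib/lxc>" pid=5055 comm="apparmor_parser"
[Mon Dec 31 02:04:05 2018] audit: type=1400 audit(1546221847.757:239): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-104_</var/lib/lxc>" name="/run/rpc_pipefs/" pid=5184 comm="mount" fstype="rpc_pipefs" srcname="sunrpc"
[Mon Dec 31 02:04:05 2018] audit: type=1400 audit(1546221847.773:240): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-104_</var/lib/lxc>" name="/" pid=5195 comm="(networkd)" flags="rw, rslave"
[Mon Dec 31 02:04:06 2018] audit: type=1400 audit(1546221848.781:250): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-104_</var/lib/lxc>" name="/" pid=5445 comm="(an-start)" flags="rw, rslave"
"""

# key=value or key="value"; quoted values may contain spaces (flags="rw, rslave")
# and angle brackets (profile="lxc-104_</var/lib/lxc>"), so match quotes first.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_audit_line(line):
    """Return the key=value fields of one AppArmor audit line as a dict, or None
    if the line is not an AppArmor record (e.g. the veth/IPv6 messages)."""
    if 'apparmor="' not in line:
        return None
    # findall gives '' for the group that did not match, so take whichever is set
    return {key: quoted or unquoted for key, quoted, unquoted in KV_RE.findall(line)}


def denied_mounts(text):
    """Keep only DENIED mount events, reduced to the fields a profile rule is
    written in terms of: filesystem type, mount target and mount flags."""
    events = []
    for line in text.splitlines():
        rec = parse_audit_line(line)
        if rec and rec.get("apparmor") == "DENIED" and rec.get("operation") == "mount":
            events.append({
                "profile": rec.get("profile"),
                "target": rec.get("name"),
                "fstype": rec.get("fstype"),   # absent for the remounts of /
                "flags": rec.get("flags"),     # absent for the rpc_pipefs mount
                "comm": rec.get("comm"),
            })
    return events


def summarize(events):
    """Count distinct (fstype, target, flags) triples; each distinct triple is one
    mount the profile blocks and therefore one decision to make about the profile."""
    return Counter((e["fstype"], e["target"], e["flags"]) for e in events)


if __name__ == "__main__":
    for key, n in summarize(denied_mounts(SAMPLE_DMESG)).items():
        print(n, key)
```

Run it against `dmesg` output captured from the host while starting the container; a triple that keeps appearing after a config change tells you that change did not reach the profile the container is actually running under.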
 
