Is mounting nfs4 not possible inside privileged container due to apparmor? (nfs works fine)

akovano

Jan 30, 2022
I have the feature "nfs" enabled via the gui.
I can mount an nfs share fine, for example this command works fine:
mount -t nfs 10.10.10.10:/mnt/data/files /mnt/files

But if I try the same command using nfs4:
mount -t nfs4 10.10.10.10:/mnt/data/files /mnt/files

I see a denied error in syslog due to apparmor:

Jan 30 05:42:43 plex kernel: [510314.071512] audit: type=1400 audit(1643521363.429:147): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-105_</var/lib/lxc>" name="/mnt/files/" pid=1207314 comm="mount.nfs4" fstype="nfs4" srcname="10.10.10.10:/mnt/data/files"

I'm assuming this is because the fstype is "nfs4" and the configs show "nfs" is allowed.

If I check the file mentioned in the log, /var/lib/lxc/105/apparmor/lxc-105_<-var-lib-lxc>, at the very bottom of the file it only lists "mount fstype=nfs" and not nfs4.

  deny mount -> /proc/,
  deny mount -> /sys/,
  mount fstype=nfs,
}

Also, same with the "config" file in /var/lib/lxc/105; I see only fstype=nfs:
lxc.apparmor.raw = mount fstype=nfs,

Is mounting with nfs4 not possible?
 
You don't have to specify the version; you can check to be sure with the command: df -T
 
Sorry to resurrect this thread but, though my experience is slightly different from the OP, it does seem to validate his initial statement that mounting an NFS share via NFS 4 doesn't seem to be allowed by apparmor in a privileged LXC.

Just like the OP, I have a privileged container with the NFS flag enabled via the GUI, using the default Debian 11 LXC template. I'm unable to mount an NFS share from my TrueNAS server unless I force the nfs client to use version 3 (via the option nfsvers=3) in the mount command. This is on the latest Proxmox 7.1 release.

So this works inside the LXC:

Bash:
mount -t nfs -o nfsvers=3 10.10.10.10:/mnt/zpool/files /mnt/files

But this doesn't, because the LXC client defaults to using NFSv4:

Bash:
mount -t nfs 10.10.10.10:/mnt/zpool/files /mnt/files

I see the same apparmor audit message as the OP.

Everything else outside of LXC can mount the shares using NFS4 as the protocol just fine.
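
Added example (not code from any poster in this thread or from Proxmox): a small triage script that parses the audit record quoted in the first post and checks whether the denied fstype is named by any allow-type mount rule in the profile tail or the lxc.apparmor.raw line. It compares fstype names only and does not model AppArmor's flag or option matching; the function names are hypothetical.

```python
import re

# Audit record as quoted in the first post of this thread.
AUDIT_LINE = ('Jan 30 05:42:43 plex kernel: [510314.071512] audit: type=1400 '
              'audit(1643521363.429:147): apparmor="DENIED" operation="mount" '
              'info="failed flags match" error=-13 profile="lxc-105_</var/lib/lxc>" '
              'name="/mnt/files/" pid=1207314 comm="mount.nfs4" fstype="nfs4" '
              'srcname="10.10.10.10:/mnt/data/files"')

# Tail of the generated profile plus the container config line, as quoted in the first post.
PROFILE_TAIL = """
  deny mount -> /proc/,
  deny mount -> /sys/,
  mount fstype=nfs,
}
lxc.apparmor.raw = mount fstype=nfs,
"""

def parse_audit(line):
    """Return the key=value fields of an AppArmor audit record as a dict."""
    pairs = re.findall(r'(\w+)=(?:"([^"]*)"|(\S+))', line)
    return {key: quoted or bare for key, quoted, bare in pairs}

def allowed_fstypes(profile_text):
    """Collect fstypes named by allow-type mount rules; deny rules are skipped."""
    allowed = set()
    for raw in profile_text.splitlines():
        rule = raw.split("#", 1)[0].strip()
        if rule.startswith("lxc.apparmor.raw"):      # LXC config form of a raw rule
            rule = rule.split("=", 1)[1].strip()
        if not rule.startswith("mount"):
            continue
        # Handles fstype=nfs, fstype=(nfs,nfs4) and fstype in (nfs, nfs4).
        m = re.search(r'fstype\s*(?:=|in)\s*(\([^)]*\)|[^\s,]+)', rule)
        if m:
            allowed.update(t for t in re.split(r'[\s,()]+', m.group(1)) if t)
    return allowed

def triage(audit_line, profile_text):
    """Summarise a mount denial against the fstypes the profile names."""
    rec, allowed = parse_audit(audit_line), allowed_fstypes(profile_text)
    return {"profile": rec.get("profile"), "denied_fstype": rec.get("fstype"),
            "kernel_info": rec.get("info"), "allowed_fstypes": sorted(allowed),
            "fstype_named_in_rules": rec.get("fstype") in allowed}

if __name__ == "__main__":
    for key, value in triage(AUDIT_LINE, PROFILE_TAIL).items():
        print(f"{key}: {value}")
```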