Is mounting nfs4 not possible inside privileged container due to apparmor? (nfs works fine)

akovano
Jan 30, 2022
I have the feature "nfs" enabled via the gui.
I can mount an nfs share fine, for example this command works fine:
mount -t nfs 10.10.10.10:/mnt/data/files /mnt/files

But if I try the same command using nfs4:
mount -t nfs4 10.10.10.10:/mnt/data/files /mnt/files

I see a denied error in syslog due to apparmor:

Jan 30 05:42:43 plex kernel: [510314.071512] audit: type=1400 audit(1643521363.429:147): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-105_</var/lib/lxc>" name="/mnt/files/" pid=1207314 comm="mount.nfs4" fstype="nfs4" srcname="10.10.10.10:/mnt/data/files"

I'm assuming this is because the fstype is "nfs4" and the configs show "nfs" is allowed.

If I check the file mentioned in the log, /var/lib/lxc/105/apparmor/lxc-105_<-var-lib-lxc>, at the very bottom of the file it only lists "mount fstype=nfs" and not nfs4.

deny mount -> /proc/,
deny mount -> /sys/,
mount fstype=nfs,
}

Also same with the "config" file in /var/lib/lxc/105 I see only fstype=nfs:
lxc.apparmor.raw = mount fstype=nfs,

Is mounting with nfs4 not possible?
 
You don't have to specify the version. You can check to be sure with the command: df -T
 
Thanks, I see it did mount with nfs4 when mounting with the "nfs" command. Will remember that next time, thanks!
 
Sorry to resurrect this thread but, though my experience is slightly different from the OP, it does seem to validate his initial statement that mounting an NFS share via NFS 4 doesn't seem to be allowed by apparmor in a privileged LXC.

Just like the OP, I have a privileged container with the NFS flag enabled via the GUI, using the default Debian 11 LXC template. I'm unable to mount an NFS share from my TrueNAS server unless I force the nfs client to use version 3 (via the option nfsvers=3) in the mount command. This is on the latest Proxmox 7.1 release.

So this works inside the LXC:

Bash:
mount -t nfs -o nfsvers=3 10.10.10.10:/mnt/zpool/files /mnt/files

But this doesn't, because the LXC client defaults to using NFSv4:

Bash:
mount -t nfs 10.10.10.10:/mnt/zpool/files /mnt/files

I see the same apparmor audit message as the OP.

Everything else outside of LXC can mount the shares using NFS4 as the protocol just fine.
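
The comparison both posters do by eye (the fstype in the AppArmor denial against the fstypes named in the container's lxc.apparmor.raw rules) can be scripted. This is an added example, not code from the thread or from Proxmox; the function names are hypothetical, the sample input is constructed from the lines quoted in the first post, and it only tests whether an fstype rule exists, not the mount flags that the "failed flags match" text refers to.

```python
import re

# Constructed sample input: the audit line quoted in the first post and the
# lxc.apparmor.raw line from /var/lib/lxc/105/config, embedded to run offline.
AUDIT_LINE = (
    'Jan 30 05:42:43 plex kernel: [510314.071512] audit: type=1400 '
    'audit(1643521363.429:147): apparmor="DENIED" operation="mount" '
    'info="failed flags match" error=-13 profile="lxc-105_</var/lib/lxc>" '
    'name="/mnt/files/" pid=1207314 comm="mount.nfs4" fstype="nfs4" '
    'srcname="10.10.10.10:/mnt/data/files"'
)
LXC_CONFIG = "lxc.apparmor.raw = mount fstype=nfs,\n"

def parse_audit(line):
    """Return the key=value fields of an AppArmor audit record, unquoted."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}

def allowed_fstypes(config_text):
    """Collect fstypes named by 'mount fstype=...' rules in lxc.apparmor.raw."""
    allowed = set()
    for line in config_text.splitlines():
        key, _, rule = line.partition("=")
        if key.strip() != "lxc.apparmor.raw" or rule.split()[:1] != ["mount"]:
            continue  # other config keys, or deny/non-mount raw rules
        # Handles fstype=nfs and the parenthesised list form fstype=(nfs,nfs4).
        m = re.search(r'fstype\s*=\s*(\([^)]*\)|[\w.]+)', rule)
        if m:
            allowed.update(t for t in re.split(r'[\s,()]+', m.group(1)) if t)
    return allowed

def explain_denial(audit_line, config_text):
    """For a denied mount, report whether its fstype has any allow rule."""
    rec = parse_audit(audit_line)
    if rec.get("apparmor") != "DENIED" or rec.get("operation") != "mount":
        return None  # not an AppArmor mount denial
    fstype = rec.get("fstype")
    allowed = allowed_fstypes(config_text)
    return {"profile": rec.get("profile"), "fstype": fstype,
            "allowed": sorted(allowed), "fstype_has_rule": fstype in allowed}

if __name__ == "__main__":
    print(explain_denial(AUDIT_LINE, LXC_CONFIG))
```
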
 