LXC NFS PVE 4.2-60 (running kernel: 4.4.15-1-pve)

[antoniormjr]

Hello everyone, after updating my Proxmox to version 4.2-60 (running kernel: 4.4.15-1-pve) my LXC containers are not riding over NFS shares. Currently use the NFS mount adding fstype = nfs in /etc/apparmor.d/lxc/lxc-default-with-mounting and /etc/apparmor.d/lxc/lxc-default files.
The error that displays the LXC when trying to mount the NFS: mount-nfs: access denied by server while mounting

 

[dcsapak]

have you rebooted your host after updating to the new kernel?

 

[antoniormjr]

Yes, I restarted my host server after the kernel upgrade. Below description of the image.
Tks

 

[zima]

I'm using [mount fstype=cifs] and [mount fstype=nfs] in custom apparmor profile and mounting nfs from fstab - everything working ok on 4.4.15-1

 

[antoniormjr]

I have changed the /etc/apparmor.d/lxc/lxc-default files and /etc/apparmor.d/lxc/lxc-default-with-mounting including [mount fstype = nfs]. Would any other file that is missing to configure NFS?

 

[zima]

only [mount fstype=nfs] is needed. This looks like nfs server side error - look maybe there.

 

[antoniormjr]

Zima when I change to another server Proxmox pve-manager: 4.2-2 (running version: 4.2-2 / 725d76f0) pve-kernel-3.19.8-1-pve: 3.19.8-3 NFS within the fstab my container it works correctly. For this reason I believe that is a BUG as yesterday updated my servers and today presented this problem. Thanks for listening.

 

[antoniormjr]

Zima discovered the problem. I ran the following command (cat / var / log / messages | grep audit) and found the following error [Aug 9 17:49:15 server kernel: [64087.571679] audit: type = 1400 audit (1470775755.523: 62): apparmor = " DENIED "operation =" mount "info =" failed match type "error = -13 profile =" lxc-container-default-cgns "name =" / run / rpc_pipefs / "pid = 3078 comm =" mount "fstype =" rpc_pipefs "srcname =" sunrpc "flags =" ro "] added to [mount fstype = nfs in the xc-container-default-cgns file and it worked.
Good that on your server did not present the same mistake !
Thank you.

 

[zima]

log from container without specified apparmor profile (no lxc.aa_profile: in container conf). I upgraded proxmox at 18:00 today

Aug 9 06:26:29 dreadnought kernel: [1548710.957186] audit: type=1400 audit(1470716789.218:485): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-container-default" name="/" pid=56160 comm="mount" flags="ro, remount, relatime"

in new version we see:
Aug 9 23:17:03 dreadnought kernel: [10334.313232] audit: type=1400 audit(1470777423.458:44): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-container-default-cgns" name="/" pid=8603 comm="mount" flags="ro, remount, relatime"

it looks like last update changed default apparmor profile from lxc-container-default to lxc-container-default-cgns. You wrote that you have nfs option in lxc-container-default but nfs stop working and in your logs we see the change of the profile name.

Why my nfs wasn't affected - beacuse i have my additional profile and option in container config overriding the default profile:
lxc.aa_profile: lxc-container-default-cifs-nfs