lxc NFS

dragon2611

It seems the default configuration blocks NFS mounts from within the LXC containers.

Although thankfully easy enough to fix.

On the Proxmox host, add

mount fstype=nfs,

to

/etc/apparmor.d/lxc/lxc-default-with-mounting

then reload AppArmor:

service apparmor reload

Edit:

Weird, this worked yesterday, but to get it to work again today I had to add that to lxc-default as well.
 
I can confirm this for Proxmox 4.1.

I tried adding mount fstype=nfs in lxc-default-with-mounting and it doesn't work.

Adding the same config in lxc-default works like a charm.

Is this a bug? Is the file with-mounting not being included?
 
For mounting NFS file systems and running nfs-server from within an LXC container on Proxmox 5:

Code:
sed -i '$ i\  mount fstype=nfs,\n  mount fstype=nfs4,\n  mount fstype=nfsd,\n  mount fstype=rpc_pipefs,' /etc/apparmor.d/lxc/lxc-default-cgns && systemctl reload apparmor
 
Did something change in Proxmox 5? I can't get it to mount in an LXC container using the steps from above. I keep seeing:

[194697.116353] audit: type=1400 audit(1544903181.369:142): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-105_</var/lib/lxc>" name="/media/Beast/home6/" pid=30053 comm="mount.nfs" fstype="nfs" srcname="1.2.3.4:/home6/user" flags="rw, relatime"
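
An added example, not part of the original posts: a small Python parser for AppArmor audit lines like the one quoted above. It lists each denied mount together with the `profile=` value from the denial, which names the profile that was confining the process and is therefore the one to check for a matching `mount` rule. The second sample line is constructed, and the function names are this example's own.

```python
import re
from collections import Counter

# Sample input: line 1 is the denial quoted in the post above;
# line 2 is a constructed non-mount denial, included to show filtering.
SAMPLE_LOG = '''\
[194697.116353] audit: type=1400 audit(1544903181.369:142): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-105_</var/lib/lxc>" name="/media/Beast/home6/" pid=30053 comm="mount.nfs" fstype="nfs" srcname="1.2.3.4:/home6/user" flags="rw, relatime"
[194700.000001] audit: type=1400 audit(1544903185.000:143): apparmor="DENIED" operation="open" profile="lxc-105_</var/lib/lxc>" name="/proc/sysrq-trigger" pid=30060 comm="cat" requested_mask="w" denied_mask="w"
'''

# key="quoted value" or key=bare_value; quoted values may hold spaces and commas
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_audit_line(line):
    """Return the key/value fields of one AppArmor audit line as a dict."""
    return {key: quoted or bare for key, quoted, bare in FIELD_RE.findall(line)}


def denied_mounts(log_text):
    """Yield the parsed fields of every AppArmor mount denial in log_text."""
    for line in log_text.splitlines():
        fields = parse_audit_line(line)
        if fields.get("apparmor") == "DENIED" and fields.get("operation") == "mount":
            yield fields


def summarize(log_text):
    """Count mount denials per (profile, fstype, flags, info)."""
    return Counter(
        (f.get("profile"), f.get("fstype"), f.get("flags"), f.get("info"))
        for f in denied_mounts(log_text)
    )


if __name__ == "__main__":
    for (profile, fstype, flags, info), count in summarize(SAMPLE_LOG).items():
        print(f"{count}x profile={profile} fstype={fstype} "
              f"flags={flags!r} info={info!r}")
```
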
 
Did something change in Proxmox 5?
Possibly. :)

Here is how I configured containers.

The file /etc/apparmor.d/lxc/lxc-container-default-with-nfs contains the following:

Code:
# Do not load this file.  Rather, load /etc/apparmor.d/lxc-containers, which
# will source all profiles under /etc/apparmor.d/lxc

profile lxc-container-default-with-nfs flags=(attach_disconnected,mediate_deleted) {
  #include <abstractions/lxc/container-base>
  
  # the container may never be allowed to mount devpts.  If it does, it
  # will remount the host's devpts.  We could allow it to do it with
  # the newinstance option (but, right now, we don't).
  deny mount fstype=devpts,
  mount fstype=cgroup -> /sys/fs/cgroup/**,
  mount fstype=nfs,
  mount fstype=nfs4,
  mount fstype=nfsd,
  mount fstype=rpc_pipefs,
}

The new apparmor configuration is reloaded with systemctl reload apparmor.