lxc NFS

dragon2611

It seems the default configuration blocks NFS mounts from within the LXC containers.

Although thankfully easy enough to fix.

On the Proxmox host

add

mount fstype=nfs,

to


/etc/apparmor.d/lxc/lxc-default-with-mounting

then reload apparmor
service apparmor reload

Edit:

Weird, this worked yesterday, but to get it to work again today I had to add that to lxc-default as well.
 

lince

I can confirm this for proxmox 4.1.

I tried adding mount fstype=nfs in lxc-default-with-mounting and it doesn't work.

Adding the same config in lxc-default works like a charm.

Is this a bug? Is the file with-mounting not being included?
 

Andrei ZeeGiant

Worked fine for me on Proxmox 4.4 in `/etc/apparmor.d/lxc/lxc-default-with-mounting` using:

mount fstype=nfs*,
 

gsupp

For mounting NFS file systems and running nfs-server from within an LXC container on Proxmox 5:

Code:
sed -i '$ i\  mount fstype=nfs,\n  mount fstype=nfs4,\n  mount fstype=nfsd,\n  mount fstype=rpc_pipefs,' /etc/apparmor.d/lxc/lxc-default-cgns && systemctl reload apparmor
 

Andrei ZeeGiant

Did something change in Proxmox 5? I can't get it to mount in an LXC container using the steps from above. I keep seeing:

[194697.116353] audit: type=1400 audit(1544903181.369:142): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-105_</var/lib/lxc>" name="/media/Beast/home6/" pid=30053 comm="mount.nfs" fstype="nfs" srcname="1.2.3.4:/home6/user" flags="rw, relatime"
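
Added example, not part of the original posts: a small Python parser for kernel audit lines like the one quoted above. It reports, for each AppArmor mount denial, the profile that enforced it, the filesystem type, the flags and the reason, which shows which loaded profile actually needs the mount rule. The second and third sample lines and all function names are constructed for this example.

```python
import re
from collections import defaultdict

# Constructed sample: line 1 is the denial quoted in the thread; lines 2-3 are
# made up for this example (a second profile, and an unrelated non-mount denial).
SAMPLE_LOG = r'''
[194697.116353] audit: type=1400 audit(1544903181.369:142): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-105_</var/lib/lxc>" name="/media/Beast/home6/" pid=30053 comm="mount.nfs" fstype="nfs" srcname="1.2.3.4:/home6/user" flags="rw, relatime"
[194701.000001] audit: type=1400 audit(1544903185.100:143): apparmor="DENIED" operation="mount" info="failed type match" error=-13 profile="lxc-container-default-cgns" name="/mnt/share/" pid=30110 comm="mount.nfs" fstype="nfs4" srcname="192.0.2.10:/share" flags="rw"
[194702.000002] audit: type=1400 audit(1544903186.200:144): apparmor="DENIED" operation="open" profile="lxc-container-default-cgns" name="/proc/sysrq-trigger" pid=30200 comm="cat" requested_mask="w" denied_mask="w"
'''

# key=value pairs; values are either double-quoted (may contain spaces) or bare.
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_mount_denial(line):
    """Return the fields of an AppArmor mount denial, or None for other lines."""
    fields = {k: (q if b == "" else b) for k, q, b in FIELD.findall(line)}
    if fields.get("apparmor") != "DENIED" or fields.get("operation") != "mount":
        return None
    flags = [f.strip() for f in fields.get("flags", "").split(",") if f.strip()]
    return {
        "profile": fields.get("profile", ""),
        "fstype": fields.get("fstype", ""),
        "target": fields.get("name", ""),
        "source": fields.get("srcname", ""),
        "reason": fields.get("info", ""),
        "flags": flags,
    }


def mount_denials(log_text):
    """Parse every line of a log excerpt and keep only the mount denials."""
    return [r for r in map(parse_mount_denial, log_text.splitlines()) if r]


def by_profile(records):
    """Group denied filesystem types under the profile that enforced them."""
    grouped = defaultdict(set)
    for r in records:
        grouped[r["profile"]].add(r["fstype"])
    return {p: sorted(t) for p, t in grouped.items()}


if __name__ == "__main__":
    for rec in mount_denials(SAMPLE_LOG):
        print("{profile}: fstype={fstype} target={target} "
              "flags={flags} ({reason})".format(**rec))
```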
 
Apr 26, 2018
89
4
8
Did something change in Proxmox 5?
Possibly. :)

Here is how I configured containers.

/etc/apparmor.d/lxc/lxc-container-default-with-nfs contains the following:

Code:
# Do not load this file.  Rather, load /etc/apparmor.d/lxc-containers, which
# will source all profiles under /etc/apparmor.d/lxc

profile lxc-container-default-with-nfs flags=(attach_disconnected,mediate_deleted) {
  #include <abstractions/lxc/container-base>
  
  # the container may never be allowed to mount devpts.  If it does, it
  # will remount the host's devpts.  We could allow it to do it with
  # the newinstance option (but, right now, we don't).
  deny mount fstype=devpts,
  mount fstype=cgroup -> /sys/fs/cgroup/**,
  mount fstype=nfs,
  mount fstype=nfs4,
  mount fstype=nfsd,
  mount fstype=rpc_pipefs,
}
The new apparmor configuration is reloaded with systemctl reload apparmor.
 
