1. dragon2611

    It seems the default configuration blocks NFS mounts from within the LXC containers, although thankfully it is easy enough to fix.

    On the Proxmox host, add

    mount fstype=nfs,

    to /etc/apparmor.d/lxc/lxc-default-with-mounting, then reload AppArmor:

    service apparmor reload

    Edit:

    Weird, this worked yesterday, but to get it to work again today I had to add that to lxc-default as well.
     
    #1 dragon2611, Oct 3, 2015
    Last edited: Oct 4, 2015
  2. hregis

    Thank you a lot!! :p
     
  3. lince

    I can confirm this for Proxmox 4.1.

    I tried adding mount fstype=nfs in lxc-default-with-mounting and it doesn't work.

    Adding the same config in lxc-default works like a charm.

    Is this a bug? Is the with-mounting file not being included?
     
  4. Andrei ZeeGiant

    Worked fine for me on Proxmox 4.4 in `/etc/apparmor.d/lxc/lxc-default-with-mounting` using:

    mount fstype=nfs*,
     
  5. gsupp

    For mounting NFS file systems and running nfs-server from within an LXC container on Proxmox 5:

    Code:
    sed -i '$ i\  mount fstype=nfs,\n  mount fstype=nfs4,\n  mount fstype=nfsd,\n  mount fstype=rpc_pipefs,' /etc/apparmor.d/lxc/lxc-default-cgns && systemctl reload apparmor
     
  6. upnort

    Thanks for the info!

    I need to support NFS in an LXC container. What are the security implications of creating this apparmor profile?
     
  7. Andrei ZeeGiant

    Did something change in Proxmox 5? I can't get it to mount in an LXC container using the steps from above. I keep seeing:

    [194697.116353] audit: type=1400 audit(1544903181.369:142): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-105_</var/lib/lxc>" name="/media/Beast/home6/" pid=30053 comm="mount.nfs" fstype="nfs" srcname="1.2.3.4:/home6/user" flags="rw, relatime"
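
Added example (not part of any post in this thread): a Python sketch that parses AppArmor audit lines like the one quoted in post #7 and reports, for each denied mount, the `profile=` name the kernel logged, the `fstype`, the `info` string, and whether that profile is one the admin actually edited. The function names, the `edited_profiles` set and the second and third sample lines are assumptions constructed for illustration.

```python
import re
from collections import Counter

# key=value or key="value" pairs as they appear in kernel audit records.
PAIR = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# First line is the record quoted in post #7; the other two are constructed.
SAMPLE_LINES = [
    '[194697.116353] audit: type=1400 audit(1544903181.369:142): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-105_</var/lib/lxc>" name="/media/Beast/home6/" pid=30053 comm="mount.nfs" fstype="nfs" srcname="1.2.3.4:/home6/user" flags="rw, relatime"',
    '[194700.000001] audit: type=1400 audit(1544903184.000:143): apparmor="DENIED" operation="mount" info="failed type match" error=-13 profile="lxc-105_</var/lib/lxc>" name="/mnt/data/" pid=30100 comm="mount.nfs4" fstype="nfs4" srcname="192.0.2.10:/export" flags="rw"',
    '[194701.000001] audit: type=1400 audit(1544903185.000:144): apparmor="DENIED" operation="open" profile="lxc-105_</var/lib/lxc>" name="/sys/kernel/security/x" pid=30101 comm="cat" requested_mask="r" denied_mask="r"',
]


def parse_denial(line):
    """Return the fields of a DENIED mount record as a dict, else None."""
    fields = {}
    for key, quoted, bare in PAIR.findall(line):
        fields[key] = quoted if quoted else bare
    if fields.get("apparmor") != "DENIED" or fields.get("operation") != "mount":
        return None
    return fields


def summarize(lines, edited_profiles):
    """Count mount denials per (profile, fstype, info) and mark whether the
    profile the kernel enforced is one of the profiles that were edited."""
    counts = Counter()
    for line in lines:
        d = parse_denial(line)
        if d:
            key = (d.get("profile", "?"), d.get("fstype", "?"), d.get("info", "?"))
            counts[key] += 1
    return [
        {"profile": p, "fstype": f, "info": i, "count": n,
         "profile_was_edited": p in edited_profiles}
        for (p, f, i), n in sorted(counts.items())
    ]


if __name__ == "__main__":
    # Assumption: the admin edited the profile named in post #8.
    for row in summarize(SAMPLE_LINES, {"lxc-container-default-with-nfs"}):
        print(row)
```

A row with `profile_was_edited` set to false means the denial was raised under a profile other than the ones that were changed, which is worth checking before widening any mount rule.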
     
  8. upnort

    Possibly. :)

    Here is how I configured containers.

    /etc/apparmor.d/lxc/lxc-container-default-with-nfs contains the following:

    Code:
    # Do not load this file.  Rather, load /etc/apparmor.d/lxc-containers, which
    # will source all profiles under /etc/apparmor.d/lxc
    
    profile lxc-container-default-with-nfs flags=(attach_disconnected,mediate_deleted) {
      #include <abstractions/lxc/container-base>
      
      # the container may never be allowed to mount devpts.  If it does, it
      # will remount the host's devpts.  We could allow it to do it with
      # the newinstance option (but, right now, we don't).
      deny mount fstype=devpts,
      mount fstype=cgroup -> /sys/fs/cgroup/**,
      mount fstype=nfs,
      mount fstype=nfs4,
      mount fstype=nfsd,
      mount fstype=rpc_pipefs,
    }
    
    The new apparmor configuration is reloaded with systemctl reload apparmor.
     