lxc NFS

dragon2611

It seems the default configuration blocks NFS mounts from within the LXC containers.

Although thankfully easy enough to fix.

On the proxmox host

add

mount fstype=nfs,

to


/etc/apparmor.d/lxc/lxc-default-with-mounting

then reload apparmor
service apparmor reload

Edit:

Weird, this worked yesterday, but to get it to work again today I had to add that to lxc-default as well.
 
I can confirm this for proxmox 4.1.

I tried adding mount fstype=nfs in lxc-default-with-mounting and it doesn't work.

Adding the same config in lxc-default works like a charm.

Is this a bug? Is the file with-mounting not being included?
 
Worked fine for me on Proxmox 4.4 in `/etc/apparmor.d/lxc/lxc-default-with-mounting` using:

mount fstype=nfs*,
 
For mounting NFS file systems and running nfs-server from within a LXC container on Proxmox 5:

Code:
sed -i '$ i\  mount fstype=nfs,\n  mount fstype=nfs4,\n  mount fstype=nfsd,\n  mount fstype=rpc_pipefs,' /etc/apparmor.d/lxc/lxc-default-cgns && systemctl reload apparmor
 
Did something change in Proxmox 5? I can't get it to mount in a LXC container using the steps from above. I keep seeing:

[194697.116353] audit: type=1400 audit(1544903181.369:142): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-105_</var/lib/lxc>" name="/media/Beast/home6/" pid=30053 comm="mount.nfs" fstype="nfs" srcname="1.2.3.4:/home6/user" flags="rw, relatime"
 
Did something change in Proxmox 5?
Possibly. :)

Here is how I configured containers.

/etc/apparmor.d/lxc/lxc-container-default-with-nfs contains the following:

Code:
# Do not load this file.  Rather, load /etc/apparmor.d/lxc-containers, which
# will source all profiles under /etc/apparmor.d/lxc

profile lxc-container-default-with-nfs flags=(attach_disconnected,mediate_deleted) {
  #include <abstractions/lxc/container-base>
  
  # the container may never be allowed to mount devpts.  If it does, it
  # will remount the host's devpts.  We could allow it to do it with
  # the newinstance option (but, right now, we don't).
  deny mount fstype=devpts,
  mount fstype=cgroup -> /sys/fs/cgroup/**,
  mount fstype=nfs,
  mount fstype=nfs4,
  mount fstype=nfsd,
  mount fstype=rpc_pipefs,
}

The new apparmor configuration is reloaded with systemctl reload apparmor.
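
A triage helper for the denial and the rules discussed in this thread, as an added example that is not code from any poster or from Proxmox: it extracts the profile, fstype and reason from an AppArmor audit record and lists which requested fstypes have no plain `mount fstype=...,` allow rule in a profile file. The function names are hypothetical, and only the simple rule form used in the thread is recognized.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.

# Sample input: the denial record quoted earlier in the thread.
SAMPLE='[194697.116353] audit: type=1400 audit(1544903181.369:142): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-105_</var/lib/lxc>" name="/media/Beast/home6/" pid=30053 comm="mount.nfs" fstype="nfs" srcname="1.2.3.4:/home6/user" flags="rw, relatime"'

# audit_field KEY LINE -> value of KEY="..." in an audit record (empty if absent).
# The leading whitespace keeps "name" from matching inside "srcname".
audit_field() {
    printf '%s\n' "$2" | sed -n "s/.*[[:space:]]$1=\"\([^\"]*\)\".*/\1/p"
}

# describe_denial LINE -> one summary line for a DENIED mount record, else status 1.
describe_denial() {
    [ "$(audit_field apparmor "$1")" = "DENIED" ] || return 1
    [ "$(audit_field operation "$1")" = "mount" ] || return 1
    printf 'profile=%s fstype=%s reason=%s\n' \
        "$(audit_field profile "$1")" "$(audit_field fstype "$1")" \
        "$(audit_field info "$1")"
}

# missing_mount_rules FILE FSTYPE... -> prints each FSTYPE with no allow rule in FILE.
# Comment lines and "deny mount" rules are skipped; a glob such as nfs* is honoured.
# List forms like fstype=(a,b) are not parsed and are reported as missing.
missing_mount_rules() {
    file=$1; shift
    for t in "$@"; do
        found=no
        while IFS= read -r rule; do
            pat=${rule#*fstype=}      # text after "fstype="
            pat=${pat%%[ ,]*}         # cut at the first space or comma
            case $t in $pat) found=yes ;; esac
        done <<EOF
$(grep -E '^[[:space:]]*mount[[:space:]].*fstype=' "$file")
EOF
        [ "$found" = yes ] || printf '%s\n' "$t"
    done
}

describe_denial "$SAMPLE"
# Optional: pass a profile path as $1 to check it for the four fstypes from the thread.
if [ -n "${1:-}" ]; then
    missing_mount_rules "$1" nfs nfs4 nfsd rpc_pipefs
fi
```

The profile name in the denial identifies which loaded profile the container is actually confined by, which is the file whose rules need checking.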
 
