I'm trying to mount a CIFS share inside a Debian Bookworm LXC. I'm aware that in an unprivileged container this isn't "possible." However, I've seen threads dating back several years where people were able to make this happen. I'm trying the same now. I've tried adding the following to the ```/etc/apparmor.d/lxc/lxc-default``` file:
Code:
mount fstype=cifs
I've then reloaded the apparmor service:
Code:
systemctl reload apparmor.service
I then shut down and started the LXC. Next, I tried a systemctl mount file in my LXC using the following lines in ```/etc/systemd/system/mnt-music.mount```:
Code:
[Unit]
Description=Mount NAS01 Music share at boot
# After= only orders the unit; Wants= is what actually pulls network-online.target in
Wants=network-online.target
After=network-online.target

[Mount]
What=//nas01.local/music
Where=/mnt/music
Options=uid=1001,gid=10006,file_mode=0770,dir_mode=0770,credentials=/etc/smbcredentials_joltman,vers=3.0,iocharset=utf8,sec=ntlmssp
Type=cifs
TimeoutSec=30

[Install]
WantedBy=multi-user.target
I confirmed I can ping nas01.local from the LXC as well. I reloaded the systemctl daemon and tried to run the unit and received the following error:
Bash:
Feb 15 20:58:46 roon-server systemd[1]: Mounting mnt-music.mount - Mount NAS01 Music share at boot...
Feb 15 20:58:46 roon-server mount[531]: mount error(1): Operation not permitted
Feb 15 20:58:46 roon-server mount[531]: Refer to the mount.cifs(8) manual page (e.g. man mount.cifs) and kernel log messages >
Feb 15 20:58:46 roon-server systemd[1]: mnt-music.mount: Mount process exited, code=exited, status=32/n/a
Feb 15 20:58:46 roon-server systemd[1]: mnt-music.mount: Failed with result 'exit-code'.
Feb 15 20:58:46 roon-server systemd[1]: Failed to mount mnt-music.mount - Mount NAS01 Music share at boot.
I then removed the ```mount filetype=cifs``` from the lxc-default file and created a whole new apparmor profile file called ```lxc-container-default-with-cifs-nfs``` in the same apparmor directory. This is the contents of that file:
Code:
# Do not load this file. Rather, load /etc/apparmor.d/lxc-containers, which
# will source all profiles under /etc/apparmor.d/lxc
profile lxc-container-default-with-cifs-nfs flags=(attach_disconnected,mediate_deleted) {
  #include <abstractions/lxc/container-base>

  # allow standard blockdevtypes.
  # The concern here is in-kernel superblock parsers bringing down the
  # host with bad data. However, we continue to disallow proc, sys, securityfs,
  # etc to nonstandard locations.
  deny mount fstype=devpts,
  # The destination pattern has to cover the real mount point: "/mnt/" matches
  # only that directory itself, so a mount at /mnt/music needs "/mnt/**".
  mount fstype=cifs -> /mnt/**,
  mount fstype=rpc_pipefs,
  mount fstype=cgroup -> /sys/fs/cgroup/**,
  mount fstype=ext*,
  mount fstype=nfs*,
}
I reloaded the apparmor systemd unit and ran an ```aa-status``` and saw the new profile:
Code:
root@pve01:/etc/apparmor.d/lxc# aa-status
apparmor module is loaded.
25 profiles are loaded.
25 profiles are in enforce mode.
/usr/bin/lxc-copy
/usr/bin/lxc-start
/usr/bin/man
/usr/lib/NetworkManager/nm-dhcp-client.action
/usr/lib/NetworkManager/nm-dhcp-helper
/usr/lib/connman/scripts/dhclient-script
/usr/sbin/chronyd
/{,usr/}sbin/dhclient
lsb_release
lxc-100_</var/lib/lxc>
lxc-101_</var/lib/lxc>
lxc-110_</var/lib/lxc>
lxc-111_</var/lib/lxc>
lxc-container-default
lxc-container-default-cgns
lxc-container-default-with-cifs-nfs
lxc-container-default-with-mounting
lxc-container-default-with-nesting
man_filter
man_groff
nvidia_modprobe
nvidia_modprobe//kmod
pve-container-mounthotplug
...
I shut down/started the LXC container again and got the same result. I've tried adding the apparmor profile directly to the LXC conf file with the following line:
Code:
lxc.apparmor.profile: lxc-container-default-with-cifs-nfs
This caused the container to take a long time to boot and when it did, the mnt-music systemd unit showed the same error. I then tried using a straight ```mount``` line at the terminal. Same error.
I'd really like to get this working. I'm hoping it's something simple that I'm missing. I'd rather not go through the hassle of bind mounting and dealing with UID/GID mappings. I'd also rather not make this a privileged container as it will have a port exposed to the internet. Thanks for the help!
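The first thing worth pinning down in a case like this is whether AppArmor is the component saying no at all. An AppArmor mount denial fails the syscall with EACCES (mount.cifs prints "mount error(13): Permission denied") and leaves an apparmor="DENIED" operation="mount" audit line in the host kernel log, whereas "mount error(1): Operation not permitted" with no such audit line is the kernel itself refusing the mount. The helper below is an added example written for this thread, not code from the post or from Proxmox: it takes the mount command's output and the host kernel log as two strings and classifies the failure. The function names, the sample log lines and the sample mount output in it are constructed for the demonstration.

```shell
#!/bin/sh
# Added diagnostic helper (not from the original post): separate an AppArmor
# mount denial from a kernel refusal that AppArmor had no part in.
# Capture the mount output inside the container and the kernel log on the
# Proxmox host (journalctl -k / dmesg): AppArmor audit lines for a container's
# mount attempts are written to the host kernel log, not to the guest's.
#
# Facts the classification relies on:
#   - AppArmor mount mediation fails the syscall with EACCES, so mount.cifs
#     prints "mount error(13): Permission denied" and the kernel log carries
#     apparmor="DENIED" operation="mount" ... error=-13.
#   - EPERM ("mount error(1): Operation not permitted") with no DENIED line
#     means the kernel refused the mount on its own; editing AppArmor
#     profiles cannot change that outcome.

# classify_mount_failure MOUNT_OUTPUT KERNEL_LOG -> prints one of:
#   apparmor-denied | kernel-eperm | eacces-no-audit | unknown
classify_mount_failure() {
    cmf_mount_out=$1
    cmf_kern_log=$2
    if printf '%s\n' "$cmf_kern_log" | grep -q 'apparmor="DENIED" operation="mount"'; then
        echo apparmor-denied
    elif printf '%s\n' "$cmf_mount_out" | grep -q 'mount error(1):'; then
        echo kernel-eperm
    elif printf '%s\n' "$cmf_mount_out" | grep -q 'mount error(13):'; then
        echo eacces-no-audit
    else
        echo unknown
    fi
}

# denied_profile KERNEL_LOG -> prints the profile that issued the first mount denial
denied_profile() {
    printf '%s\n' "$1" | sed -n 's/.*apparmor="DENIED" operation="mount".*profile="\([^"]*\)".*/\1/p' | head -n 1
}

# next_step CLASS -> one-line hint for whoever is debugging
next_step() {
    case $1 in
        apparmor-denied) echo 'fix the mount rule in the profile named in the audit line, then reload AppArmor' ;;
        kernel-eperm)    echo 'not an AppArmor denial: mount on the host and bind-mount into the container' ;;
        eacces-no-audit) echo 'EACCES without an audit line: check credentials file permissions and share ACLs' ;;
        *)               echo 'unclassified: inspect the mount.cifs output and the host kernel log' ;;
    esac
}

# --- constructed sample inputs (not captured from a real system) ---
SAMPLE_EPERM_OUT='mount error(1): Operation not permitted
Refer to the mount.cifs(8) manual page (e.g. man mount.cifs) and kernel log messages (dmesg)'
SAMPLE_QUIET_LOG='[ 1234.5678] CIFS: Attempting to mount //nas01.local/music'

SAMPLE_EACCES_OUT='mount error(13): Permission denied'
SAMPLE_DENIED_LOG='audit: type=1400 audit(1708000000.000:123): apparmor="DENIED" operation="mount" class="mount" info="failed mntpnt match" error=-13 profile="lxc-container-default" name="/mnt/music/" pid=4321 comm="mount.cifs" fstype="cifs" srcname="//nas01.local/music/" flags="rw"'

# Demo run over the constructed samples
cls=$(classify_mount_failure "$SAMPLE_EPERM_OUT" "$SAMPLE_QUIET_LOG")
echo "sample 1: $cls -> $(next_step "$cls")"
cls=$(classify_mount_failure "$SAMPLE_EACCES_OUT" "$SAMPLE_DENIED_LOG")
echo "sample 2: $cls (profile: $(denied_profile "$SAMPLE_DENIED_LOG")) -> $(next_step "$cls")"
```

To use it on a real failure, save the output of the failing mount command from inside the container and the output of `journalctl -k --no-pager` from the host into two files and pass their contents as the two arguments. The log in the post shows error(1), which is the second class: nothing in the profile edits would show up as a DENIED line for that case, so the host kernel log is the quickest place to confirm which situation you are in.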