mount nfs share on unprivileged contained from proxmox zfs share

[rml]

I'm trying to mount a zfs nfs share from another proxmox server (server1) onto an container (on server2)
server1 - pve-manager/5.4-13/aee6f0ec (running kernel: 4.15.18-27-pve)
server2 -pve-manager/6.1-8/806edfe1 (running kernel: 5.3.18-3-pve)

Are you able to make a bind mount in a container to another server, or do I have to mount the nfs share on the container's server first?
Would this be different if the two servers were in a cluster (they're not currently as I'm testing)?
Is there a better was to go about this?
e.g should I just mount directly in the container? It would be helpful to do it in the lxc .conf file as I'm scripting the provisioning.

I'm slightly drowning reading old threads on this so wanted to check what was current please? I'm reading up on apparmour currently as it's new to me
e.g.
do we still need to explicitely enable nfs in apparmour https://unix.stackexchange.com/ques...containers-to-mount-nfs-shares-on-the-network
as "But we plan to allow such mounts in future by adding feature flags, which can be set by the user more easily ... " - https://forum.proxmox.com/threads/nfs-file-system-mount-problem-apparmor.31706/
Am I right that lxc.aa_profile is now lxc.apparmor.profile in old threads- same thing?

Huge thanks in advance.

root@server2:pct set 102 -mp1 server1.rml:/mnt/fogimages,mp=/images

storage 'server1' does not exist

root@server2:~# pct set 102 -mp1 server1:/mnt/fogimages,mp=/images

shares seem to exist

root@server2:~# showmount -e  server1

Export list for server1:

/mnt/prox-images *

/mnt/fog-images  *

root@server2:~# pvesm nfsscan server1

/mnt/fog-images  *

/mnt/prox-images *

container config

root@server2:~# cat /etc/pve/lxc/102.conf

arch: amd64

cores: 1

hostname: rmlfog

memory: 512

net0: name=eth0,bridge=vmbr0,firewall=1,hwaddr=00:00:00:00:40:03,ip=dhcp,ip6=dhcp,type=veth

ostype: ubuntu

rootfs: local-lvm:vm-102-disk-0,size=15G

swap: 512

unprivileged: 1

root@server2:~# cat /etc/hosts
127.0.0.1 localhost.localdomain localhost
172.31.187.56 server2.rml server2
172.31.187.52 server1 server1.rml

# The following lines are desirable for IPv6 capable hosts

::1     ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
ff02::3 ip6-allhosts

 

[rml]

I have something, sort-of-working but have permissions issues and it feels like I'm doing this the wrong way (?)

on server2 I've mounted the nfs share (through GUI server view add NFS)

and then created a bind mount on the container

I can:
*rw to the share ok on server2
*can only read from the container
(Both logged on as root for now to test)

On the container the df -h is showing the mount to the original sever1, not the host server2 specified in the bindmount, very confused now!

root@server2:~# cat /etc/pve/storage.cfg
dir: local
        path /var/lib/vz
        content vztmpl,backup,iso

nfs: isos
        export /mnt/prox-images
        path /mnt/pve/isos
        server server1
        content iso

lvmthin: local-lvm
        thinpool data
        vgname pve
        content images,rootdir

nfs: fog-images
        export /mnt/fog-images
        path /mnt/pve/fog-images
        server server1
        content vztmpl,backup,snippets,images,rootdir,iso
        maxfiles 2

server2:nfsstat -m

/mnt/pve/fog-images from server1:/mnt/fog-images

Flags: rw,relatime,vers=4.2,rsize=1048576,wsize=1048576,namlen=255,hard,proto=tcp,timeo=600,retrans=2,sec=sys,clientaddr=172.31.187.56,local_lock=none,addr=172.31.187.51

Container mount point in conf

mp1: /mnt/pve/fog-images,mp=/images

Permissions on server2 mounted folder

ls -al /mnt/pve/

drwxr-xr-x 7 root root    8 Apr 15 09:27 fog-images

drwxr-xr-x 2 root root 4096 Apr 14 16:47 images


Permissions on container folder

root@rmlfog:~# df -h

Filesystem                        Size  Used Avail Use% Mounted on

/dev/mapper/pve-vm--102--disk--0   15G  856M   14G   6% /

server1:/mnt/fog-images           297G     0  297G   0% /images

drwxr-xr-x   7 nobody nogroup     8 Apr 15 08:27 images


root@rmlfog:/images# mount
/dev/mapper/pve-vm--102--disk--0 on / type ext4 (rw,relatime,stripe=16)
server1:/mnt/fog-images on /images type nfs4 (rw,relatime,vers=4.2,rsize=1048576,wsize=1048576,namlen=255,hard,proto=tcp,timeo=600,retrans=2,sec=sys,clientaddr=172.31.187.56,local_lock=none,addr=172.31.187.51)

 

[rml]

as per https://forum.proxmox.com/threads/advice-for-file-sharing-between-containers.25704/#post-129006

I've tried adding (with no results - i.e. still read only)

root@server2:~# cat /etc/apparmor.d/lxc/lxc-default-with-nfs
# Do not load this file.  Rather, load /etc/apparmor.d/lxc-containers, which
# will source all profiles under /etc/apparmor.d/lxc

profile lxc-container-default-with-nfs flags=(attach_disconnected,mediate_deleted) {
  #include <abstractions/lxc/container-base>

# allow NFS (nfs/nfs4) mounts.
  mount fstype=nfs*,
  mount fstype=cgroup -> /sys/fs/cgroup/**,
}

and reloading with

apparmor_parser -r /etc/apparmor.d/lxc-containers

and to 102.conf
lxc.apparmor.profile: lxc-container-default-with-nfs lxc.apparmor.profile: unconfined

I'll revert these changes for now as it feels like I'm not confident what they're doing

 

[bgv2020]

Any luck on this? LXC with NFS worked fine when I was using version 19.04 Ubuntu but when upgrading to 19.10 Ubuntu it ended up breaking NFS mounts.

Is it possible to disable apparmor completely since Proxmox don't know how to properly have it running?

 

[rml]

I'm not sure it's right to blame proxmox here. For me it's my lack of understanding.

Have you tried a priviledges container with nfs and nesting features turned on?

As for disabling that's in the docs
https://pve.proxmox.com/wiki/Linux_Container