[SOLVED] Mounting NFS in LXC not working since latest update

[karnz]

I just updated PVE kernel,container to the latest version last night, then NFS mounting in LXC not working anymore.

Package updated

Start-Date: 2018-10-10 02:55:17
Commandline: apt-get dist-upgrade
Install: pve-kernel-4.15.18-7-pve:amd64 (4.15.18-26, automatic)
Upgrade: linux-libc-dev:amd64 (4.9.110-3+deb9u5, 4.9.110-3+deb9u6), libpve-storage-perl:amd64 (5.0-29, 5.0-30), pve-container:amd64 (2.0-27, 2.0-28), pve-kernel-4.15:amd64 (5.2-8, 5.2-10)

I was used the way adding below code to /etc/apparmor.d/lxc/lxc-default-cgns and it works for long time ago but after updated, it's not working.

mount fstype=rpc_pipefs,
mount fstype=nfs,

Log shows different than previous version.

kernel: [ 7157.811635] audit: type=1400 audit(1539128871.260:199): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-116_</var/lib/lxc>" name="/mount_dir" pid=191929 comm="mount.nfs" fstype="nfs" srcname="backup-server:/backup_dir" flags="rw, noatime"

PVE Version

proxmox-ve: 5.2-2 (running kernel: 4.15.18-7-pve)
pve-manager: 5.2-9 (running version: 5.2-9/4b30e8f9)
pve-kernel-4.15: 5.2-10
pve-kernel-4.13: 5.2-2
pve-kernel-4.15.18-7-pve: 4.15.18-26
pve-kernel-4.15.18-5-pve: 4.15.18-24
pve-kernel-4.15.18-4-pve: 4.15.18-23
pve-kernel-4.15.18-1-pve: 4.15.18-19
pve-kernel-4.15.17-3-pve: 4.15.17-14
pve-kernel-4.15.17-2-pve: 4.15.17-10
pve-kernel-4.15.17-1-pve: 4.15.17-9
pve-kernel-4.15.15-1-pve: 4.15.15-6
pve-kernel-4.13.16-4-pve: 4.13.16-51
pve-kernel-4.13.16-3-pve: 4.13.16-50
pve-kernel-4.13.16-2-pve: 4.13.16-48
pve-kernel-4.13.13-2-pve: 4.13.13-33
ceph: 12.2.8-pve1
corosync: 2.4.2-pve5
criu: 2.11.1-1~bpo90
glusterfs-client: 3.8.8-1
ksm-control-daemon: 1.2-2
libjs-extjs: 6.0.1-2
libpve-access-control: 5.0-8
libpve-apiclient-perl: 2.0-5
libpve-common-perl: 5.0-40
libpve-guest-common-perl: 2.0-18
libpve-http-server-perl: 2.0-11
libpve-storage-perl: 5.0-30
libqb0: 1.0.1-1
lvm2: 2.02.168-pve6
lxc-pve: 3.0.2+pve1-2
lxcfs: 3.0.2-2
novnc-pve: 1.0.0-2
proxmox-widget-toolkit: 1.0-20
pve-cluster: 5.0-30
pve-container: 2.0-28
pve-docs: 5.2-8
pve-firewall: 3.0-14
pve-firmware: 2.0-5
pve-ha-manager: 2.0-5
pve-i18n: 1.0-6
pve-libspice-server1: 0.12.8-3
pve-qemu-kvm: 2.11.2-1
pve-xtermjs: 1.0-5
qemu-server: 5.0-36
smartmontools: 6.5+svn4324-1
spiceterm: 3.0-5
vncterm: 1.5-3
zfsutils-linux: 0.7.11-pve1~bpo1

I tried to add the same code from lxc-default-cgns to
/var/lib/lxc/116/apparmor/lxc-116_<-var-lib-lxc> but still not working too.

Anyway possible to mount NFS in LXC again?

 

[karnz]

Fixed.

It has to add profile "lxc.apparmor.profile: lxc-container-default-cgns" to each LXC ID config file.

 

[Dwain]

Fixed.

It has to add profile "lxc.apparmor.profile: lxc-container-default-cgns" to each LXC ID config file.

Hi Karnz,

I'm trying to follow what you did but I don't get it.
You said to add profile "lxc.apparmor.profile: lxc-container-default-cgns" to each LXC ID config file.

Do you mean to go to /var/lib/lxc/<conatiner number> container and edit the config file by adding this to the end of the config file
lxc.apparmor.profile: lxc-container-default-cgns or is there something I'm missing?

I'm experiencing this same issue after a kernel update. I'm on versioin 5.2-9

Thanks,
Dwain

 

[karnz]

Hi Karnz,

I'm trying to follow what you did but I don't get it.
You said to add profile "lxc.apparmor.profile: lxc-container-default-cgns" to each LXC ID config file.

Do you mean to go to /var/lib/lxc/<conatiner number> container and edit the config file by adding this to the end of the config file
lxc.apparmor.profile: lxc-container-default-cgns or is there something I'm missing?

I'm experiencing this same issue after a kernel update. I'm on versioin 5.2-9

Thanks,
Dwain

Yes, add it to the end of config file, but config directory is /etc/pve/lxc/

 

[Dwain]

Yes, add it to the end of config file, but config directory is /etc/pve/lxc/

Hi Karnz,

That worked. I added the configuration to all my lxc's that needs it restarted the container to the config can be loaded and my nfs mounts are now mounted.

Many thanks to you!
Dwain

 

[Dwain]

Update Nov 1st 2018:
During my monthly server maintenance, I ran into this error again and found a similar solution.

Instead of adding the below and entry into each lxc container to allow NFS mounting due to apparmor security:
/etc/pve/lxc/<lxcname>.conf
lxc.apparmor.profile: lxc-container-default-cgns

The right config is to enable the nesting features into each lxc container. I replaced all my entries with the below and I'm able to mount NFS again:
/etc/pve/lxc/<lxcname>.conf
features: nesting=1

Reference link to this:
https://forum.proxmox.com/threads/lxc-security-nesting.44726/#post-224873

 

[karnz]

Thanks for update. I tried to add "features: nesting=1" to my LXC config and it works for me too

 

[madralphw]

Perfect!! Thanks ;-)

 

[CharlesErickT]

Now you can just enable NFS/CIFS mounting from the webui under Options-Feature instead of enabling nesting

 

[lagomorph42]

Now you can just enable NFS/CIFS mounting from the webui under Options-Feature instead of enabling nesting

Enabling this option worked for me.

 

[starkruzr]

Now you can just enable NFS/CIFS mounting from the webui under Options-Feature instead of enabling nesting

I'm running 6.1-8 and don't have this available. Is there something you have to do to enable it?

 

[Dwain]

I'm running 6.1-8 and don't have this available. Is there something you have to do to enable it?

I'm on 6.1-7 and I can see the Features nesting option under the Container.

Can you send a screenshot of the Options section for your container?

If you don't see it in 6.1-8 you might want to try updating the config using my previous method:
https://forum.proxmox.com/threads/m...working-since-latest-update.47815/post-227096

 

[starkruzr]

@Dwain thanks -- that's how I did it, your old method.

 

[chicagonyc]

With 7.4, I needed to enable nesting even after enabling NFS to access those shares.