[SOLVED] Mounting NFS in LXC not working since latest update

karnz

I just updated the PVE kernel and container to the latest version last night, and since then NFS mounting in LXC is not working anymore.

Packages updated:
Start-Date: 2018-10-10 02:55:17
Commandline: apt-get dist-upgrade
Install: pve-kernel-4.15.18-7-pve:amd64 (4.15.18-26, automatic)
Upgrade: linux-libc-dev:amd64 (4.9.110-3+deb9u5, 4.9.110-3+deb9u6), libpve-storage-perl:amd64 (5.0-29, 5.0-30), pve-container:amd64 (2.0-27, 2.0-28), pve-kernel-4.15:amd64 (5.2-8, 5.2-10)
I used to add the code below to /etc/apparmor.d/lxc/lxc-default-cgns, and it worked for a long time, but after the update it's not working.

mount fstype=rpc_pipefs,
mount fstype=nfs,
The log shows something different from the previous version.

kernel: [ 7157.811635] audit: type=1400 audit(1539128871.260:199): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-116_</var/lib/lxc>" name="/mount_dir" pid=191929 comm="mount.nfs" fstype="nfs" srcname="backup-server:/backup_dir" flags="rw, noatime"
PVE Version

proxmox-ve: 5.2-2 (running kernel: 4.15.18-7-pve)
pve-manager: 5.2-9 (running version: 5.2-9/4b30e8f9)
pve-kernel-4.15: 5.2-10
pve-kernel-4.13: 5.2-2
pve-kernel-4.15.18-7-pve: 4.15.18-26
pve-kernel-4.15.18-5-pve: 4.15.18-24
pve-kernel-4.15.18-4-pve: 4.15.18-23
pve-kernel-4.15.18-1-pve: 4.15.18-19
pve-kernel-4.15.17-3-pve: 4.15.17-14
pve-kernel-4.15.17-2-pve: 4.15.17-10
pve-kernel-4.15.17-1-pve: 4.15.17-9
pve-kernel-4.15.15-1-pve: 4.15.15-6
pve-kernel-4.13.16-4-pve: 4.13.16-51
pve-kernel-4.13.16-3-pve: 4.13.16-50
pve-kernel-4.13.16-2-pve: 4.13.16-48
pve-kernel-4.13.13-2-pve: 4.13.13-33
ceph: 12.2.8-pve1
corosync: 2.4.2-pve5
criu: 2.11.1-1~bpo90
glusterfs-client: 3.8.8-1
ksm-control-daemon: 1.2-2
libjs-extjs: 6.0.1-2
libpve-access-control: 5.0-8
libpve-apiclient-perl: 2.0-5
libpve-common-perl: 5.0-40
libpve-guest-common-perl: 2.0-18
libpve-http-server-perl: 2.0-11
libpve-storage-perl: 5.0-30
libqb0: 1.0.1-1
lvm2: 2.02.168-pve6
lxc-pve: 3.0.2+pve1-2
lxcfs: 3.0.2-2
novnc-pve: 1.0.0-2
proxmox-widget-toolkit: 1.0-20
pve-cluster: 5.0-30
pve-container: 2.0-28
pve-docs: 5.2-8
pve-firewall: 3.0-14
pve-firmware: 2.0-5
pve-ha-manager: 2.0-5
pve-i18n: 1.0-6
pve-libspice-server1: 0.12.8-3
pve-qemu-kvm: 2.11.2-1
pve-xtermjs: 1.0-5
qemu-server: 5.0-36
smartmontools: 6.5+svn4324-1
spiceterm: 3.0-5
vncterm: 1.5-3
zfsutils-linux: 0.7.11-pve1~bpo1
I tried adding the same code from lxc-default-cgns to
/var/lib/lxc/116/apparmor/lxc-116_<-var-lib-lxc> but it's still not working either.

Is there any way to mount NFS in LXC again?
 

karnz

Fixed.

You have to add the profile "lxc.apparmor.profile: lxc-container-default-cgns" to each LXC ID config file.
 

Dwain

Hi Karnz,

I'm trying to follow what you did but I don't get it.
You said to add profile "lxc.apparmor.profile: lxc-container-default-cgns" to each LXC ID config file.

Do you mean to go to /var/lib/lxc/<container number> container and edit the config file by adding this to the end of the config file
lxc.apparmor.profile: lxc-container-default-cgns or is there something I'm missing?

I'm experiencing this same issue after a kernel update. I'm on version 5.2-9

Thanks,
Dwain
 

karnz

Yes, add it to the end of the config file, but the config directory is /etc/pve/lxc/
 

Dwain

Hi Karnz,

That worked. I added the configuration to all my LXCs that need it, restarted the containers so the config can be loaded, and my NFS mounts are now mounted.

Many thanks to you!
Dwain
 

Dwain

Update Nov 1st 2018:
During my monthly server maintenance, I ran into this error again and found a similar solution.

Instead of adding the below entry into each LXC container to allow NFS mounting due to AppArmor security:
/etc/pve/lxc/<lxcname>.conf
lxc.apparmor.profile: lxc-container-default-cgns


The right config is to enable the nesting feature in each LXC container. I replaced all my entries with the below and I'm able to mount NFS again:
/etc/pve/lxc/<lxcname>.conf
features: nesting=1

Reference link to this:
https://forum.proxmox.com/threads/lxc-security-nesting.44726/#post-224873
 

karnz

Thanks for the update. I tried to add "features: nesting=1" to my LXC config and it works for me too :)
 

CharlesErickT

Now you can just enable NFS/CIFS mounting from the webui under Options-Feature instead of enabling nesting
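
Added example, not part of any post in this thread: a host-side check that reports which of the three approaches discussed above each container config uses, so containers still carrying the manual profile override or nesting=1 can be reviewed. It assumes the web UI NFS/CIFS option is stored as `features: mount=nfs;cifs` (a key not shown in the thread) and that `[name]` lines start snapshot sections; the sample configs are constructed.

```shell
# Sample configs are constructed; function names are hypothetical.

# classify_conf FILE: print how one container config relaxes confinement.
classify_conf() {
    awk '
        /^\[/ { exit }   # snapshot sections start here; only the live config counts
        /^lxc\.apparmor\.profile[ \t]*[:=]/ { override = 1 }
        /^features:/ {
            sub(/^features:[ \t]*/, "")
            n = split($0, opt, ",")
            for (i = 1; i <= n; i++) {
                gsub(/[ \t]/, "", opt[i])
                if (opt[i] == "nesting=1") nesting = 1
                if (opt[i] ~ /^mount=/) {        # assumed key: mount=nfs;cifs
                    sub(/^mount=/, "", opt[i])
                    m = split(opt[i], fs, ";")
                    for (j = 1; j <= m; j++) if (fs[j] == "nfs") nfs = 1
                }
            }
        }
        END {
            if (override)     print "profile-override"
            else if (nesting) print "nesting"
            else if (nfs)     print "mount-nfs"
            else              print "default"
        }
    ' "$1"
}

# audit_dir DIR: print "<vmid> <finding>" for every <vmid>.conf in DIR.
audit_dir() {
    for f in "$1"/*.conf; do
        [ -e "$f" ] || continue
        id=${f##*/}
        printf '%s %s\n' "${id%.conf}" "$(classify_conf "$f")"
    done
}

# Constructed sample configs standing in for /etc/pve/lxc/.
make_sample_dir() {
    d=$(mktemp -d)
    printf 'arch: amd64\nlxc.apparmor.profile: lxc-container-default-cgns\n' > "$d/116.conf"
    printf 'arch: amd64\nfeatures: nesting=1\n' > "$d/117.conf"
    printf 'arch: amd64\nfeatures: mount=nfs;cifs\n' > "$d/118.conf"
    printf 'arch: amd64\n\n[snap1]\nfeatures: nesting=1\n' > "$d/119.conf"
    echo "$d"
}

sample=$(make_sample_dir)
audit_dir "$sample"
rm -rf "$sample"
```

On a Proxmox host, `audit_dir /etc/pve/lxc` runs the same check over the real configs.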
 
