[SOLVED] Mounting NFS in LXC not working since latest update

karnz

I just updated the PVE kernel and container packages to the latest version last night, and now NFS mounting in LXC is not working anymore.

Package updated
Start-Date: 2018-10-10 02:55:17
Commandline: apt-get dist-upgrade
Install: pve-kernel-4.15.18-7-pve:amd64 (4.15.18-26, automatic)
Upgrade: linux-libc-dev:amd64 (4.9.110-3+deb9u5, 4.9.110-3+deb9u6), libpve-storage-perl:amd64 (5.0-29, 5.0-30), pve-container:amd64 (2.0-27, 2.0-28), pve-kernel-4.15:amd64 (5.2-8, 5.2-10)

I had been adding the code below to /etc/apparmor.d/lxc/lxc-default-cgns, and it worked for a long time, but after the update it is not working.

mount fstype=rpc_pipefs,
mount fstype=nfs,

The log shows something different from the previous version.

kernel: [ 7157.811635] audit: type=1400 audit(1539128871.260:199): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-116_</var/lib/lxc>" name="/mount_dir" pid=191929 comm="mount.nfs" fstype="nfs" srcname="backup-server:/backup_dir" flags="rw, noatime"

PVE Version

proxmox-ve: 5.2-2 (running kernel: 4.15.18-7-pve)
pve-manager: 5.2-9 (running version: 5.2-9/4b30e8f9)
pve-kernel-4.15: 5.2-10
pve-kernel-4.13: 5.2-2
pve-kernel-4.15.18-7-pve: 4.15.18-26
pve-kernel-4.15.18-5-pve: 4.15.18-24
pve-kernel-4.15.18-4-pve: 4.15.18-23
pve-kernel-4.15.18-1-pve: 4.15.18-19
pve-kernel-4.15.17-3-pve: 4.15.17-14
pve-kernel-4.15.17-2-pve: 4.15.17-10
pve-kernel-4.15.17-1-pve: 4.15.17-9
pve-kernel-4.15.15-1-pve: 4.15.15-6
pve-kernel-4.13.16-4-pve: 4.13.16-51
pve-kernel-4.13.16-3-pve: 4.13.16-50
pve-kernel-4.13.16-2-pve: 4.13.16-48
pve-kernel-4.13.13-2-pve: 4.13.13-33
ceph: 12.2.8-pve1
corosync: 2.4.2-pve5
criu: 2.11.1-1~bpo90
glusterfs-client: 3.8.8-1
ksm-control-daemon: 1.2-2
libjs-extjs: 6.0.1-2
libpve-access-control: 5.0-8
libpve-apiclient-perl: 2.0-5
libpve-common-perl: 5.0-40
libpve-guest-common-perl: 2.0-18
libpve-http-server-perl: 2.0-11
libpve-storage-perl: 5.0-30
libqb0: 1.0.1-1
lvm2: 2.02.168-pve6
lxc-pve: 3.0.2+pve1-2
lxcfs: 3.0.2-2
novnc-pve: 1.0.0-2
proxmox-widget-toolkit: 1.0-20
pve-cluster: 5.0-30
pve-container: 2.0-28
pve-docs: 5.2-8
pve-firewall: 3.0-14
pve-firmware: 2.0-5
pve-ha-manager: 2.0-5
pve-i18n: 1.0-6
pve-libspice-server1: 0.12.8-3
pve-qemu-kvm: 2.11.2-1
pve-xtermjs: 1.0-5
qemu-server: 5.0-36
smartmontools: 6.5+svn4324-1
spiceterm: 3.0-5
vncterm: 1.5-3
zfsutils-linux: 0.7.11-pve1~bpo1

I also tried adding the same code from lxc-default-cgns to
/var/lib/lxc/116/apparmor/lxc-116_<-var-lib-lxc>, but it is still not working.

Is there any way to mount NFS in LXC again?
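
An added example, not part of the original post: a small Python parser for the AppArmor denial quoted above, which pulls out the denying profile, the reason, the filesystem type and the mount flags. The second log line and all function names are constructed for illustration.

```python
import re

# Constructed sample: the denial quoted in the post, plus one unrelated record.
SAMPLE_LOG = '''\
kernel: [ 7157.811635] audit: type=1400 audit(1539128871.260:199): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-116_</var/lib/lxc>" name="/mount_dir" pid=191929 comm="mount.nfs" fstype="nfs" srcname="backup-server:/backup_dir" flags="rw, noatime"
kernel: [ 7158.000000] audit: type=1400 audit(1539128872.000:200): apparmor="STATUS" operation="profile_load" profile="unconfined" name="lxc-117_</var/lib/lxc>" pid=192000 comm="apparmor_parser"
'''

# key="quoted value" (may contain spaces and commas) or key=bare_token
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_audit_line(line):
    """Return the key/value fields of one AppArmor audit record as a dict."""
    _, sep, body = line.partition("apparmor=")
    if not sep:
        return {}  # not an AppArmor record
    fields = {}
    for key, quoted, bare in FIELD_RE.findall("apparmor=" + body):
        fields[key] = quoted or bare
    return fields


def denied_mounts(log_text):
    """Collect denied mount operations with the fields needed to review them."""
    hits = []
    for line in log_text.splitlines():
        f = parse_audit_line(line)
        if f.get("apparmor") != "DENIED" or f.get("operation") != "mount":
            continue
        flags = [x.strip() for x in f.get("flags", "").split(",") if x.strip()]
        hits.append({
            "profile": f.get("profile", ""),   # profile that issued the denial
            "reason": f.get("info", ""),
            "fstype": f.get("fstype", ""),
            "target": f.get("name", ""),
            "source": f.get("srcname", ""),
            "flags": flags,
        })
    return hits


if __name__ == "__main__":
    for hit in denied_mounts(SAMPLE_LOG):
        print(hit)
```
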
 
Fixed.

You have to add the profile "lxc.apparmor.profile: lxc-container-default-cgns" to each LXC ID config file.
 

Hi Karnz,

I'm trying to follow what you did but I don't get it.
You said to add profile "lxc.apparmor.profile: lxc-container-default-cgns" to each LXC ID config file.

Do you mean to go to /var/lib/lxc/<container number> container and edit the config file by adding this to the end of the config file
lxc.apparmor.profile: lxc-container-default-cgns or is there something I'm missing?

I'm experiencing this same issue after a kernel update. I'm on version 5.2-9

Thanks,
Dwain
 

Yes, add it to the end of the config file, but the config directory is /etc/pve/lxc/
 

Hi Karnz,

That worked. I added the configuration to all my LXCs that need it, restarted the containers so the config could be loaded, and my NFS mounts are now mounted.

Many thanks to you!
Dwain
 
Update Nov 1st 2018:
During my monthly server maintenance, I ran into this error again and found a similar solution.

Instead of adding the below entry into each LXC container to allow NFS mounting due to AppArmor security:
/etc/pve/lxc/<lxcname>.conf
lxc.apparmor.profile: lxc-container-default-cgns


The right config is to enable the nesting feature in each LXC container. I replaced all my entries with the below, and I'm able to mount NFS again:
/etc/pve/lxc/<lxcname>.conf
features: nesting=1

Reference link to this:
https://forum.proxmox.com/threads/lxc-security-nesting.44726/#post-224873
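
An added example, not part of the original post: a Python check that inventories which container configs carry either of the two settings used in this thread, so the containers running with changed AppArmor confinement are easy to review. The sample configs, container IDs and function names are constructed, and the parser assumes that a line starting with "[" begins a snapshot section that is not part of the live config.

```python
# Constructed sample configs in the /etc/pve/lxc/<vmid>.conf "key: value" format.
SAMPLE_CONFIGS = {
    "116.conf": "arch: amd64\nhostname: backup-client\nfeatures: nesting=1\n",
    "117.conf": "arch: amd64\nhostname: web\n"
                "lxc.apparmor.profile: lxc-container-default-cgns\n",
    # nesting appears only inside a snapshot section, not in the live config
    "118.conf": "arch: amd64\nhostname: db\n\n[snap1]\nfeatures: nesting=1\n",
}


def parse_conf(text):
    """Return (key, value) pairs from the live part of a container config."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):          # assumed snapshot section: stop here
            break
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition(":")
        if sep:
            entries.append((key.strip(), value.strip()))
    return entries


def confinement_findings(text):
    """List the settings from this thread that change a container's confinement."""
    findings = []
    for key, value in parse_conf(text):
        if key == "features":
            opts = dict(o.strip().partition("=")[::2] for o in value.split(","))
            if opts.get("nesting") == "1":
                findings.append("features: nesting=1")
        elif key == "lxc.apparmor.profile":
            findings.append("lxc.apparmor.profile: " + value)
    return findings


def audit_configs(configs):
    """Map container ID -> findings, for containers that have any."""
    report = {}
    for name, text in sorted(configs.items()):
        found = confinement_findings(text)
        if found:
            report[name.rsplit(".", 1)[0]] = found
    return report


if __name__ == "__main__":
    for vmid, found in audit_configs(SAMPLE_CONFIGS).items():
        print(vmid, "->", "; ".join(found))
```

On a real host, build the input dictionary by reading the files under /etc/pve/lxc/ instead of using the constructed samples.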
 
Thanks for update. I tried to add "features: nesting=1" to my LXC config and it works for me too :)
 
