[SOLVED] NFS Client in unprivileged container?

mac.1

Hey. Is it possible to have an NFS client inside an unprivileged LXC container?
Trying to do so always returns:
```
mount -vvv -t nfs -o 'vers=4.2' 10.xxx.xxx.2:/srv/nfs/shared /var/lib/minidlna/
mount.nfs: timeout set for Sun Apr 7 18:47:33 2019
mount.nfs: trying text-based options 'vers=4.2,addr=10.xxx.xxx.2,clientaddr=10.xxx.xxx.7'
mount.nfs: mount(2): Operation not permitted
mount.nfs: Operation not permitted
```
I already tried to play around with AppArmor profiles, but somehow nothing helped.
I can mount them from the host itself and from another PC on the LAN.
I also don't get AppArmor messages in /var/log/messages, but I get these when booting up the container:
```
Apr 7 21:46:02 server kernel: [1126704.839359] audit: type=1400 audit(1554666362.329:361): apparmor="STATUS" operation="profile_load" label="lxc-109_</var/lib/lxc>//&:lxc-109_<-var-lib-lxc>:unconfined" name="/usr/bin/man" pid=32400 comm="apparmor_$
Apr 7 21:46:02 server kernel: [1126704.839370] audit: type=1400 audit(1554666362.329:362): apparmor="STATUS" operation="profile_load" label="lxc-109_</var/lib/lxc>//&:lxc-109_<-var-lib-lxc>:unconfined" name="man_filter" pid=32400 comm="apparmor_pa$
Apr 7 21:46:02 server kernel: [1126704.839372] audit: type=1400 audit(1554666362.329:363): apparmor="STATUS" operation="profile_load" label="lxc-109_</var/lib/lxc>//&:lxc-109_<-var-lib-lxc>:unconfined" name="man_groff" pid=32400 comm="apparmor_par$
Apr 7 21:46:02 server kernel: [1126704.841096] audit: type=1400 audit(1554666362.329:364): apparmor="STATUS" operation="profile_load" label="lxc-109_</var/lib/lxc>//&:lxc-109_<-var-lib-lxc>:unconfined" name="/usr/sbin/tcpdump" pid=32402 comm="appa$
Apr 7 21:46:02 server kernel: [1126704.842833] audit: type=1400 audit(1554666362.333:365): apparmor="STATUS" operation="profile_load" label="lxc-109_</var/lib/lxc>//&:lxc-109_<-var-lib-lxc>:unconfined" name="/sbin/dhclient" pid=32399 comm="apparmo$
Apr 7 21:46:02 server kernel: [1126704.842836] audit: type=1400 audit(1554666362.333:366): apparmor="STATUS" operation="profile_load" label="lxc-109_</var/lib/lxc>//&:lxc-109_<-var-lib-lxc>:unconfined" name="/usr/lib/NetworkManager/nm-dhcp-client.$
Apr 7 21:46:02 server kernel: [1126704.842838] audit: type=1400 audit(1554666362.333:367): apparmor="STATUS" operation="profile_load" label="lxc-109_</var/lib/lxc>//&:lxc-109_<-var-lib-lxc>:unconfined" name="/usr/lib/NetworkManager/nm-dhcp-helper"$
Apr 7 21:46:02 server kernel: [1126704.842840] audit: type=1400 audit(1554666362.333:368): apparmor="STATUS" operation="profile_load" label="lxc-109_</var/lib/lxc>//&:lxc-109_<-var-lib-lxc>:unconfined" name="/usr/lib/connman/scripts/dhclient-scrip$
```
Has anyone had the same problem and found a way to solve it?
Via AppArmor, without disabling everything or making the containers privileged?
Or is it even possible at all?

As an alternative: is it a good idea to mount the same folder into different containers at the same time?
 
> Hey. Is it possible to have an NFS client inside an unprivileged LXC container?

Put shortly: this is not possible (NFS has no support for user namespaces (yet)).

You can mount the NFS share on the host and use a bind mount into the container.

Hope this helps!
 
Okay, thank you.
I was starting to think that I was just doing something wrong and it worked for all the others.
Thanks for clearing it up.
The thing is that I need to mount the same folder into multiple containers, but if that works without problems, it's perfect.
 
You can bind mount the same folder into many containers. The only issue is if multiple containers try to update the same file at the same time. But it is the same issue for any shared resource.

If you need to share the folder with other clients like VMs or network PCs, then you can try the TurnKey File Server container available as a template. You can create a container using that template, bind mount your folder there, and then share it using NFS and Samba to any non-CT client on the network.
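
The host-side NFS mount plus bind mount suggested in the replies above, sketched as an added example that is not part of the original thread and not Proxmox's own code. The export, container ID 109 and target path are taken from the question; the host mount point `/mnt/nfs/shared`, the `mp0` slot and the read-only flag are assumptions.

```shell
#!/bin/sh
# Run on the Proxmox host, not inside the container.
EXPORT='10.xxx.xxx.2:/srv/nfs/shared'   # export as written (anonymised) in the question
HOST_DIR='/mnt/nfs/shared'              # assumed mount point on the host
CTID=109                                # container ID from the lxc-109 log label
CT_DIR='/var/lib/minidlna'              # target path inside the container

# Build the /etc/fstab entry for the host-side NFS mount.
# nosuid,nodev keep setuid binaries and device nodes on the share inert.
fstab_line() {
    printf '%s %s nfs vers=4.2,nosuid,nodev,_netdev 0 0\n' "$1" "$2"
}

# Build the pct mount-point spec: <host path>,mp=<container path>,ro=<0|1>.
# Both paths must be absolute; a comma would be parsed as an option
# separator by pct, so paths containing one are rejected.
mp_spec() {
    case "$1$2" in *,*) return 1 ;; esac
    case "$1" in /*) ;; *) return 1 ;; esac
    case "$2" in /*) ;; *) return 1 ;; esac
    printf '%s,mp=%s,ro=%s\n' "$1" "$2" "${3:-0}"
}

apply() {
    line=$(fstab_line "$EXPORT" "$HOST_DIR")
    # ro=1 is an assumption: a media server only needs to read the share.
    spec=$(mp_spec "$HOST_DIR" "$CT_DIR" 1) || { echo 'bad path' >&2; return 1; }
    mkdir -p "$HOST_DIR"
    # Append the fstab entry only once, then mount it on the host.
    grep -qxF "$line" /etc/fstab || echo "$line" >> /etc/fstab
    mountpoint -q "$HOST_DIR" || mount "$HOST_DIR"
    # Refuse to bind an empty directory into the container if NFS is down.
    mountpoint -q "$HOST_DIR" || { echo 'NFS not mounted' >&2; return 1; }
    # The container stays unprivileged; files owned by host UIDs outside its
    # mapped range appear as "nobody" inside, so they must be world-readable.
    pct set "$CTID" -mp0 "$spec"
}

# Nothing privileged runs unless explicitly requested.
if [ "${1:-}" = "--apply" ]; then apply; fi
```

The same host directory can be attached to further containers by calling `pct set` with another container ID.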
 