[SOLVED] NFS Client in unprivileged container?

mac.1

New Member
Jan 19, 2019
5
8
1
31
Hey. is it possible to have a nfs client inside an unprivileged lxc container ?
Me trying to do so will always return:
```
mount -vvv -t nfs -o 'vers=4.2' 10.xxx.xxx.2:/srv/nfs/shared /var/lib/minidlna/
mount.nfs: timeout set for Sun Apr 7 18:47:33 2019
mount.nfs: trying text-based options 'vers=4.2,addr=10.xxx.xxx.2,clientaddr=10.xxx.xxx.7'
mount.nfs: mount(2): Operation not permitted
mount.nfs: Operation not permitted
```
I already tried to play around with apparmor profiles, but somehow nothing helped.
I can mount them from the host itself and from another pc in lan.
I also dont get apparmor messages in /var/log/messages, but i get those when booting up the container:
```
Apr 7 21:46:02 server kernel: [1126704.839359] audit: type=1400 audit(1554666362.329:361): apparmor="STATUS" operation="profile_load" label="lxc-109_</var/lib/lxc>//&:lxc-109_<-var-lib-lxc>:unconfined" name="/usr/bin/man" pid=32400 comm="apparmor_$
Apr 7 21:46:02 server kernel: [1126704.839370] audit: type=1400 audit(1554666362.329:362): apparmor="STATUS" operation="profile_load" label="lxc-109_</var/lib/lxc>//&:lxc-109_<-var-lib-lxc>:unconfined" name="man_filter" pid=32400 comm="apparmor_pa$
Apr 7 21:46:02 server kernel: [1126704.839372] audit: type=1400 audit(1554666362.329:363): apparmor="STATUS" operation="profile_load" label="lxc-109_</var/lib/lxc>//&:lxc-109_<-var-lib-lxc>:unconfined" name="man_groff" pid=32400 comm="apparmor_par$
Apr 7 21:46:02 server kernel: [1126704.841096] audit: type=1400 audit(1554666362.329:364): apparmor="STATUS" operation="profile_load" label="lxc-109_</var/lib/lxc>//&:lxc-109_<-var-lib-lxc>:unconfined" name="/usr/sbin/tcpdump" pid=32402 comm="appa$
Apr 7 21:46:02 server kernel: [1126704.842833] audit: type=1400 audit(1554666362.333:365): apparmor="STATUS" operation="profile_load" label="lxc-109_</var/lib/lxc>//&:lxc-109_<-var-lib-lxc>:unconfined" name="/sbin/dhclient" pid=32399 comm="apparmo$
Apr 7 21:46:02 server kernel: [1126704.842836] audit: type=1400 audit(1554666362.333:366): apparmor="STATUS" operation="profile_load" label="lxc-109_</var/lib/lxc>//&:lxc-109_<-var-lib-lxc>:unconfined" name="/usr/lib/NetworkManager/nm-dhcp-client.$
Apr 7 21:46:02 server kernel: [1126704.842838] audit: type=1400 audit(1554666362.333:367): apparmor="STATUS" operation="profile_load" label="lxc-109_</var/lib/lxc>//&:lxc-109_<-var-lib-lxc>:unconfined" name="/usr/lib/NetworkManager/nm-dhcp-helper"$
Apr 7 21:46:02 server kernel: [1126704.842840] audit: type=1400 audit(1554666362.333:368): apparmor="STATUS" operation="profile_load" label="lxc-109_</var/lib/lxc>//&:lxc-109_<-var-lib-lxc>:unconfined" name="/usr/lib/connman/scripts/dhclient-scrip$
```
Did someone has the same problems and has found a way to solve it ?
Via Appamor without disabling everything or make the containers privileged?
Or is it even possible at all ?

As an alternative: Is it a good idea to mount the same folder into different containers at the same time ?
 
Hey. is it possible to have a nfs client inside an unprivileged lxc container ?
put shortly - this is not possible (NFS has no support for user namespaces (yet)).

you can mount the nfs-share on the host and use a bindmount into the container

hope this helps!
 
  • Like
Reactions: mac.1
Okay, thank you.
I was starting to think that i was just doing something wrong and it worked for all the others.
Thanks for clearing it.
The thing is that i need to mount the same folder into multiple container, but it that works without problems it's perfect
 
You can bind mount the same folder into many containers. The only issue is if multiple containers try to update the same file at the same time. But it is the same issue for any shared resource.

If you need to share the folder with other clients like VMs or network PCs. Than you can try the turnkey file server container available as a template. You can create a container using that template, bind mount your folder there and than share it using nfs and Samba to any non CT client on network.
 
  • Like
Reactions: mac.1

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!