Hello,
Prior to PVE 7.X I used the modified lxc profile (see below) to allow LXC containers to be able to mount and serve NFS. Now this refuses to work (Permission Denied). Any thoughts on this?
/etc/apparmor.d/lxc/lxc-default-with-nfsd
Code:
# Do not load this file. Rather, load /etc/apparmor.d/lxc-containers, which
# will source all profiles under /etc/apparmor.d/lxc
#
# The name on the "profile" line below (not this file's name) is what
# lxc.apparmor.profile in /etc/pve/lxc/<VMID>.conf must reference. After any
# edit, reload with: apparmor_parser -r /etc/apparmor.d/lxc-containers
profile lxc-container-default-with-nfsd flags=(attach_disconnected,mediate_deleted) {
  #include <abstractions/lxc/container-base>

  # the container may never be allowed to mount devpts. If it does, it
  # will remount the host's devpts. We could allow it to do it with
  # the newinstance option (but, right now, we don't).
  deny mount fstype=devpts,

  # NFS server inside the container: nfsd plus the rpc_pipefs it needs.
  # Client-side nfs/nfs4 mounts stay commented out (not allowed).
  #mount fstype=nfs,
  #mount fstype=nfs4,
  mount fstype=nfsd,
  mount fstype=rpc_pipefs,
  mount fstype=cgroup -> /sys/fs/cgroup/**,
  mount fstype=cgroup2 -> /sys/fs/cgroup/**,
  mount fstype=autofs,
  mount options=(rw, bind, ro),
  # systemd in the container marks / as a recursive slave mount at boot; the
  # audit log shows exactly this being denied ("failed flags match"), because
  # options= is an exact set match and (rw, bind, ro) does not cover it.
  mount options=(rw, rslave) -> /,
}
In /etc/pve/lxc/XXX.conf
Code:
lxc.apparmor.profile: lxc-container-default-with-nfsd
Code:
Dec 27 16:20:53 vmhost02 kernel: [14837.614490] audit: type=1400 audit(1640650853.480:66): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-container-default-with-nfsd" name="/" pid=442308 comm="(chronyd)" flags="rw, rslave"
Dec 27 16:20:53 vmhost02 kernel: [14837.635712] audit: type=1400 audit(1640650853.500:67): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-container-default-with-nfsd" name="/" pid=442324 comm="(y-helper)" flags="rw, rslave"
Dec 27 17:08:19 vmhost02 kernel: [17683.905807] audit: type=1400 audit(1640653699.790:68): apparmor="DENIED" operation="change_profile" info="label not found" error=-2 profile="/usr/bin/lxc-start" name="lxc-default-with-nfsd" pid=482211 comm="lxc-start"
Dec 27 17:08:43 vmhost02 kernel: [17707.696831] audit: type=1400 audit(1640653723.583:69): apparmor="DENIED" operation="change_profile" info="label not found" error=-2 profile="/usr/bin/lxc-start" name="lxc-default-with-nfsd" pid=482710 comm="lxc-start"
Dec 27 17:10:42 vmhost02 kernel: [17826.279642] audit: type=1400 audit(1640653842.168:70): apparmor="DENIED" operation="change_profile" info="label not found" error=-2 profile="/usr/bin/lxc-start" name="lxc-default-with-nfsd" pid=484524 comm="lxc-start"
Dec 27 17:12:06 vmhost02 kernel: [17910.228992] audit: type=1400 audit(1640653926.120:76): apparmor="DENIED" operation="change_profile" info="label not found" error=-2 profile="/usr/bin/lxc-start" name="lxc-default-with-nfsd" pid=486039 comm="lxc-start"
Dec 27 17:16:34 vmhost02 kernel: [18178.976172] audit: type=1400 audit(1640654194.866:79): apparmor="DENIED" operation="change_profile" info="label not found" error=-2 profile="/usr/bin/lxc-start" name="lxc-default-with-nfsd" pid=491418 comm="lxc-start"
Dec 27 17:18:39 vmhost02 kernel: [18304.094908] audit: type=1400 audit(1640654319.987:80): apparmor="DENIED" operation="change_profile" info="label not found" error=-2 profile="/usr/bin/lxc-start" name="lxc-default-with-nfsd" pid=493307 comm="lxc-start"
Dec 27 17:21:45 vmhost02 kernel: [ 71.109135] audit: type=1400 audit(1640654505.289:21): apparmor="DENIED" operation="change_profile" info="label not found" error=-2 profile="/usr/bin/lxc-start" name="lxc-default-with-nfsd" pid=3568 comm="lxc-start"
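As an added example that is not part of the original post: a small POSIX shell helper that turns the two kinds of denial in the log above into something actionable. For a mount denial it emits the AppArmor mount rule that matches the denied request exactly (options= is an exact set match, which is why the log says "failed flags match" rather than a plain deny). For the lxc-start change_profile denial it reports that no loaded profile carries the requested name, and a second helper checks a container config's lxc.apparmor.profile value against the name declared on the profile line of the profile file. The audit lines and file contents are constructed fixtures copied from the post; the function names (field, deny_to_rule, check_profile_name) and the fixture paths are this example's own.

```shell
#!/bin/sh
# Added example, not from the original post: map AppArmor denials from the
# audit log to a candidate allow rule or to a profile-name diagnosis.

# Constructed samples: the two denial types that appear in the post.
SAMPLE_MOUNT_DENY='audit: type=1400 audit(1640650853.480:66): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-container-default-with-nfsd" name="/" pid=442308 comm="(chronyd)" flags="rw, rslave"'
SAMPLE_LABEL_DENY='audit: type=1400 audit(1640653699.790:68): apparmor="DENIED" operation="change_profile" info="label not found" error=-2 profile="/usr/bin/lxc-start" name="lxc-default-with-nfsd" pid=482211 comm="lxc-start"'

# field LINE KEY: print the value of KEY="..." from an audit line (empty if absent).
field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\"\([^\"]*\)\".*/\1/p"
}

# deny_to_rule LINE: for operation="mount", print the AppArmor mount rule that
# matches the denied request exactly (same fstype, same option set, same
# mountpoint). For operation="change_profile" with "label not found", print a
# diagnosis: the requested name is not the name of any loaded profile.
deny_to_rule() {
    line=$1
    op=$(field "$line" operation)
    name=$(field "$line" name)
    case $op in
        mount)
            flags=$(field "$line" flags)
            fstype=$(field "$line" fstype)
            printf 'mount %soptions=(%s) -> %s,\n' "${fstype:+fstype=$fstype }" "$flags" "$name"
            ;;
        change_profile)
            if [ "$(field "$line" info)" = "label not found" ]; then
                printf 'no loaded profile is named "%s"; fix the name or reload the profile\n' "$name"
            else
                printf 'change_profile to "%s" denied: %s\n' "$name" "$(field "$line" info)"
            fi
            ;;
        *)
            printf 'unhandled operation "%s"\n' "$op"
            return 1
            ;;
    esac
}

# check_profile_name PROFILE_FILE CONTAINER_CONF: succeed only when the value of
# lxc.apparmor.profile in CONTAINER_CONF equals the name declared by the
# "profile <name>" line in PROFILE_FILE. The filename under /etc/apparmor.d/lxc/
# is irrelevant; only the declared name can be referenced by a container.
check_profile_name() {
    declared=$(sed -n 's/^[[:space:]]*profile[[:space:]][[:space:]]*\([^[:space:]]*\).*/\1/p' "$1")
    wanted=$(sed -n 's/^lxc\.apparmor\.profile:[[:space:]]*//p' "$2")
    [ -n "$wanted" ] && [ "$declared" = "$wanted" ]
}

# Constructed fixtures: the profile header from the post, a container config
# that references the declared name, and one that references the filename
# instead (which reproduces the "label not found" denial).
FIXDIR=$(mktemp -d)
trap 'rm -rf "$FIXDIR"' EXIT
printf 'profile lxc-container-default-with-nfsd flags=(attach_disconnected,mediate_deleted) {\n}\n' > "$FIXDIR/lxc-default-with-nfsd"
printf 'lxc.apparmor.profile: lxc-container-default-with-nfsd\n' > "$FIXDIR/100.conf"
printf 'lxc.apparmor.profile: lxc-default-with-nfsd\n' > "$FIXDIR/101.conf"

deny_to_rule "$SAMPLE_MOUNT_DENY"
deny_to_rule "$SAMPLE_LABEL_DENY"
for conf in "$FIXDIR/100.conf" "$FIXDIR/101.conf"; do
    if check_profile_name "$FIXDIR/lxc-default-with-nfsd" "$conf"; then
        echo "$conf: profile name matches the declared profile"
    else
        echo "$conf: profile name does NOT match any declared profile"
    fi
done
```

On a real host, feed `journalctl -k | grep 'apparmor="DENIED"'` lines through deny_to_rule, add the emitted rule to the profile, and reload it with `apparmor_parser -r /etc/apparmor.d/lxc-containers` (the header of the posted profile says that file sources everything under /etc/apparmor.d/lxc/). `aa-status` lists the profiles actually loaded, which is the set a change_profile request has to hit; a name that is not in that list produces exactly the "label not found" lines above.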