NFS

Shaggy (New Member), Feb 13, 2021
Probably already a few posts about this.
I am trying to mount an NFS drive to an unprivileged container. When trying to do so, I get this error:
[screenshot: the mount error message]
My configurations looks like this:
[screenshot: container configuration]
and
arch: amd64
cores: 1
cpuunits: 512
hostname: XXXXXXXXX
memory: 512
mp0: XXX.XXX.XX.XX:/XXXXX,mp=/home/XXXXXXXXX/XXXXXX
net0: name=eth0,bridge=vmbr0,firewall=1,hwaddr=XX:XX:XX:XX:XX:XX,typ$
ostype: debian
rootfs: services:vm-300-disk-0,size=8G
swap: 512
unprivileged: 1
lxc.apparmor.profile: lxc-container-default-with-nfs

Many of the Xs are correct, verified them three different times while comparing with a Stack Exchange post and this Blog post.
Any ideas what I could possibly be doing wrong?
 
To reduce the attack surface, LXC uses many security features like AppArmor, CGroups and kernel namespaces.

AppArmor

AppArmor profiles are used to restrict access to possibly dangerous actions. Some system calls, i.e. mount, are prohibited from execution.
To trace AppArmor activity, use:
# dmesg | grep apparmor
Although it is not recommended, AppArmor can be disabled for a container. This brings security risks with it. Some syscalls can lead to privilege escalation when executed within a container if the system is misconfigured or if a LXC or Linux Kernel vulnerability exists.
To disable AppArmor for a container, add the following line to the container configuration file located at /etc/pve/lxc/CTID.conf:
lxc.apparmor.profile = unconfined
Please note that this is not recommended for production use.
 
Thanks for the note about Apparmor and the restriction, a type of security implementation. Is there a way to do NFS mounts without disabling Apparmor?
 
Not directly. What you can do is mount a NFS share on your host itself and bind-mount that mountpoint of that NFS share into your LXC.
But because of the user/group remapping you won't have rights to do something on that share unless you set that share to chmod 777 or change the user remapping for the owners of that share. Look here for user remapping.
That's how I mount my SMB shares into my unprivileged LXCs.
 
I feel stupid for not thinking about that haha
Thanks for that perspective! :)
 
I feel stupid reading that wiki entry - I get the principle but the example makes little sense to me
 
You can make bind mounts that are either unprivileged read-only or write-through.

Read-Only: Make sure no restrictions are set up, such as file permissions. Do a basic mount as for any other container.
Write-through: I am having a little bit of a hard time understanding myself but after a little research, I managed to come across this post.

For my operation, I only need to do Read-Only as editing will only happen through a different system all in all.
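Added example, not posted by anyone in this thread: a small POSIX shell script that walks through the two things discussed above, the user/group remapping that decides whether a bind-mounted NFS share is writable from an unprivileged container, and the read-only bind mount used for the "Read-Only" case. The idmap lines, /etc/subuid entries, mp0 line and the uid/owner/mode values are constructed for illustration (they follow the shape of the Proxmox wiki example with uid 1005, but are not copied from it). With the usual AUTH_SYS NFS export the server only sees the numeric host uid the host kernel sends, so the host uid after remapping is what the share's permissions are checked against.

```shell
#!/bin/sh
# Added example, not from the thread or from Proxmox.
# Unprivileged LXC: container uid N is really host uid (N + 100000) unless the
# container config punches a hole in that mapping. A constructed config:
#
#   # /etc/pve/lxc/CTID.conf (constructed)
#   mp0: /mnt/nfs/share,mp=/mnt/share,ro=1      # host-side NFS mount, bind-mounted read-only
#   lxc.idmap: u 0 100000 1005                  # container 0..1004   -> host 100000..101004
#   lxc.idmap: u 1005 1005 1                    # container 1005      -> host 1005 (unchanged)
#   lxc.idmap: u 1006 101006 64530              # container 1006..65535 -> host 101006..165535
#   (matching "g" lines for groups)
#
#   # /etc/subuid and /etc/subgid on the host must allow root to use uid 1005:
#   root:1005:1
#
# Each idmap entry reads: <kind> <container_start> <host_start> <count>.
IDMAP='u 0 100000 1005
u 1005 1005 1
u 1006 101006 64530'

# map_uid <container_uid>: print the host uid the container uid is translated to,
# or "unmapped" if no idmap range covers it (such a uid cannot exist in the container).
map_uid() {
    ct_uid=$1
    result=unmapped
    while read -r kind ct_start host_start count; do
        [ "$kind" = "u" ] || continue
        if [ "$ct_uid" -ge "$ct_start" ] && [ "$ct_uid" -lt $((ct_start + count)) ]; then
            result=$((host_start + ct_uid - ct_start))
            break
        fi
    done <<EOF
$IDMAP
EOF
    echo "$result"
}

# share_writable <container_uid> <owner_host_uid> <mode>: succeed (exit 0) when a
# process running as container_uid could write a file on the share that is owned by
# owner_host_uid with the given mode (e.g. 755). Group bits are ignored for brevity.
share_writable() {
    host_uid=$(map_uid "$1")
    owner=$2
    mode=$3
    owner_w=$(( (mode / 100) & 2 ))   # write bit of the owner digit
    other_w=$(( (mode % 10) & 2 ))    # write bit of the "others" digit
    if [ "$host_uid" = "$owner" ] && [ "$owner_w" -ne 0 ]; then
        return 0
    fi
    [ "$other_w" -ne 0 ]
}

# Walk-through: root and an ordinary user inside the container land in the
# 100000+ range, so a share owned by host uid 1005 with mode 755 is only writable
# for the one container uid that was mapped straight through (1005).
for u in 0 1000 1005 1006; do
    echo "container uid $u -> host uid $(map_uid "$u")"
done
for u in 1000 1005; do
    if share_writable "$u" 1005 755; then
        echo "container uid $u CAN write to a 1005-owned, mode 755 share"
    else
        echo "container uid $u cannot write to a 1005-owned, mode 755 share (chmod 777 or remap it)"
    fi
done
```

The ro=1 on the mp0 line is what makes the "Read-Only" variant safe to hand out without worrying about the mapping at all: nothing in the container can write through it, whichever host uid the container's processes end up as. For the write-through variant, either the share's owner is remapped one-to-one as above, or the share is opened up with chmod 777, which is the trade-off the earlier reply describes.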