Unprivileged LXC CentOS 7 NFS server woes with AppArmor and D-Bus

matthew02

Member
May 3, 2019
I'm trying to set up a file server (NFS now, Samba after) in a CentOS 7 container, without making it privileged. The NFS service won't start because of dependency issues with RPC Pipe which will not mount (says permission denied).

Code:
Jun 08 19:01:56 shoebox mount[76]: mount: permission denied
Jun 08 19:01:56 shoebox systemd[1]: var-lib-nfs-rpc_pipefs.mount mount process exited, code=exited status=32
Jun 08 19:01:56 shoebox systemd[1]: Failed to mount RPC Pipe File System.
-- Subject: Unit var-lib-nfs-rpc_pipefs.mount has failed
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit var-lib-nfs-rpc_pipefs.mount has failed.
--
-- The result is failed.
Jun 08 19:01:56 shoebox systemd[1]: Dependency failed for rpc_pipefs.target.
-- Subject: Unit rpc_pipefs.target has failed
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit rpc_pipefs.target has failed.
--
-- The result is dependency.
Jun 08 19:01:56 shoebox systemd[1]: Dependency failed for RPC security service for NFS client and server.
-- Subject: Unit rpc-gssd.service has failed
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit rpc-gssd.service has failed.
--
-- The result is dependency.
Jun 08 19:01:56 shoebox systemd[1]: Job rpc-gssd.service/start failed with result 'dependency'.
Jun 08 19:01:56 shoebox systemd[1]: Job rpc_pipefs.target/start failed with result 'dependency'.
Jun 08 19:01:56 shoebox systemd[1]: Unit var-lib-nfs-rpc_pipefs.mount entered failed state.
Jun 08 19:01:56 shoebox systemd[1]: Started Update UTMP about System Boot/Shutdown.

I've found some seemingly relevant information.
https://forum.proxmox.com/threads/nfs-file-system-mount-problem-apparmor.31706/
https://unix.stackexchange.com/ques...containers-to-mount-nfs-shares-on-the-network
https://github.com/ehough/docker-nfs-server/blob/develop/doc/feature/apparmor.md
https://github.com/lxc/lxd/issues/3096
https://github.com/lxc/lxd/issues/2703

In an effort to modify the container's AppArmor profile, I went to the parent node and added the following file:
Code:
# Do not load this file. Rather, load /etc/apparmor.d/lxc-containers, which
# will source all profiles under /etc/apparmor.d/lxc

profile lxc-container-default-with-nfs flags=(attach_disconnected,mediate_deleted) {
  #include <abstractions/lxc/container-base>
  mount fstype=nfs*,
  mount fstype=rpc_pipefs,
}
edited this one:
Code:
arch: amd64
cores: 1
hostname: shoebox
memory: 512
mp0: /data,mp=/data
net0: name=eth0,bridge=vmbr0,firewall=1,hwaddr=B6:AE:5F:BC:77:5B,ip=dhcp,ip6=dhcp,type=veth
ostype: centos
rootfs: local-lvm:vm-120-disk-0,size=1G
swap: 512
unprivileged: 1
lxc.apparmor.profile: lxc-container-default-with-nfs
ran
Code:
apparmor_parser -r -W /etc/apparmor.d/lxc/lxc-default-with-nfs
systemctl restart apparmor.service
and restarted the container.

Now back to the container and systemd will not start (no journal) and D-Bus isn't running.

Code:
-- The start-up result is done.
Jun 08 15:48:21 capitolium pct[787]: <root@pam> end task UPID:capitolium:00000314:01A52BE2:5CFC1F12:vzstart:120:root@pam: OK
Jun 08 15:48:21 capitolium audit[924]: AVC apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-default-with-nfs" name="/sys/fs/cgroup/systemd/" pid=924 comm="systemd" fstype="cgroup" srcname="cgroup" flags="rw, nosuid, nodev, noexec"
Jun 08 15:48:21 capitolium audit[924]: AVC apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-default-with-nfs" name="/sys/fs/cgroup/systemd/" pid=924 comm="systemd" fstype="cgroup" srcname="cgroup" flags="rw, nosuid, nodev, noexec"
Jun 08 15:48:21 capitolium kernel: audit: type=1400 audit(1560026901.188:171): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-default-with-nfs" name="/sys/fs/cgroup/systemd/" pid=924 comm="systemd" fstype="cgroup" srcname="cgroup" flags="rw, nosuid, nodev, noexec"
Jun 08 15:48:21 capitolium kernel: audit: type=1400 audit(1560026901.192:172): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-default-with-nfs" name="/sys/fs/cgroup/systemd/" pid=924 comm="systemd" fstype="cgroup" srcname="cgroup" flags="rw, nosuid, nodev, noexec"
Jun 08 15:48:21 capitolium kernel: audit: type=1400 audit(1560026901.196:173): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-default-with-nfs" name="/sys/fs/cgroup/net_cls,net_prio/" pid=924 comm="systemd" fstype="cgroup" srcname="cgroup" flags="rw, nosuid, nodev, noexec"
Jun 08 15:48:21 capitolium kernel: audit: type=1400 audit(1560026901.196:174): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-default-with-nfs" name="/sys/fs/cgroup/pids/" pid=924 comm="systemd" fstype="cgroup" srcname="cgroup" flags="rw, nosuid, nodev, noexec"
Jun 08 15:48:21 capitolium kernel: audit: type=1400 audit(1560026901.196:175): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-default-with-nfs" name="/sys/fs/cgroup/rdma/" pid=924 comm="systemd" fstype="cgroup" srcname="cgroup" flags="rw, nosuid, nodev, noexec"
Jun 08 15:48:21 capitolium kernel: audit: type=1400 audit(1560026901.196:176): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-default-with-nfs" name="/sys/fs/cgroup/perf_event/" pid=924 comm="systemd" fstype="cgroup" srcname="cgroup" flags="rw, nosuid, nodev, noexec"
Jun 08 15:48:21 capitolium kernel: audit: type=1400 audit(1560026901.196:177): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-default-with-nfs" name="/sys/fs/cgroup/freezer/" pid=924 comm="systemd" fstype="cgroup" srcname="cgroup" flags="rw, nosuid, nodev, noexec"
Jun 08 15:48:21 capitolium kernel: audit: type=1400 audit(1560026901.196:178): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-default-with-nfs" name="/sys/fs/cgroup/cpuset/" pid=924 comm="systemd" fstype="cgroup" srcname="cgroup" flags="rw, nosuid, nodev, noexec"
Jun 08 15:48:21 capitolium kernel: audit: type=1400 audit(1560026901.196:179): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-default-with-nfs" name="/sys/fs/cgroup/memory/" pid=924 comm="systemd" fstype="cgroup" srcname="cgroup" flags="rw, nosuid, nodev, noexec"
Jun 08 15:48:21 capitolium kernel: audit: type=1400 audit(1560026901.196:180): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-default-with-nfs" name="/sys/fs/cgroup/hugetlb/" pid=924 comm="systemd" fstype="cgroup" srcname="cgroup" flags="rw, nosuid, nodev, noexec"
Jun 08 15:48:21 capitolium audit[924]: AVC apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-default-with-nfs" name="/sys/fs/cgroup/net_cls,net_prio/" pid=924 comm="systemd" fstype="cgroup" srcname="cgroup" flags="rw, nosuid, nodev, noexec"
Jun 08 15:48:21 capitolium audit[924]: AVC apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-default-with-nfs" name="/sys/fs/cgroup/pids/" pid=924 comm="systemd" fstype="cgroup" srcname="cgroup" flags="rw, nosuid, nodev, noexec"
Jun 08 15:48:21 capitolium audit[924]: AVC apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-default-with-nfs" name="/sys/fs/cgroup/rdma/" pid=924 comm="systemd" fstype="cgroup" srcname="cgroup" flags="rw, nosuid, nodev, noexec"
Jun 08 15:48:21 capitolium audit[924]: AVC apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-default-with-nfs" name="/sys/fs/cgroup/perf_event/" pid=924 comm="systemd" fstype="cgroup" srcname="cgroup" flags="rw, nosuid, nodev, noexec"
Jun 08 15:48:21 capitolium audit[924]: AVC apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-default-with-nfs" name="/sys/fs/cgroup/freezer/" pid=924 comm="systemd" fstype="cgroup" srcname="cgroup" flags="rw, nosuid, nodev, noexec"
Jun 08 15:48:21 capitolium audit[924]: AVC apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-default-with-nfs" name="/sys/fs/cgroup/cpuset/" pid=924 comm="systemd" fstype="cgroup" srcname="cgroup" flags="rw, nosuid, nodev, noexec"
Jun 08 15:48:21 capitolium audit[924]: AVC apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-default-with-nfs" name="/sys/fs/cgroup/memory/" pid=924 comm="systemd" fstype="cgroup" srcname="cgroup" flags="rw, nosuid, nodev, noexec"
Jun 08 15:48:21 capitolium audit[924]: AVC apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-default-with-nfs" name="/sys/fs/cgroup/hugetlb/" pid=924 comm="systemd" fstype="cgroup" srcname="cgroup" flags="rw, nosuid, nodev, noexec"
Jun 08 15:48:21 capitolium audit[924]: AVC apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-default-with-nfs" name="/sys/fs/cgroup/cpu,cpuacct/" pid=924 comm="systemd" fstype="cgroup" srcname="cgroup" flags="rw, nosuid, nodev, noexec"
Jun 08 15:48:21 capitolium audit[924]: AVC apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-default-with-nfs" name="/sys/fs/cgroup/devices/" pid=924 comm="systemd" fstype="cgroup" srcname="cgroup" flags="rw, nosuid, nodev, noexec"
Jun 08 15:48:21 capitolium audit[924]: AVC apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-default-with-nfs" name="/sys/fs/cgroup/blkio/" pid=924 comm="systemd" fstype="cgroup" srcname="cgroup" flags="rw, nosuid, nodev, noexec"

Any ideas? I'd really like to stick with this container for now and push through this if possible, if for no other reason than to learn something. I'm just stuck and seriously lacking in AppArmor knowledge. Thanks for reading!

Edit: Added some information and fixed some truncated lines from journalctl.
Hello there,

My past tinkering with NFS inside containers was with privileged containers. Now correct me if I'm wrong here, but technically speaking, kernel NFS isn't namespaced. So even though you may get AppArmor properly configured, you may still run into further issues, e.g. Operation not Permitted.

With that said, FWIW, here's my AppArmor configuration:

Code:
profile lxc-container-default-with-nfsd flags=(attach_disconnected,mediate_deleted) {
  #include <abstractions/lxc/container-base>

  # the container may never be allowed to mount devpts.  If it does, it
  # will remount the host's devpts.  We could allow it to do it with
  # the newinstance option (but, right now, we don't).
  deny mount fstype=devpts,
  mount fstype=nfsd,
  mount fstype=rpc_pipefs,
  mount fstype=cgroup -> /sys/fs/cgroup/**,
}

Regards
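An added example, not code from this thread, that turns AppArmor mount denials like the ones posted above into candidate profile rules, so you can see which fstype/target pairs a custom profile is missing (here the cgroup mounts that the last rule in the profile above covers). The function name and the sample audit lines are constructed for the demonstration.

```shell
#!/bin/sh
# Summarise AppArmor mount denials for one container profile and print a
# covering `mount` rule per denied fstype and parent directory.
# Reads audit/journal lines on stdin; on a Proxmox host you would run e.g.
#   journalctl -k -b | denied_mount_rules lxc-container-default-with-nfs

denied_mount_rules() {
    profile="$1"
    # keep only mount denials that hit the requested profile
    grep 'apparmor="DENIED" operation="mount"' |
    grep "profile=\"${profile}\"" |
    # extract "<fstype> <mount target>" from each line
    sed -n 's/.*name="\([^"]*\)".*fstype="\([^"]*\)".*/\2 \1/p' |
    sort -u |
    # collapse each target to its parent directory, one rule per fstype+dir
    awk '{
        dir = $2
        sub(/\/$/, "", dir)           # drop trailing slash
        sub(/\/[^\/]*$/, "/", dir)    # drop last path component
        if (dir == "") dir = "/"      # target was the root directory
        key = $1 " " dir
        if (!(key in seen)) {
            seen[key] = 1
            printf "mount fstype=%s -> %s**,\n", $1, dir
        }
    }'
}

# Constructed sample: two cgroup denials for the profile of interest plus
# one denial for a different profile that must be ignored.
SAMPLE='audit: type=1400 audit(1.0:1): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-container-default-with-nfs" name="/sys/fs/cgroup/freezer/" pid=1 comm="systemd" fstype="cgroup" srcname="cgroup" flags="rw, nosuid, nodev, noexec"
audit: type=1400 audit(1.0:2): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-container-default-with-nfs" name="/sys/fs/cgroup/net_cls,net_prio/" pid=1 comm="systemd" fstype="cgroup" srcname="cgroup" flags="rw, nosuid, nodev, noexec"
audit: type=1400 audit(1.0:3): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-container-default" name="/mnt/x/" pid=2 comm="mount" fstype="nfs" srcname="srv:/x" flags="rw"'

printf '%s\n' "$SAMPLE" | denied_mount_rules lxc-container-default-with-nfs
```

The printed rules use a `**` glob on the parent directory, so treat them as a starting point and narrow the target path where a single mount point is all the container needs.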
Hello there,

My past tinkering with NFS inside containers was with privileged containers. Now correct me if I'm wrong here, but technically speaking, kernel NFS isn't namespaced. So even though you may get AppArmor properly configured, you may still run into further issues, e.g. Operation not Permitted.

Thanks for the reply. I'm very new to Proxmox and I'll quickly admit that I'm out of my depth here, so I imagine it's very possible that what I'm trying to do will not work at all. If that's the case and I need to run a privileged container or a virtual machine for this file server, I'll concede that. The only reason I thought I could make it work otherwise is because it seems like others have done so. I tried your AppArmor config and it didn't work either. In fact, I cannot even use any of the default configs that come with Proxmox. The container will start, but AppArmor denies all mounts in the config file. Do you have any ideas about that? Thanks again for your help. I really appreciate it.

Code:
Jun 09 13:11:06 capitolium kernel: audit: type=1400 audit(1560103866.719:333): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-container-default-with-nfs" name="/sys/fs/cgroup/freezer/" pid=12721 comm="systemd" fstype="cgroup" srcname="cgroup" flags="rw, nosuid, nodev, noexec"
Jun 09 13:11:06 capitolium kernel: audit: type=1400 audit(1560103866.719:334): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-container-default-with-nfs" name="/sys/fs/cgroup/perf_event/" pid=12721 comm="systemd" fstype="cgroup" srcname="cgroup" flags="rw, nosuid, nodev, noexec"
Jun 09 13:11:06 capitolium kernel: audit: type=1400 audit(1560103866.719:335): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-container-default-with-nfs" name="/sys/fs/cgroup/devices/" pid=12721 comm="systemd" fstype="cgroup" srcname="cgroup" flags="rw, nosuid, nodev, noexec"
Jun 09 13:11:06 capitolium kernel: audit: type=1400 audit(1560103866.719:336): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-container-default-with-nfs" name="/sys/fs/cgroup/hugetlb/" pid=12721 comm="systemd" fstype="cgroup" srcname="cgroup" flags="rw, nosuid, nodev, noexec"
Jun 09 13:11:06 capitolium kernel: audit: type=1400 audit(1560103866.719:337): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-container-default-with-nfs" name="/sys/fs/cgroup/memory/" pid=12721 comm="systemd" fstype="cgroup" srcname="cgroup" flags="rw, nosuid, nodev, noexec"
Jun 09 13:11:06 capitolium kernel: audit: type=1400 audit(1560103866.719:338): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-container-default-with-nfs" name="/sys/fs/cgroup/cpu,cpuacct/" pid=12721 comm="systemd" fstype="cgroup" srcname="cgroup" flags="rw, nosuid, nodev, noexec"
Jun 09 13:11:06 capitolium kernel: audit: type=1400 audit(1560103866.719:339): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-container-default-with-nfs" name="/sys/fs/cgroup/net_cls,net_prio/" pid=12721 comm="systemd" fstype="cgroup" srcname="cgroup" flags="rw, nosuid, nodev, noexec"
Jun 09 13:11:06 capitolium kernel: audit: type=1400 audit(1560103866.719:340): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-container-default-with-nfs" name="/sys/fs/cgroup/cpuset/" pid=12721 comm="systemd" fstype="cgroup" srcname="cgroup" flags="rw, nosuid, nodev, noexec"
 
Out of a privileged container or a virtual machine, which option would you consider preferable? Is it as simple as lower resource usage / lower security vs higher resource usage / higher security? How much risk is there with a privileged container and is there any way to harden it?
 
Hmm... I can't even get it to work in a privileged container. In fact, I can't even get the Debian TurnKey File Server to work in a privileged container with NFS enabled in features. I'm officially lost now.

Edit: It works if I set the AppArmor profile to unconfined, but that seems like a really poor idea. I'm encouraged to keep trying to work through this, though.
Did you compare and contrast what I have with what you included in your AppArmor profile? Seems to me you are overlooking the last parameter. Unless you did include it in your AppArmor profile and it's still failing? WorksForMe (tm) with ArchLinux.