Mounting NFS in an LXC container

@ro55mo off the topic, do you know how to make nfs mounts work friendly with containers in proxmox ( I’ve set up the nfs share from “node” -> containers/vms) it used to work until i updated the node (am stupido) now apparmor.d denies my nfs mounting for some unknown reason and I have added the overrides for my mount permissions inside apparmor.d/lxc/lxc-default-custom that gets loaded from withing the lxc config in etc/pve/lxc/[id].conf @wendell @SgtAwesomesauce help please guys

It’s outside my experience I am afraid.

Use a VM if you want network mounts.

Also, I don’t really mess with AppArmor. I’m a RHEL guy, so I really only mess with SELinux.

Proxmox has KSM, so identical memory pages will be merged into one to save RAM.

I’ve tried to make for example centos with nfs share and tried to mount it in another proxmox container, same thing, ill try to do vm->vm nfs share to see if it works

atm just tested mounting my nfs share from “node” to vm, it works … why doesnt it work in container :confused:
I guess ill have to make new vm for each service (emby/nextcloud/node) the reason i used containers cuz they have template with all the things i need. also is it good this way that am doing (mounting pv on “node” and then sharing it with nfs to other vms?)

Okay, try this:

edit /etc/apparmor.d/lxc/lxc-default-cgns

Add the following:

  mount fstype=nfs,
  mount fstype=nfs4,
  mount fstype=nfsd,
  mount fstype=rpc_pipefs,

This should allow you to mount NFS shares.

Then restart the apparmor service (or reboot proxmox)

doesnt work, it used to work yesterday before i updated the node …

Did you check that they’re still there?

who?
configs?

Yes, the config line entries.

all there, updater asked my (the confilcted things: what i wanted to do, i examined and kept mine (no diff in other lines except mine additions)) so it was good looking thing, but now its just not allowing me to mount for some reason…

What’s the error?

on client

mount.nfs: access denied by server while mounting [ip_of_host]:/[share]

in syslog of host

Nov 08 20:08:33 home audit[5503]: AVC apparmor=“DENIED” operation=“mount” info=“failed flags match” error=-13 profile=“lxc-100_</var/lib/lxc>” name="/media/srvstorage/" pid=5503 comm=“mount.nfs” fstype=“nfs” srcname=“192.168.1.10:/media/srvstorage”
Nov 08 20:08:33 home kernel: audit: type=1400 audit(1541704113.942:55): apparmor=“DENIED” operation=“mount” info=“failed flags match” error=-13 profile=“lxc-100_</var/lib/lxc>” name="/media/srvstorage/" pid=5503 comm=“mount.nfs” fstype=“nfs” srcname="192.168.1.10:/media/srvstorage

Okay, what’s in your /etc/pve/lxc/<container-id>.conf? (fill in the id of a container)

arch: amd64
cores: 2
hostname: emby
memory: 1024
net0: name=eth0,bridge=vmbr0,hwaddr=DE:E4:97:C4:ED:2E,type=veth
ostype: debian
rootfs: local-lvm:vm-100-disk-1,size=8G
swap: 512
unused0: local-lvm:vm-100-disk-2
lxc.aa.profile: lxc-default-cgns

Hmmm, okay.

Looks good to me. Can you share everything in your /etc/apparmor.d/lxc/lxc-default-cgns? This should be working.

fixed typo its not working still

[email protected]:~# cat /etc/apparmor.d/lxc/lxc-default-cgns

# Do not load this file.  Rather, load /etc/apparmor.d/lxc-containers, which
# will source all profiles under /etc/apparmor.d/lxc

profile lxc-container-default-cgns flags=(attach_disconnected,mediate_deleted) {
  #include <abstractions/lxc/container-base>

  # the container may never be allowed to mount devpts.  If it does, it
  # will remount the host's devpts.  We could allow it to do it with
  # the newinstance option (but, right now, we don't).
  deny mount fstype=devpts,
  mount fstype=cgroup -> /sys/fs/cgroup/**,
  mount fstype=nfs,
  mount fstype=rpc_pipefs,
  mount fstype=nfsd,
  mount fstype=nfs4,
  mount options=(rw, bind, ro),
}

So, your container profile above is lxc-default-cgns and the profile here is lxc-container-default-cgns. Try switching the profile in your emby container configuration file.

fixed typo, doesnt work, again

Try lxc.apparmor.profile: lxc-container-default-cgns

It looks like they deprecated lxc.aa.profile