@ro55mo off topic, do you know how to make nfs mounts work friendly with containers in proxmox (I’ve set up the nfs share from “node” -> containers/vms)? It used to work until I updated the node (am stupido); now apparmor.d denies my nfs mounting for some unknown reason, and I have added the overrides for my mount permissions inside apparmor.d/lxc/lxc-default-custom that gets loaded from within the lxc config in etc/pve/lxc/[id].conf @wendell @SgtAwesomesauce help please guys
It’s outside my experience I am afraid.
Use a VM if you want network mounts.
Also, I don’t really mess with AppArmor. I’m a RHEL guy, so I really only mess with SELinux.
Proxmox has KSM, so identical memory pages will be merged into one to save RAM.
I’ve tried to make for example centos with nfs share and tried to mount it in another proxmox container, same thing. I’ll try to do vm->vm nfs share to see if it works
atm just tested mounting my nfs share from “node” to vm, it works … why doesn’t it work in container
I guess I’ll have to make a new vm for each service (emby/nextcloud/node). The reason I used containers is cuz they have a template with all the things I need. Also, is it good the way that I’m doing it (mounting pv on “node” and then sharing it with nfs to other vms)?
Okay, try this:
edit /etc/apparmor.d/lxc/lxc-default-cgns
Add the following:
mount fstype=nfs,
mount fstype=nfs4,
mount fstype=nfsd,
mount fstype=rpc_pipefs,
This should allow you to mount NFS shares.
Then restart the apparmor service (or reboot proxmox)
doesn’t work, it used to work yesterday before I updated the node …
Did you check that they’re still there?
who?
configs?
Yes, the config line entries.
all there, updater asked me (the conflicted things: what I wanted to do; I examined and kept mine (no diff in other lines except my additions)) so it was a good looking thing, but now it’s just not allowing me to mount for some reason…
What’s the error?
on client
mount.nfs: access denied by server while mounting [ip_of_host]:/[share]
in syslog of host
Nov 08 20:08:33 home audit[5503]: AVC apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-100_</var/lib/lxc>" name="/media/srvstorage/" pid=5503 comm="mount.nfs" fstype="nfs" srcname="192.168.1.10:/media/srvstorage"
Nov 08 20:08:33 home kernel: audit: type=1400 audit(1541704113.942:55): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-100_</var/lib/lxc>" name="/media/srvstorage/" pid=5503 comm="mount.nfs" fstype="nfs" srcname="192.168.1.10:/media/srvstorage
Okay, what’s in your /etc/pve/lxc/<container-id>.conf? (fill in the id of a container)
arch: amd64
cores: 2
hostname: emby
memory: 1024
net0: name=eth0,bridge=vmbr0,hwaddr=DE:E4:97:C4:ED:2E,type=veth
ostype: debian
rootfs: local-lvm:vm-100-disk-1,size=8G
swap: 512
unused0: local-lvm:vm-100-disk-2
lxc.aa.profile: lxc-default-cgns
Hmmm, okay.
Looks good to me. Can you share everything in your /etc/apparmor.d/lxc/lxc-default-cgns? This should be working.
fixed typo, it’s not working still
root@home:~# cat /etc/apparmor.d/lxc/lxc-default-cgns
# Do not load this file. Rather, load /etc/apparmor.d/lxc-containers, which
# will source all profiles under /etc/apparmor.d/lxc
profile lxc-container-default-cgns flags=(attach_disconnected,mediate_deleted) {
  #include <abstractions/lxc/container-base>
  # the container may never be allowed to mount devpts. If it does, it
  # will remount the host's devpts. We could allow it to do it with
  # the newinstance option (but, right now, we don't).
  deny mount fstype=devpts,
  mount fstype=cgroup -> /sys/fs/cgroup/**,
  mount fstype=nfs,
  mount fstype=rpc_pipefs,
  mount fstype=nfsd,
  mount fstype=nfs4,
  mount options=(rw, bind, ro),
}
So, your container profile above is lxc-default-cgns and the profile here is lxc-container-default-cgns. Try switching the profile in your emby container configuration file.
fixed typo, doesn’t work, again
Try lxc.apparmor.profile: lxc-container-default-cgns
It looks like they deprecated lxc.aa.profile
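
The two mismatches this thread ends on (the profile name in the container config versus the name declared in the profile file, and the deprecated lxc.aa.profile key) can be checked mechanically. The Python below is an added example, not code posted by anyone in the thread; the function names are hypothetical and the inputs are constructed from the files and audit line quoted above.

```python
import re

# Constructed inputs, adapted from the files and audit line quoted in this thread.
AUDIT_LINE = ('Nov 08 20:08:33 home audit[5503]: AVC apparmor="DENIED" operation="mount" '
              'info="failed flags match" error=-13 profile="lxc-100_</var/lib/lxc>" '
              'name="/media/srvstorage/" pid=5503 comm="mount.nfs" fstype="nfs" '
              'srcname="192.168.1.10:/media/srvstorage"')
CONTAINER_CONF = "hostname: emby\nostype: debian\nlxc.aa.profile: lxc-default-cgns\n"
PROFILE_FILE = ("profile lxc-container-default-cgns "
                "flags=(attach_disconnected,mediate_deleted) {\n"
                "  mount fstype=nfs,\n  mount fstype=nfs4,\n}\n")

def parse_denial(line):
    """Return the key=value fields of an AppArmor DENIED audit line, or None."""
    fields = {k: q if q else b
              for k, q, b in re.findall(r'(\w+)=(?:"([^"]*)"|(\S+))', line)}
    return fields if fields.get("apparmor") == "DENIED" else None

def declared_profiles(profile_text):
    """Profile names declared by 'profile NAME ... {' lines in an AppArmor file."""
    return set(re.findall(r'^\s*profile\s+(\S+)', profile_text, re.M))

def check_conf(conf_text, profile_text):
    """List problems with the AppArmor profile setting in a container config."""
    problems = []
    declared = declared_profiles(profile_text)
    for line in conf_text.splitlines():
        key, _, value = (part.strip() for part in line.partition(":"))
        if key not in ("lxc.aa.profile", "lxc.apparmor.profile"):
            continue
        if key == "lxc.aa.profile":
            problems.append("deprecated key lxc.aa.profile; use lxc.apparmor.profile")
        if value not in declared:
            problems.append(f"profile {value!r} is not declared; found {sorted(declared)}")
    return problems

if __name__ == "__main__":
    denial = parse_denial(AUDIT_LINE)
    # The profile the kernel actually enforced, and what it refused to mount.
    print(denial["profile"], denial["operation"], denial["fstype"], denial["name"])
    for problem in check_conf(CONTAINER_CONF, PROFILE_FILE):
        print("config:", problem)
```

Comparing the `profile` field of the denial with the name set in the container config shows which profile was actually applied to the container when the mount was refused.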