2

I'm trying to mount an NFS share from a Proxmox 5 host and having issues. I have the following two machines:

192.168.1.3    proxmox debian box (nfs-host)
192.168.1.31   ubuntu 16.04 (nfs-client)

Permissions of /mnt/storage (NFS client):

drwxrwxrwx 11 nobody nogroup 4096 Oct  7 10:28 storage

Content of /etc/exports (NFS host):

/mnt/storage 192.168.1.31(rw,sync,no_subtree_check)

Output of showmount -e 192.168.1.3 (NFS client):

Export list for 192.168.1.3:
/mnt/storage 192.168.1.31

Trying to mount from the client fails:

me@client:/mnt/storage$ sudo mount 192.168.1.3:/mnt/storage /mnt/storage
mount.nfs: access denied by server while mounting 192.168.1.3:/mnt/storage

I ran exportfs -ra and restarted the NFS kernel server but still no joy. I also tried all the suggestions in the question "mount.nfs: access denied by server while mounting on Ubuntu machines?", but nothing has worked for me. There were only one or two answers at the bottom that had to do with Docker and another one that had typo'd IPs; neither pertained to me.

I can ping both hosts and both hosts can access the internet and see each other so I don't think it's a network issue.

Now I am seeing these errors inside /var/log/messages on the host:

Oct  7 10:06:36 pve kernel: [44667.325940] audit: type=1400 audit(1507385196.790:23): apparmor="DENIED" operation="mount" info="failed type match" error=-13 profile="lxc-container-default-cgns" name="/mnt/storage/" pid=15053 comm="mount.nfs4" fstype="nfs4" srcname="192.168.1.3:/export/storage"
Oct  7 10:07:05 pve kernel: [44696.096558] audit: type=1400 audit(1507385225.559:24): apparmor="DENIED" operation="mount" info="failed type match" error=-13 profile="lxc-container-default-cgns" name="/mnt/storage/" pid=15112 comm="mount.nfs" fstype="nfs" srcname="192.168.1.3:/export/storage"

As requested, here are the contents of all files inside /etc/apparmor.d/lxc/ containing the word mount:

root@host:/etc/apparmor.d/lxc# ll
total 24
drwxr-xr-x 2 root root 4096 Oct  6 13:24 .
drwxr-xr-x 9 root root 4096 Oct  6 13:24 ..
-rw-r--r-- 1 root root  479 Jun 30 05:01 lxc-default
-rw-r--r-- 1 root root  528 Jun 30 05:01 lxc-default-cgns
-rw-r--r-- 1 root root  544 Jun 30 05:01 lxc-default-with-mounting
-rw-r--r-- 1 root root  527 Jun 30 05:01 lxc-default-with-nesting

root@host:/etc/apparmor.d/lxc# cat lxc-default
# Do not load this file.  Rather, load /etc/apparmor.d/lxc-containers, which
# will source all profiles under /etc/apparmor.d/lxc

profile lxc-container-default flags=(attach_disconnected,mediate_deleted) {
  #include <abstractions/lxc/container-base>

  # the container may never be allowed to mount devpts.  If it does, it
  # will remount the host's devpts.  We could allow it to do it with
  # the newinstance option (but, right now, we don't).
  deny mount fstype=devpts,
}



root@host:/etc/apparmor.d/lxc# cat lxc-default-cgns
# Do not load this file.  Rather, load /etc/apparmor.d/lxc-containers, which
# will source all profiles under /etc/apparmor.d/lxc

profile lxc-container-default-cgns flags=(attach_disconnected,mediate_deleted) {
  #include <abstractions/lxc/container-base>

  # the container may never be allowed to mount devpts.  If it does, it
  # will remount the host's devpts.  We could allow it to do it with
  # the newinstance option (but, right now, we don't).
  deny mount fstype=devpts,
  mount fstype=cgroup -> /sys/fs/cgroup/**,
}



root@host:/etc/apparmor.d/lxc# cat lxc-default-with-mounting
# Do not load this file.  Rather, load /etc/apparmor.d/lxc-containers, which
# will source all profiles under /etc/apparmor.d/lxc

profile lxc-container-default-with-mounting flags=(attach_disconnected,mediate_deleted) {
  #include <abstractions/lxc/container-base>

# allow standard blockdevtypes.
# The concern here is in-kernel superblock parsers bringing down the
# host with bad data.  However, we continue to disallow proc, sys, securityfs,
# etc to nonstandard locations.
  mount fstype=ext*,
  mount fstype=xfs,
  mount fstype=btrfs,
}



root@host:/etc/apparmor.d/lxc# cat lxc-default-with-nesting
# Do not load this file.  Rather, load /etc/apparmor.d/lxc-containers, which
# will source all profiles under /etc/apparmor.d/lxc

profile lxc-container-default-with-nesting flags=(attach_disconnected,mediate_deleted) {
  #include <abstractions/lxc/container-base>
  #include <abstractions/lxc/start-container>

  deny /dev/.lxc/proc/** rw,
  deny /dev/.lxc/sys/** rw,
  mount fstype=proc -> /var/cache/lxc/**,
  mount fstype=sysfs -> /var/cache/lxc/**,
  mount options=(rw,bind),
  mount fstype=cgroup -> /sys/fs/cgroup/**,
}
myrdd
  • 481

5 Answers

1

It looks like AppArmor is kicking in on the server. See the log file messages, which include this phrase:

apparmor="DENIED"

Unfortunately I can only advise you how to switch it off, which I wouldn't recommend. I'll see if I can find some instructions for mediating it...

Chris Davies
  • 116,213
  • 16
  • 160
  • 287
1

I made the following configuration changes to /etc/apparmor.d/lxc-default-cgns on the proxmox host and I was able to successfully mount the drive.

/etc/apparmor.d/lxc-default-cgns

  mount fstype=nfs*,
  mount options=(rw, bind, ro),
Chris Davies
  • 116,213
  • 16
  • 160
  • 287
1

If you are dealing with Proxmox LXC, please consider that there is an NFS option among the LXC Features.

Zaman Oof
  • 123
  • Welcome to the site, and thank you for your contribution. Please note however that the log file extracts in the question point at apparmor being involved in the problem. Perhaps you could add some explanation on how your solution would address that point. – AdminBee Sep 30 '21 at 12:02
  • @AdminBee Because I was facing a permission issue when trying to mount NFS. It looks like the log mentioned AppArmor, so I think the solution does not need to be as complex as "apparmor", because it is just a host (Proxmox) option change. – Zaman Oof Sep 30 '21 at 15:48
0

In the /etc/export file on server

/Path/to/export 192.168.1.0/24(rw,sync,fsid=0,no_root_squash,crossmnt,no_subtree_check,no_acl)
AdminBee
  • 22,803
  • 2
    Welcome to the site, and thank you for your contribution. Would you mind editing your post to include some information on why your approach with the export options solves the OP's problem, and how you concluded from the OP's description what the underlying problem is? That way, it is usable to a wider range of audiences. – AdminBee May 07 '20 at 07:48
0

Is your container running in "unprivileged" mode? If it is, NFS and Samba functionality is disabled. To change the mode, you will need to stop the container, back it up, then restore it in "privileged" mode. Privileged mode enables the "Features" tab within the "Options" menu. In the "Features" menu, you can enable NFS (and/or Samba).

Alan
  • 1