
This question is very similar to How to fix "mount.nfs: access denied …" when trying to mount a NFS share exported by a Proxmox 5 machine?.

On a Proxmox LXC container I'm trying to mount a NFS share located on a different physical machine on the network. In /etc/fstab I've got this line:

192.168.0.4:/mnt/Pool1/homes     /home     nfs     auto,rw,hard     0 0

Running mount /home fails with the following output:

mount.nfs: access denied by server while mounting 192.168.0.4:/mnt/Pool1/homes

Output of mount -v /home:

mount.nfs: timeout set for Sun Jun 17 15:29:02 2018
mount.nfs: trying text-based options 'hard,vers=4.2,addr=192.168.0.4,clientaddr=192.168.0.166'
mount.nfs: mount(2): Permission denied
mount.nfs: access denied by server while mounting 192.168.0.4:/mnt/Pool1/homes

Each time I run the mount command, a line is added to /var/log/messages, like this one:

Jun 17 15:26:47 userserver-01 kernel: [  256.620770] audit: type=1400 audit(1529249207.168:19): apparmor="DENIED" operation="mount" info="failed type match" error=-13 profile="lxc-container-default-cgns" name="/home/" pid=2938 comm="mount.nfs" fstype="nfs" srcname="192.168.0.4:/mnt/Pool1/homes"

Obviously Proxmox uses AppArmor, and AppArmor denies the NFS mount operation (apparmor="DENIED"). It looks like AppArmor is using profile lxc-container-default-cgns (the log file shows profile="lxc-container-default-cgns"). I found that profile in /etc/apparmor.d/lxc/lxc-default-cgns.

I suppose I can edit /etc/apparmor.d/lxc/lxc-default-cgns and perform the changes necessary to allow NFS. However, this would allow NFS for all containers. Is it possible to allow NFS only for specific containers?

myrdd

1 Answer


Yes, it's possible. Simply create a new profile (based on lxc-container-default-cgns) and use it for the specific containers. So first run

cp -i /etc/apparmor.d/lxc/lxc-default-cgns /etc/apparmor.d/lxc/lxc-default-with-nfs

Then edit the new file /etc/apparmor.d/lxc/lxc-default-with-nfs:

  • replace profile lxc-container-default-cgns by profile lxc-container-default-with-nfs
  • put the NFS configuration (see below) just before the closing bracket (})

NFS configuration

Either write

  mount fstype=nfs*,
  mount fstype=rpc_pipefs,

or (being more explicit)

  mount fstype=nfs,
  mount fstype=nfs4,
  mount fstype=nfsd,
  mount fstype=rpc_pipefs,

and finally run systemctl reload apparmor.

Use the new profile

Edit /etc/pve/lxc/${container_id}.conf and append this line:

lxc.apparmor.profile: lxc-container-default-with-nfs

Then stop the container and start it again, e.g. like this:

pct stop ${container_id} && pct start ${container_id}

Now mounting NFS shares should work.

myrdd
  • Thanks for the detailed question and answer. It helped me solve the same problem. Know why proxmox doesn't enable nfs/cifs by default or why there no GUI option for this? – Gavin Hill Nov 14 '20 at 17:59
  • Glad it helped @GavinHill .. They say "NFS mounts are disabled for security reasons". However, there's a new GUI option allowing NFS mounts. You need a privileged container, then enable the container option "nfs". – myrdd Nov 14 '20 at 23:38
  • @myrdd where is the nfs container option? i'm using 6.3-2 – Ryan Burnette Jan 22 '21 at 00:50
  • In 7.-10, under Options | Features. – JayCo741 Mar 29 '22 at 19:05
  • Does this NFS AppArmor profile require a privileged container? – Derek Mahar Dec 09 '23 at 18:07
  • @DerekMahar I'm sorry, I can't answer you that question as I'm not using this method anymore. Instead, I'm mounting the NFS share on the host (Proxmox VE) and pass it as a directory to the container. – myrdd Feb 14 '24 at 08:58
  • @myrdd I also mount NFS, SMB, or SSHFS shares on the Proxmox host and then mount these into each container. However, this introduces the problem of mapping host user and group IDs to those inside the container (see https://www.itsembedded.com/sysadmin/proxmox_bind_unprivileged_lxc/). I find that Incus (formerly LXD) solves this ID mapping problem better than does Proxmox (see https://linuxcontainers.org/incus/docs/main/faq/#can-i-bind-mount-my-home-directory-in-a-container). – Derek Mahar Feb 14 '24 at 15:46