issues with NFS share in AL LXC
- 2015-01-10
>> Hi,
>>
>> I can mount a NFS share from an AL box.
>> But I cannot from an AL LXC on the same box (same share).
>> Everything is running latest stable version.
>>
>> nfstest:~# mount -t nfs -o ro nfsserver:/srv/boot/alpine /mnt
>> mount.nfs: Operation not permitted
>> mount: permission denied (are you root?)
>
> dmesg should tell you that grsecurity tries to prevent you from doing this.
>
> grsecurity does not permit the syscall mount from within a chroot since
> that is a way to break out of a chroot. This affects lxc containers too.
>
> I would recommend that you do the mounting from the lxc host in the
> container config with lxc.mount.entry or similar.
>
> https://linuxcontainers.org/lxc/manpages/man5/lxc.container.conf.5.html#lbAR
this is not working with
lxc.mount.entry=nfsserver:/srv/boot/alpine mnt nfs nosuid,intr 0 0
backend:~# lxc-start -n nfstest
lxc-start: conf.c: mount_entry: 2049 Invalid argument - failed to mount
'nfsserver:/srv/boot/alpine' on '/usr/lib/lxc/rootfs/mnt'
lxc-start: conf.c: lxc_setup: 4163 failed to setup the mount entries for
'nfstest'
lxc-start: start.c: do_start: 688 failed to setup the container
lxc-start: sync.c: __sync_wait: 51 invalid sequence number 1. expected 2
lxc-start: start.c: __lxc_start: 1080 failed to spawn 'nfstest'
> If you still want to disable mount protection in grsecurity then you
> can do that with:
> echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_mount
this is not working either
>> nfstest:~# tail /var/log/messages
>> Apr 4 10:05:59 nfstest daemon.notice rpc.statd[431]: Version 1.3.1 starting
>> Apr 4 10:05:59 nfstest daemon.warn rpc.statd[431]: Flags: TI-RPC
>> Apr 4 10:05:59 nfstest daemon.warn rpc.statd[431]: Failed to read
>> /var/lib/nfs/state: Address in use
>> Apr 4 10:05:59 nfstest daemon.notice rpc.statd[431]: Initializing NSM state
>> Apr 4 10:05:59 nfstest daemon.warn rpc.statd[431]: Failed to write NSM
>> state number: Operation not permitted
>> Apr 4 10:05:59 nfstest daemon.warn rpc.statd[431]: Running as root.
>> chown /var/lib/nfs to choose different user
>>
>> This log is when starting rpc.statd not when trying to mount the share.
>>
>> nfstest:~# ls -l /var/lib/nfs
>> total 12
>> -rw-r--r-- 1 root root 0 Nov 10 15:43 etab
>> -rw-r--r-- 1 root root 0 Nov 10 15:43 rmtab
>> drwx------ 2 nobody root 4096 Apr 4 10:05 sm
>> drwx------ 2 nobody root 4096 Apr 4 10:05 sm.bak
>> -rw-r--r-- 1 root root 4 Apr 4 10:05 state
>> -rw-r--r-- 1 root root 0 Nov 10 15:43 xtab
>>
>> any clue?
For all I have read on this subject, it seems it is not possible to mount a NFS share from inside a container :(
Most advice says to bind mount the share on the host system from outside the container prior to starting the container.
This is not what I want, as this implies that the host has to have knowledge about the guest's usage, and I wanted to be able to move (or duplicate) the container from host to host...
Well, in case someone is looking for the answer: it's possible.
The answer is in this post: https://forum.proxmox.com/threads/advice-for-file-sharing-between-containers.25704/#post-129006
Short story :
On the Hypervisor :
Create the following file as /etc/apparmor.d/lxc/lxc-default-with-nfs
Then reload the LXC profiles with:
Then use the following setting in the container's config:
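The three steps above (write an AppArmor profile under /etc/apparmor.d/lxc, reload the LXC profiles, point the container at the new profile) as one added shell example. This is not the content of the file the post refers to and not code from the linked Proxmox thread; it is written here from the stock LXC/AppArmor conventions, and the following are assumptions: the profile name lxc-default-with-nfs, the parent file /etc/apparmor.d/lxc-containers that sources the lxc/ directory, the set of mount rules, and the config key (lxc.aa_profile for LXC 1.x/2.x, renamed lxc.apparmor.profile in LXC 3). It applies to an AppArmor host such as Proxmox/Debian; a grsecurity kernel, as in the Alpine case earlier in the thread, enforces chroot_deny_mount independently of any AppArmor profile.

```shell
#!/bin/sh
# Added example, not the file from the original post. Generates an AppArmor
# profile that lets an LXC container mount NFS, plus the matching container
# config line. Assumed names: profile "lxc-default-with-nfs", parent file
# /etc/apparmor.d/lxc-containers, key lxc.aa_profile (LXC 1/2) or
# lxc.apparmor.profile (LXC 3+).
set -eu

PROFILE_NAME="lxc-default-with-nfs"
PROFILE_PATH="/etc/apparmor.d/lxc/${PROFILE_NAME}"
PARENT_PROFILE="/etc/apparmor.d/lxc-containers"

# Emit the profile text. It starts from the stock LXC container base and
# adds mount permission only for the NFS family; devpts stays denied because
# remounting it from a container would affect the host's pty namespace.
nfs_profile() {
    cat <<EOF
# Do not load this file directly; load ${PARENT_PROFILE}, which
# sources every profile under /etc/apparmor.d/lxc.

profile ${PROFILE_NAME} flags=(attach_disconnected,mediate_deleted) {
  #include <abstractions/lxc/container-base>

  # Never let the container mount devpts: it would remount the host's.
  deny mount fstype=devpts,

  # Allow the NFS client filesystems and what rpc.statd/nfsd need.
  mount fstype=nfs,
  mount fstype=nfs4,
  mount fstype=nfsd,
  mount fstype=rpc_pipefs,
}
EOF
}

# Emit the line for the container's config that selects the profile.
# Argument: "aa" for lxc.aa_profile (LXC 1/2), "apparmor" for
# lxc.apparmor.profile (LXC 3+).
container_config_line() {
    case "${1:-aa}" in
        aa)       printf 'lxc.aa_profile = %s\n' "$PROFILE_NAME" ;;
        apparmor) printf 'lxc.apparmor.profile = %s\n' "$PROFILE_NAME" ;;
        *)        echo "unknown key style: $1" >&2; return 1 ;;
    esac
}

# Count the allow rules for mount, so a reviewer can confirm nothing beyond
# the NFS family is granted (the devpts line is a deny and is not counted).
allowed_mount_rules() {
    nfs_profile | grep -c '^ *mount fstype='
}

# Write the profile and reload it. Only acts as root on a host that has
# apparmor_parser; otherwise it reports what it would do.
install_nfs_profile() {
    if [ "$(id -u)" -ne 0 ] || ! command -v apparmor_parser >/dev/null 2>&1; then
        echo "dry run: would write $PROFILE_PATH and run apparmor_parser -r $PARENT_PROFILE" >&2
        return 0
    fi
    nfs_profile > "$PROFILE_PATH"
    # The container cannot load kernel modules, so the NFS client must
    # already be loaded on the host before the container tries to mount.
    modprobe nfs
    apparmor_parser -r "$PARENT_PROFILE"
}

if [ "${1:-}" = "install" ]; then
    install_nfs_profile
else
    nfs_profile
    container_config_line aa
fi
```

Run it without arguments to review the generated profile and config line, or as root with `install` to write and reload the profile; the config line then goes into the container's config and the container is restarted. Note what this grants: the container keeps CAP_SYS_ADMIN for mount and may now point the host kernel's NFS client at any server it can reach, so the profile should be assigned only to containers whose NFS servers are trusted, and the rest of the stock profile (including the devpts deny) should be left intact rather than widened further.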