issues with NFS share in AL LXC

#1 Fri, 2015-04-10 16:30
jch

>> Hi,
>>
>> I can mount a NFS share from an AL box.
>> But I cannot from an AL LXC on same box (same share)
>> Everything is running latest stable version.
>>
>> nfstest:~# mount -t nfs -o ro nfsserver:/srv/boot/alpine /mnt
>> mount.nfs: Operation not permitted
>> mount: permission denied (are you root?)
>
> dmesg should tell you that grsecurity prevents you from doing this.
>
> grsecurity does not permit the syscall mount from within a chroot since
> that is a way to break out of a chroot. This affects lxc containers too.
>
> I would recommend that you do the mounting from the lxc host in the
> container config with lxc.mount.entry or similar.
>
> https://linuxcontainers.org/lxc/manpages/man5/lxc.container.conf.5.html#lbAR

This is not working with

lxc.mount.entry=nfsserver:/srv/boot/alpine mnt nfs nosuid,intr 0 0

backend:~# lxc-start -n nfstest
lxc-start: conf.c: mount_entry: 2049 Invalid argument - failed to mount
'nfsserver:/srv/boot/alpine' on '/usr/lib/lxc/rootfs/mnt'
lxc-start: conf.c: lxc_setup: 4163 failed to setup the mount entries for
'nfstest'
lxc-start: start.c: do_start: 688 failed to setup the container
lxc-start: sync.c: __sync_wait: 51 invalid sequence number 1. expected 2
lxc-start: start.c: __lxc_start: 1080 failed to spawn 'nfstest'

> If you still want to disable mount protection in grsecurity then you
> can do that with:
> echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_mount

This is not working either.

>> nfstest:~# tail /var/log/messages
>> Apr 4 10:05:59 nfstest daemon.notice rpc.statd[431]: Version 1.3.1 starting
>> Apr 4 10:05:59 nfstest daemon.warn rpc.statd[431]: Flags: TI-RPC
>> Apr 4 10:05:59 nfstest daemon.warn rpc.statd[431]: Failed to read
>> /var/lib/nfs/state: Address in use
>> Apr 4 10:05:59 nfstest daemon.notice rpc.statd[431]: Initializing NSM state
>> Apr 4 10:05:59 nfstest daemon.warn rpc.statd[431]: Failed to write NSM
>> state number: Operation not permitted
>> Apr 4 10:05:59 nfstest daemon.warn rpc.statd[431]: Running as root.
>> chown /var/lib/nfs to choose different user
>>
>> This log is when starting rpc.statd not when trying to mount the share.
>>
>> nfstest:~# ls -l /var/lib/nfs
>> total 12
>> -rw-r--r-- 1 root root 0 Nov 10 15:43 etab
>> -rw-r--r-- 1 root root 0 Nov 10 15:43 rmtab
>> drwx------ 2 nobody root 4096 Apr 4 10:05 sm
>> drwx------ 2 nobody root 4096 Apr 4 10:05 sm.bak
>> -rw-r--r-- 1 root root 4 Apr 4 10:05 state
>> -rw-r--r-- 1 root root 0 Nov 10 15:43 xtab
>>
>> any clue?

Mon, 2015-05-11 09:29
jch

For all I read on this subject, it seems it is not possible to mount an NFS share from inside a container :(

Most advice says to bind mount the share on the host system from outside the container prior to starting the container.
This is not what I want, as this implies that the host has knowledge about the guest's usage, and I wanted to be able to move (or duplicate) the container from host to host...

Mon, 2017-08-07 20:00
Xhelliom

Well, in case someone is looking for the answer: it's possible.

The answer is in this post: https://forum.proxmox.com/threads/advice-for-file-sharing-between-containers.25704/#post-129006

Short story:
On the Hypervisor:
Create the following file as /etc/apparmor.d/lxc/lxc-default-with-nfs

# Do not load this file.  Rather, load /etc/apparmor.d/lxc-containers, which
# will source all profiles under /etc/apparmor.d/lxc

profile lxc-container-default-with-nfs flags=(attach_disconnected,mediate_deleted) {
  #include <abstractions/lxc/container-base>

  # allow NFS (nfs/nfs4) mounts.
  mount fstype=nfs*,
}

Then reload the LXC profiles with:
# apparmor_parser -r /etc/apparmor.d/lxc-containers

Then use the following setting in the container's config:
lxc.aa_profile: lxc-container-default-with-nfs
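The profile above loosens the default LXC confinement by exactly one rule, and the thing a host admin wants to confirm before loading it is that it stays that narrow: a `mount fstype=nfs*,` rule admits NFS only, whereas a bare `mount,` rule would let the container mount any filesystem type, which is the restriction the default profile exists to enforce. The following Python script is an added example, not code from this thread, from Proxmox or from the LXC project. It parses a profile of the shape posted here plus the container config that selects it, and reports which filesystem types the container may mount and whether the profile still includes the `abstractions/lxc/container-base` abstraction. It accepts both the `lxc.aa_profile` key used above and the `lxc.apparmor.profile` key that replaced it in LXC 3.0, with either `:` or `=` as separator. All inputs are constructed inline for the example.

```python
"""Audit an LXC container's AppArmor mount permissions (added example)."""
import re

# --- Constructed sample inputs (not taken from a real host) -----------------

# The profile posted in the thread above.
PROFILE_NFS = """\
# Do not load this file.  Rather, load /etc/apparmor.d/lxc-containers, which
# will source all profiles under /etc/apparmor.d/lxc

profile lxc-container-default-with-nfs flags=(attach_disconnected,mediate_deleted) {
  #include <abstractions/lxc/container-base>

  # allow NFS (nfs/nfs4) mounts.
  mount fstype=nfs*,
}
"""

# An over-broad variant: a bare "mount," rule grants every filesystem type.
PROFILE_ANY = """\
profile lxc-container-default-with-anymount flags=(attach_disconnected,mediate_deleted) {
  #include <abstractions/lxc/container-base>
  mount,
}
"""

# Container configs. Proxmox writes "key: value"; plain LXC writes "key = value".
# lxc.aa_profile is the pre-3.0 key name; lxc.apparmor.profile is the current one.
CONFIG_OLD_KEY = "lxc.rootfs = /var/lib/lxc/nfstest/rootfs\nlxc.aa_profile: lxc-container-default-with-nfs\n"
CONFIG_NEW_KEY = "lxc.apparmor.profile = lxc-container-default-with-anymount\n"
CONFIG_UNCONFINED = "lxc.apparmor.profile = unconfined\n"

PROFILE_NAME = re.compile(r"^\s*profile\s+(\S+)", re.M)
INCLUDE_BASE = re.compile(r"^\s*#include\s+<abstractions/lxc/container-base>", re.M)
# A mount rule is a line "mount <qualifiers>," ; commented-out rules don't match.
MOUNT_RULE = re.compile(r"^\s*mount\b(.*?),\s*$", re.M)
# fstype=nfs*  or  fstype in (nfs nfs4)
FSTYPE = re.compile(r"fstype\s*(?:=|\bin\b)\s*(\([^)]*\)|\S+)")
AA_KEY = re.compile(r"^\s*(lxc\.aa_profile|lxc\.apparmor\.profile)\s*[:=]\s*(\S+)", re.M)


def parse_mount_rules(profile_text):
    """One dict per mount rule: {'rule': str, 'fstypes': [...]}.
    An empty fstypes list means the rule does not restrict the filesystem type."""
    rules = []
    for m in MOUNT_RULE.finditer(profile_text):
        body = m.group(1).strip()
        fs = FSTYPE.search(body)
        types = fs.group(1).strip("()").replace(",", " ").split() if fs else []
        rules.append({"rule": ("mount " + body).strip() + ",", "fstypes": types})
    return rules


def configured_profile(config_text):
    """Return (config_key, profile_name) from the container config, or (None, None)."""
    m = AA_KEY.search(config_text)
    return (m.group(1), m.group(2)) if m else (None, None)


def audit(profile_text, config_text):
    """Cross-check a profile against the config that is supposed to select it."""
    m = PROFILE_NAME.search(profile_text)
    name = m.group(1) if m else None
    key, wanted = configured_profile(config_text)
    rules = parse_mount_rules(profile_text)
    fstypes = sorted({t for r in rules for t in r["fstypes"]})
    unrestricted = any(not r["fstypes"] for r in rules)

    findings = []
    if wanted == "unconfined":
        findings.append("container runs unconfined: AppArmor mount mediation is off entirely")
    elif wanted is None:
        findings.append("no profile key in config: container keeps the LXC default profile")
    elif wanted != name:
        findings.append(f"config selects {wanted!r} but the profile defines {name!r}")
    if not INCLUDE_BASE.search(profile_text):
        findings.append("profile does not include abstractions/lxc/container-base")
    for r in rules:
        if not r["fstypes"]:
            findings.append(f"unrestricted rule {r['rule']!r}: any filesystem type may be mounted")

    return {"profile": name, "config_key": key, "configured": wanted,
            "fstypes": fstypes, "unrestricted": unrestricted, "findings": findings}


if __name__ == "__main__":
    for label, prof, conf in (("nfs-only", PROFILE_NFS, CONFIG_OLD_KEY),
                              ("any-mount", PROFILE_ANY, CONFIG_NEW_KEY),
                              ("unconfined", PROFILE_NFS, CONFIG_UNCONFINED)):
        result = audit(prof, conf)
        print(f"[{label}] fstypes={result['fstypes']} unrestricted={result['unrestricted']}")
        for f in result["findings"]:
            print("   -", f)
```

On a real host the two texts would be read from `/etc/apparmor.d/lxc/<profile>` and the container's config file; the audit deliberately treats a missing `fstype=` qualifier, a missing `container-base` include and an `unconfined` profile as findings, since each of those widens the container's reach well beyond the single NFS mount the answer above set out to permit.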
