2

This question is very similar to How to fix ”mount.nfs: access denied …“ when trying to mount a NFS share exported by a Proxmox 5 machine?.

On a Proxmox LXC container I'm trying to mount a NFS share located on a different physical machine on the network. In /etc/fstab I've got this line:

192.168.0.4:/mnt/Pool1/homes     /home     nfs     auto,rw,hard     0 0

Running mount /home fails with the following output:

mount.nfs: access denied by server while mounting 192.168.0.4:/mnt/Pool1/homes

Output of mount -v /home:

mount.nfs: timeout set for Sun Jun 17 15:29:02 2018
mount.nfs: trying text-based options 'hard,vers=4.2,addr=192.168.0.4,clientaddr=192.168.0.166'
mount.nfs: mount(2): Permission denied
mount.nfs: access denied by server while mounting 192.168.0.4:/mnt/Pool1/homes

Each time I run the mount command, a line is added to /var/log/messages, like this one:

Jun 17 15:26:47 userserver-01 kernel: [  256.620770] audit: type=1400 audit(1529249207.168:19): apparmor="DENIED" operation="mount" info="failed type match" error=-13 profile="lxc-container-default-cgns" name="/home/" pid=2938 comm="mount.nfs" fstype="nfs" srcname="192.168.0.4:/mnt/Pool1/homes"

Obviously Proxmox uses AppArmor, and AppArmor denies the NFS mount operation (apparmor="DENIED"). It looks like AppArmor is using profile lxc-container-default-cgns (the log file shows profile="lxc-container-default-cgns"). I found that profile in /etc/apparmor.d/lxc/lxc-default-cgns.

I suppose I can edit /etc/apparmor.d/lxc/lxc-default-cgns and perform the changes necessary to allow NFS. However, this would allow NFS for all containers. Is it possible to allow NFS only for specific containers?

myrdd

1 Answer

4

Yes, it's possible. Simply create a new profile (based on lxc-container-default-cgns) and use it for the specific containers. So first run

cp -i /etc/apparmor.d/lxc/lxc-default-cgns /etc/apparmor.d/lxc/lxc-default-with-nfs

Then edit the new file /etc/apparmor.d/lxc/lxc-default-with-nfs:

  • replace profile lxc-container-default-cgns by profile lxc-container-default-with-nfs
  • put the NFS configuration (see below) just before the closing bracket (})

NFS configuration

Either write

  mount fstype=nfs*,
  mount fstype=rpc_pipefs,

or (being more explicit)

  mount fstype=nfs,
  mount fstype=nfs4,
  mount fstype=nfsd,
  mount fstype=rpc_pipefs,

and finally run systemctl reload apparmor.

Use the new profile

Edit /etc/pve/lxc/${container_id}.conf and append this line:

lxc.apparmor.profile: lxc-container-default-with-nfs

Then stop the container and start it again, e.g. like this:

pct stop ${container_id} && pct start ${container_id}

Now mounting NFS shares should work.

myrdd
  • Thanks for the detailed question and answer. It helped me solve the same problem. Know why Proxmox doesn't enable nfs/cifs by default or why there's no GUI option for this? – Gavin Hill Nov 14 '20 at 17:59
  • Glad it helped @GavinHill .. [They say](https://forum.proxmox.com/threads/nfs-file-system-mount-problem-apparmor.31706/) *”NFS mounts are disabled for security reasons“*. However, there's a new GUI option allowing NFS mounts. You need a *privileged* container, then enable the container option ”nfs“. – myrdd Nov 14 '20 at 23:38
  • @myrdd Where is the nfs container option? I'm using 6.3-2 – Ryan Burnette Jan 22 '21 at 00:50
  • In 7.-10, under Options | Features. – JayCo741 Mar 29 '22 at 19:05
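
The answer's per-container profile procedure as a script, added here as an example and not part of the original answer. The function names `make_nfs_profile` and `set_container_profile` are hypothetical, and the demo runs on constructed files in a temporary directory instead of /etc/apparmor.d/lxc and /etc/pve/lxc.

```shell
#!/bin/sh
# Added example, not from the answer. Function names are hypothetical.

# make_nfs_profile SRC DST OLD NEW: copy SRC to DST, rename profile OLD to NEW,
# and insert the answer's NFS mount rules just before the closing "}".
make_nfs_profile() {
    src=$1; dst=$2; old=$3; new=$4
    [ -r "$src" ] || { echo "cannot read $src" >&2; return 1; }
    # Like "cp -i": never clobber an existing profile file.
    if [ -e "$dst" ]; then echo "$dst exists, not overwriting" >&2; return 1; fi
    # Line number of the last line starting with "}", which closes the profile.
    last=$(grep -n '^}' "$src" | tail -n 1 | cut -d: -f1)
    [ -n "$last" ] || { echo "no closing brace in $src" >&2; return 1; }
    awk -v old="$old" -v new="$new" -v last="$last" '
        $1 == "profile" && $2 == old { $2 = new; renamed = 1 }
        NR == last {
            print "  mount fstype=nfs,"
            print "  mount fstype=nfs4,"
            print "  mount fstype=nfsd,"
            print "  mount fstype=rpc_pipefs,"
        }
        { print }
        END { exit !renamed }
    ' "$src" > "$dst" || { rm -f "$dst"; echo "profile $old not in $src" >&2; return 1; }
}

# set_container_profile CONF NAME: append the profile line to one container's
# config; return 2 and change nothing if a profile is already set there.
set_container_profile() {
    conf=$1; name=$2
    if grep -q '^lxc\.apparmor\.profile:' "$conf"; then
        echo "$conf already sets lxc.apparmor.profile" >&2; return 2
    fi
    printf 'lxc.apparmor.profile: %s\n' "$name" >> "$conf"
}

# Demo on constructed files (a shortened profile and an empty container config).
demo=$(mktemp -d)
printf '%s\n' 'profile lxc-container-default-cgns flags=(attach_disconnected) {' \
    '  deny mount fstype=devpts,' '}' > "$demo/lxc-default-cgns"
: > "$demo/101.conf"
make_nfs_profile "$demo/lxc-default-cgns" "$demo/lxc-default-with-nfs" \
    lxc-container-default-cgns lxc-container-default-with-nfs
set_container_profile "$demo/101.conf" lxc-container-default-with-nfs
cat "$demo/lxc-default-with-nfs" "$demo/101.conf"
rm -rf "$demo"
```

On the Proxmox host the arguments are the paths and profile names from the answer, followed by `systemctl reload apparmor` and a stop/start of the container. The default profile file is only read, so the other containers keep the NFS mount denial.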