NFS fix on LXC Host Server

The NFS client on LXC does not seem to work. Why? The problem is AppArmor on the real machine, which blocks any attempt to mount NFS volumes.
In order to try to minimize the security changes on AppArmor, I added the following lines in /etc/apparmor.d/lxc/lxc-default

# allow nfs mount everywhere

mount fstype=rpc_pipefs, 
mount fstype=nfs,

Then

$ /etc/init.d/apparmor reload

And now I was able to restart nfs-common and nfs-kernel-server without errors!

Update!!!!!

nano /etc/apparmor.d/lxc/lxc-default

Update the file as below:

# Do not load this file. Rather, load /etc/apparmor.d/lxc-containers, which
# will source all profiles under /etc/apparmor.d/lxc

profile lxc-container-default flags=(attach_disconnected,mediate_deleted) {
  #include <abstractions/lxc/container-base>

  # the container may never be allowed to mount devpts. If it does, it
  # will remount the host's devpts. We could allow it to do it with
  # the newinstance option (but, right now, we don't).
  # deny mount fstype=devpts,

  # allow nfs mount everywhere

  mount fstype=rpc_pipefs,
  mount fstype=nfs,
}

Allow NFS attachment on Proxmox OpenVZ containers

Prepare the container

To allow a container to use an NFS filesystem, you will need to start it with the “nfs” feature enabled. If the container is running when you set --features nfs:on, you will need to reboot it.

# vzctl set 101 --features "nfs:on" --save
# vzctl start 101

After this you may see nfs in /proc/filesystems

# vzctl exec 101 cat /proc/filesystems
 ext3
 ext2
nodev rpc_pipefs
nodev proc
nodev nfs
nodev sysfs
nodev tmpfs
nodev devpts

NFS Firewall

Dynamic ports cannot be protected by port filtering firewalls such as iptables. First, you need to configure NFS services to use fixed ports. Open /etc/sysconfig/nfs, enter:

# vi /etc/sysconfig/nfs

Modify the config directives as follows to set unused TCP/UDP ports:

# TCP port rpc.lockd should listen on.
LOCKD_TCPPORT=lockd-port-number
# UDP port rpc.lockd should listen on.
LOCKD_UDPPORT=lockd-port-number 
# Port rpc.mountd should listen on.
MOUNTD_PORT=mountd-port-number
# Port rquotad should listen on.
RQUOTAD_PORT=rquotad-port-number
# Port rpc.statd should listen on.
STATD_PORT=statd-port-number
# Outgoing port statd should use. The default port is random.
STATD_OUTGOING_PORT=statd-outgoing-port-number
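
Once the ports are pinned, the firewall rules follow directly from the directives above. The following added example (not part of the original post) reads sysconfig-style text and prints, without applying, one iptables ACCEPT rule per NFS port for a client network, and refuses when a directive is still unset. The port values, the 172.16.5.0/24 client network and the function names nfs_port and nfs_rules are assumptions made for illustration.

```shell
#!/bin/sh
# Added example. Port numbers and the client network are constructed samples.
SAMPLE_CONF='LOCKD_TCPPORT=32803
LOCKD_UDPPORT=32769
# MOUNTD_PORT=999   (commented out: must be ignored)
MOUNTD_PORT=892
RQUOTAD_PORT=875
STATD_PORT=662
STATD_OUTGOING_PORT=2020'

# nfs_port NAME CONF: print the port pinned for NAME, or fail when the
# directive is missing, commented out, or not a number in 1..65535.
nfs_port() {
    val=$(printf '%s\n' "$2" |
        sed -n "s/^[[:space:]]*$1=\([0-9][0-9]*\)[[:space:]]*\$/\1/p" | tail -n 1)
    [ -n "$val" ] && [ "$val" -ge 1 ] && [ "$val" -le 65535 ] || return 1
    printf '%s\n' "$val"
}

# nfs_rules NET CONF: print (not apply) one ACCEPT rule per NFS port for
# clients in NET. Refuses to print anything if a port is still dynamic.
nfs_rules() {
    net=$1
    conf=$2
    # rpcbind (111) and nfsd (2049) are fixed already.
    list="tcp:111 udp:111 tcp:2049 udp:2049"
    for spec in LOCKD_TCPPORT:tcp LOCKD_UDPPORT:udp MOUNTD_PORT:tcp \
                MOUNTD_PORT:udp RQUOTAD_PORT:tcp RQUOTAD_PORT:udp \
                STATD_PORT:tcp STATD_PORT:udp; do
        name=${spec%%:*}
        port=$(nfs_port "$name" "$conf") || {
            echo "$name is not pinned; its port stays dynamic" >&2
            return 1
        }
        list="$list ${spec##*:}:$port"
    done
    for item in $list; do
        echo "iptables -A INPUT -s $net -p ${item%%:*} --dport ${item##*:} -j ACCEPT"
    done
}

nfs_rules "172.16.5.0/24" "$SAMPLE_CONF"
```

STATD_OUTGOING_PORT gets no inbound rule because it is the source port statd uses for outgoing traffic.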


NFS Server and Client on CentOS

Assumptions:

NFS Server IP: 172.16.5.100
NFS Client Node1: 172.16.5.101
NFS Client Node2: 172.16.5.102
NFS Client Node3: 172.16.5.103
NFS Client Node4: 172.16.5.104

On the NFS server and on all client machines as well:

yum install nfs-utils nfs-utils-lib

Edit the exports file that shows what to share and with whom. So run:

NFS Server and Client on Debian 6/7

Assumptions:

NFS Server IP: 172.16.5.100

NFS Client Node1: 172.16.5.101

NFS Client Node2: 172.16.5.102

NFS Client Node3: 172.16.5.103

NFS Client Node4: 172.16.5.104

On the NFS Server:

Install nfs-kernel-server and nfs-common on the computer that has the files to be shared.

apt-get update && sudo apt-get install nfs-kernel-server nfs-common

Edit the exports file that shows what to share and with whom. So run: