Fix for connecting to an NFS server from a Proxmox CentOS 7/Debian container

I hope you already know how to allow NFS from the Proxmox host server. If not, you may read my earlier post:

NFS fix on LXC Host Server

The fix works for Proxmox 4.x

I was actually receiving an error like the one below:

# mount -t nfsd nfsd /proc/fs/nfsd
mount: nfsd is write-protected, mounting read-only
mount: cannot mount nfsd read-only

My Proxmox edition was 5.0-30 and my CentOS was 7.

However, this case is a bit different from the one mentioned above. I was having trouble connecting my CentOS 7 LXC container to an NFS server on the network. The regular tweak didn't work, so I had to spend a while googling the solution. I found the correct one on a forum thread, and eventually it worked. For this you need to edit the file

nano /etc/pve/lxc/<your container ID>.conf

Add the line below to the conf file. It turns off AppArmor confinement for this container:

lxc.aa_profile: unconfined

Reboot the container, then try to connect to the NFS server. It should work.

For Proxmox 5, a slightly reworked version:

First run

cp /etc/apparmor.d/lxc/lxc-default-cgns /etc/apparmor.d/lxc/lxc-default-with-nfs

Then edit the new file /etc/apparmor.d/lxc/lxc-default-with-nfs: replace "profile lxc-container-default-cgns" with "profile lxc-default-with-nfs", and put the NFS configuration (see below) just before the closing bracket (}).

NFS configuration

mount fstype=nfs*,
mount fstype=rpc_pipefs,

or (being more explicit)

mount fstype=nfs,
mount fstype=nfs4,
mount fstype=nfsd,
mount fstype=rpc_pipefs,

and finally run

service apparmor reload

Use the new profile (earlier than PVE 6.x)
Edit /etc/pve/lxc/${container_id}.conf and append this line:

lxc.apparmor.profile: lxc-container-default-with-nfs

Use the new profile (earlier than PVE 6.x)
Edit /etc/pve/lxc/${container_id}.conf and append this line:

lxc.apparmor.profile: lxc-default-with-nfs

Then stop the container and start it again, e.g. like this:

pct stop ${container_id} && pct start ${container_id}

Now mounting NFS shares should work.
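A check to run before restarting the container, as an added example that is not part of the original post: it reads the container config, flags unconfined, and confirms that the name on the lxc.apparmor.profile line is declared by a "profile" line in the profile directory (AppArmor matches on that declared name, not the file name, so only one of the two spellings given above can load). The function name, its return codes and the constructed demo files are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit the AppArmor line of a Proxmox LXC container config.
# check_lxc_apparmor CONF PROFILE_DIR
# Return codes (a convention of this example, not of LXC or Proxmox):
#   0 confined by a profile declared in PROFILE_DIR
#   1 unconfined: AppArmor does not restrict the container
#   2 names a profile that no file in PROFILE_DIR declares
#   3 no AppArmor profile line in CONF
check_lxc_apparmor() {
    conf=$1
    dir=$2
    # Accept both key spellings used on this page.
    names=$(sed -nE 's/^[[:space:]]*lxc\.(aa_profile|apparmor\.profile)[[:space:]]*[:=][[:space:]]*([^[:space:]]+).*$/\2/p' "$conf")
    [ -n "$names" ] || { echo "$conf: no AppArmor profile line"; return 3; }
    for name in $names; do
        if [ "$name" = unconfined ]; then
            echo "$conf: unconfined"
            return 1
        fi
        # Match the word after "profile" inside the files, not the file name.
        file=$(awk -v n="$name" '$1 == "profile" && $2 == n { print FILENAME; exit }' "$dir"/* 2>/dev/null)
        if [ -z "$file" ]; then
            echo "$conf: profile '$name' is not declared under $dir"
            return 2
        fi
        # List the allow rules; "deny mount" and commented lines do not match.
        allowed=$(sed -nE 's/^[[:space:]]*mount[[:space:]]+fstype=([^,[:space:]]+).*/\1/p' "$file" | tr '\n' ' ')
        echo "$conf: '$name' in $file allows mount fstype: $allowed"
    done
    return 0
}

# Demo on constructed files in a temporary directory (no host files are read).
demo() {
    d=$(mktemp -d)
    mkdir "$d/lxc"
    printf '%s\n' 'profile lxc-default-with-nfs flags=(attach_disconnected,mediate_deleted) {' \
        '  mount fstype=nfs*,' '  mount fstype=rpc_pipefs,' '}' > "$d/lxc/lxc-default-with-nfs"
    for p in unconfined lxc-container-default-with-nfs lxc-default-with-nfs; do
        printf 'lxc.apparmor.profile: %s\n' "$p" > "$d/ct.conf"
        check_lxc_apparmor "$d/ct.conf" "$d/lxc"
        echo "-> exit code $?"
    done
    rm -rf "$d"
}
if [ "${1:-}" = demo ]; then demo; fi
```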


NFS fix on LXC Host Server

The NFS client on LXC does not seem to work. Why? The problem is AppArmor on the real machine, which blocks any attempt to mount NFS volumes.
To minimize the security changes to AppArmor, I added the following lines to /etc/apparmor.d/lxc/lxc-default:

# allow nfs mount everywhere

mount fstype=rpc_pipefs, 
mount fstype=nfs,

Then

$ /etc/init.d/apparmor reload

And now I was able to restart nfs-common and nfs-kernel-server without errors!

Update:

nano /etc/apparmor.d/lxc/lxc-default

Update the file as shown below:

# Do not load this file. Rather, load /etc/apparmor.d/lxc-containers, which
# will source all profiles under /etc/apparmor.d/lxc

profile lxc-container-default flags=(attach_disconnected,mediate_deleted) {
#include <abstractions/lxc/container-base>

# the container may never be allowed to mount devpts. If it does, it
# will remount the host's devpts. We could allow it to do it with
# the newinstance option (but, right now, we don't).
# deny mount fstype=devpts,

# allow nfs mount everywhere

mount fstype=rpc_pipefs,
mount fstype=nfs,
}


Now read the other article on how to connect to an NFS server from an LXC container.
