2014-12-03
Mounting NFS from an LXC container
In order to permit an LXC container to mount an NFS share I had to modify an AppArmor profile. Looking in /var/log/syslog we can see:
apparmor="DENIED" operation="mount" info="failed type match" error=-13 profile="lxc-container-default" name="/home/shared" pid=2774 comm="mount.nfs" fstype="nfs" srcname="nfs.lan:/mnt/shared/" flags="rw"
1 Edit the profile
In the end it was /etc/apparmor.d/lxc/lxc-default. It looks like this now:

# Do not load this file. Rather, load /etc/apparmor.d/lxc-containers, which
# will source all profiles under /etc/apparmor.d/lxc

profile lxc-container-default flags=(attach_disconnected,mediate_deleted) {
  #include <abstractions/lxc/container-base>

  # the container may never be allowed to mount devpts. If it does, it
  # will remount the host's devpts. We could allow it to do it with
  # the newinstance option (but, right now, we don't).
  deny mount fstype=devpts,
  mount fstype=rpc_pipefs,
  mount fstype=nfs nfs.lan:/mnt/shared/**,
}
Note the `nfs.lan:/mnt/shared/**`: this restricts the container to mounting only this folder and its subfolders.
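To derive a rule of this shape from the denial record instead of typing it by hand, the sketch below parses the syslog line and emits a candidate rule scoped to the denied source. It is an added example, not part of the original post; the function names are hypothetical, and it assumes the source is written as host:/path. Because the process inside the container chooses `srcname`, any value containing glob characters, commas or spaces is refused rather than copied into the profile.

```python
import re

# Constructed input: the denial record quoted in this post.
SAMPLE = ('apparmor="DENIED" operation="mount" info="failed type match" '
          'error=-13 profile="lxc-container-default" name="/home/shared" '
          'pid=2774 comm="mount.nfs" fstype="nfs" '
          'srcname="nfs.lan:/mnt/shared/" flags="rw"')

FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# host:/path with no glob characters, commas or spaces. The container picks
# srcname, so anything else must not be copied into a profile.
SAFE_SOURCE = re.compile(r'[A-Za-z0-9.-]+:/[A-Za-z0-9._/-]*')
SAFE_FSTYPE = re.compile(r'[a-z0-9_]+')


def parse_record(line):
    """Split an AppArmor log record into a dict of its key=value fields."""
    return {key: quoted or bare for key, quoted, bare in FIELD.findall(line)}


def suggest_mount_rule(line):
    """Return (profile, rule) for a denied mount, or None if unusable."""
    rec = parse_record(line)
    if rec.get("apparmor") != "DENIED" or rec.get("operation") != "mount":
        return None
    fstype, source = rec.get("fstype", ""), rec.get("srcname", "")
    if not SAFE_FSTYPE.fullmatch(fstype) or not SAFE_SOURCE.fullmatch(source):
        return None
    # Same shape as the rule in the post: a trailing slash becomes "/**".
    pattern = source + "**" if source.endswith("/") else source
    return rec.get("profile"), f"mount fstype={fstype} {pattern},"


if __name__ == "__main__":
    print(suggest_mount_rule(SAMPLE))
```

The suggestion still needs a human review before it goes into the profile: it only narrows what the container asked for, it does not decide whether the container should have it.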
2 Reload the profile
For some reason I didn't investigate, I couldn't reload using a relative path, and I had to reload two times:
apparmor_parser -r /etc/apparmor.d/lxc-containers