> A quick read on this? Kerunix
I can understand NFS on CT running into the AppArmor issue, but why do I have it on a regular VM?
Also if you are confident about the security you can choose to turn that off.
Thank you for that link, I've come across some such posts too. I finally tried it, but that didn't help either. All my clients for NFS are on my internal network, so I have AppArmor disabled on a couple of my containers. That said, I prefer to not do it as a fan of doing security right.
    # Do not load this file. Rather, load /etc/apparmor.d/lxc-containers, which
    # will source all profiles under /etc/apparmor.d/lxc
    profile lxc-container-default-with-nfsd flags=(attach_disconnected,mediate_deleted) {
      #include <abstractions/lxc/container-base>
      # the container may never be allowed to mount devpts. If it does, it
      # will remount the host's devpts. We could allow it to do it with
      # the newinstance option (but, right now, we don't).
      deny mount fstype=devpts,
      mount fstype=nfsd,
      mount fstype=rpc_pipefs,
      mount fstype=cgroup -> /sys/fs/cgroup/**,
    }

And this on my CT conf on /etc/pve/lxc/<ctid>.conf

    ###### NFS OPTIONS ######
    ## Enable NFS
    lxc.aa_profile = unconfined
    lxc.aa_profile = lxc-container-default-with-nfsd
    ###### END NFS OPTIONS ######

Restarted NFS, and CT/VM, still get a connection failed from the client to either the CT/VM NFS server....
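An added example, not part of the thread or any poster's code: a small audit of the two files quoted above. It lists every lxc.aa_profile value in a container config, flags duplicates and `unconfined`, and checks that the named profile is defined with the nfsd and rpc_pipefs mount rules while keeping the devpts deny. The sample strings are constructed from the post, the function names are hypothetical, and which of two duplicate keys LXC honours is not assumed.

```python
import re

# Constructed samples mirroring the two files quoted in the thread.
CT_CONF = """\
## Enable NFS
lxc.aa_profile = unconfined
lxc.aa_profile = lxc-container-default-with-nfsd
"""
PROFILE = """\
profile lxc-container-default-with-nfsd flags=(attach_disconnected,mediate_deleted) {
  #include <abstractions/lxc/container-base>
  deny mount fstype=devpts,
  mount fstype=nfsd,
  mount fstype=rpc_pipefs,
  mount fstype=cgroup -> /sys/fs/cgroup/**,
}
"""

def aa_profiles(conf_text):
    """Every lxc.aa_profile value in file order; commented-out lines are skipped."""
    return re.findall(r"^[ \t]*lxc\.aa_profile[ \t]*=[ \t]*(\S+)", conf_text, re.M)

def profile_rules(profile_text, name):
    """Rule lines inside `profile <name> ... { }`, or None if it is not defined."""
    m = re.search(r"^[ \t]*profile[ \t]+" + re.escape(name) + r"(?=\s)[^{]*\{(.*?)^[ \t]*\}",
                  profile_text, re.M | re.S)
    if m is None:
        return None
    return [line.strip() for line in m.group(1).splitlines() if line.strip()]

def audit(conf_text, profile_text):
    """Return findings; which duplicate key LXC honours is not assumed here."""
    findings = []
    names = aa_profiles(conf_text)
    if len(names) > 1:
        findings.append("multiple lxc.aa_profile lines: " + ", ".join(names))
    if "unconfined" in names:
        findings.append("container may run unconfined (no AppArmor confinement)")
    for name in (n for n in names if n != "unconfined"):
        rules = profile_rules(profile_text, name)
        if rules is None:
            findings.append("profile not defined: " + name)
            continue
        for fstype in ("nfsd", "rpc_pipefs"):  # mount rules the thread's profile adds
            if "mount fstype=%s," % fstype not in rules:
                findings.append("%s: no mount rule for %s" % (name, fstype))
        if "deny mount fstype=devpts," not in rules:  # deny kept in the thread's profile
            findings.append(name + ": devpts deny rule missing")
    return findings
```

Run against the config as posted, `audit(CT_CONF, PROFILE)` reports the duplicate key and the `unconfined` entry; with only the custom profile line left in the config it returns no findings.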
> You can try narrowing down the problem by disabling the AppArmor and see if it makes the difference.
> Control variables help
Yes, I tried that too, disabled AppArmor completely, that didn't help, for both CT/VM. I also set up NFS server on Proxmox host directly, I still have the same access denied issue. Not sure if it's the server or the client that's causing the problems, nothing shows up in syslog when the connection is made and access is denied.
    mount options=(rw, bind, ro, rslave),
    mount fstype=nfsd,
    mount fstype=rpc_pipefs,

Reload the profiles with

    apparmor_parser -rv /etc/apparmor.d/lxc-containers

That solved all of my mounting problems I've had so far with NFS.
> I'd do as msg7086 said, create the same or similar setup in a kvm instance and see if you can replicate the issue.
I did create a brand new KVM, still ran into the same issue. Setting up the NFS server was easy. Mounting the exports from clients gave me access denied.
Just to be 100% clear... What IP address are you intending on serving NFS off proxmox from? What IP address is your CT/KVM client IP to receive it from? What's the IP for the CT/KVM of OC/NC? Your CT/KVM should have two network devices.