FOG in LXC Container - How to configure NFS Server



  • I am currently working on converting my FOG server from OpenVZ to LXC. I am no expert, but here is what I did to get the NFS Server running inside the container.

    I run Proxmox 4.x but this should work for LXC in general. These instructions are from a post on the Proxmox Forum (https://forum.proxmox.com/threads/advice-for-file-sharing-between-containers.25704/#post-129006) and tweaked just a little.

    LXC OS: Ubuntu 16.04
    FOG Version: 1.3.0 (pulled from git)

    By default LXC has Apparmor enabled. There are two choices here, disable Apparmor or create a profile to allow NFS. I do not recommend disabling Apparmor, but it can be helpful for testing purposes.

    Option 1 - Disable Apparmor:

    • Edit the container configuration file and add the line lxc.aa_profile: unconfined.
      On Proxmox the configuration file is located at /etc/pve/lxc/CTID.conf, where CTID is the ID number of the container.

    Option 2 - Create an Apparmor profile that allows NFS:

    • Create the file /etc/apparmor.d/lxc/lxc-default-with-nfs with the following content.
    # Do not load this file.  Rather, load /etc/apparmor.d/lxc-containers, which
    # will source all profiles under /etc/apparmor.d/lxc
    
    profile lxc-container-default-with-nfs flags=(attach_disconnected,mediate_deleted) {
      #include <abstractions/lxc/container-base>
    
      # allow NFS (nfs/nfs4) mounts.
      mount fstype=nfs*,
      mount fstype=rpc_pipefs,
    }
    
    • Reload Apparmor: apparmor_parser -r /etc/apparmor.d/lxc-containers
    • Edit the container configuration file and add the line lxc.aa_profile: lxc-container-default-with-nfs.
      On Proxmox the configuration file is located at /etc/pve/lxc/CTID.conf, where CTID is the ID number of the container.

    Make sure to restart your container after you make any changes to the configuration file.

    Hope this helps!
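    The Option 2 steps above collected into one script, added here as an example and not part of the original post: it writes the dedicated profile, points a single container at it (replacing any leftover "lxc.aa_profile: unconfined" from Option 1 instead of stacking a second line), counts containers still running unconfined, and reloads only when apparmor_parser is present. Paths are the ones the post names for Proxmox 4.x; APPARMOR_DIR and PVE_LXC_DIR are assumed overrides so the functions can be tried against a scratch directory first, and the container restart is left to you.

```shell
#!/bin/sh
# Added example, not the original poster's script: applies "Option 2" above on a
# Proxmox 4.x host. APPARMOR_DIR and PVE_LXC_DIR are assumed overrides for dry runs.
set -eu
APPARMOR_DIR="${APPARMOR_DIR:-/etc/apparmor.d}"
PVE_LXC_DIR="${PVE_LXC_DIR:-/etc/pve/lxc}"
PROFILE_NAME="lxc-container-default-with-nfs"

# Dedicated profile: the stock container base plus the two NFS mount rules, nothing else.
write_nfs_profile() {
    mkdir -p "$APPARMOR_DIR/lxc"
    cat > "$APPARMOR_DIR/lxc/lxc-default-with-nfs" <<EOF
# Do not load this file.  Rather, load /etc/apparmor.d/lxc-containers, which
# will source all profiles under /etc/apparmor.d/lxc

profile $PROFILE_NAME flags=(attach_disconnected,mediate_deleted) {
  #include <abstractions/lxc/container-base>

  # allow NFS (nfs/nfs4) mounts.
  mount fstype=nfs*,
  mount fstype=rpc_pipefs,
}
EOF
}

# Point one container (CTID) at the profile. An existing lxc.aa_profile line,
# e.g. a leftover "unconfined" from Option 1, is replaced rather than duplicated.
set_container_profile() {
    conf="$PVE_LXC_DIR/$1.conf"
    grep -v '^lxc.aa_profile:' "$conf" > "$conf.tmp" || true
    printf 'lxc.aa_profile: %s\n' "$PROFILE_NAME" >> "$conf.tmp"
    mv "$conf.tmp" "$conf"
}

# Number of containers still running unconfined (Option 1), to audit once testing is done.
unconfined_count() {
    grep -l '^lxc.aa_profile: *unconfined' "$PVE_LXC_DIR"/*.conf 2>/dev/null | wc -l | tr -d ' '
}

# Reload all profiles under /etc/apparmor.d/lxc; on a host without apparmor_parser just say so.
reload_profiles() {
    command -v apparmor_parser >/dev/null 2>&1 || { echo "apparmor_parser not found; not reloaded" >&2; return 0; }
    apparmor_parser -r "$APPARMOR_DIR/lxc-containers"
}

# Usage: sh nfs-profile.sh CTID (no CTID: only define the functions). Restart the container afterwards.
if [ -n "${1:-}" ]; then
    write_nfs_profile && set_container_profile "$1" && reload_profiles
fi
```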


  • Moderator

    @jburleson Thank you for remembering this thread and coming back to help the community with your findings, it really does mean the world for open source projects - the devs and mods can’t do it all because it’s not our full time jobs. Little contributions like this are what keeps the project going and lively. Thank you.



  • Update
    For Option 2, you do not need to create a new profile. Instead you can modify the file /etc/apparmor.d/lxc/lxc-default-cgns. Here is the content of the file after I added the nfs mount options.

    # Do not load this file.  Rather, load /etc/apparmor.d/lxc-containers, which
    # will source all profiles under /etc/apparmor.d/lxc
    
    profile lxc-container-default-cgns flags=(attach_disconnected,mediate_deleted) {
      #include <abstractions/lxc/container-base>
    
      # the container may never be allowed to mount devpts.  If it does, it
      # will remount the host's devpts.  We could allow it to do it with
      # the newinstance option (but, right now, we don't).
      deny mount fstype=devpts,
      mount fstype=cgroup -> /sys/fs/cgroup/**,
      mount fstype=nfs*,
      mount fstype=rpc_pipefs,
    }
    

    You will not need to edit your container configuration file using this method.

    If you are not using Proxmox and your host kernel is NOT cgroup namespace aware, you will need to edit the file /etc/apparmor.d/lxc/lxc-default instead.

