FOG in LXC Container - How to configure NFS Server



  • I am currently working on converting my FOG server from OpenVZ to LXC. I am no expert, but here is what I did to get the NFS Server running inside the container.

    I run Proxmox 4.x but this should work for LXC in general. These instructions are from a post on the Proxmox Forum (https://forum.proxmox.com/threads/advice-for-file-sharing-between-containers.25704/#post-129006) and tweaked just a little.

    LXC OS: Ubuntu 16.04
    FOG Version: 1.3.0 (pulled from git)

    By default LXC has Apparmor enabled. There are two choices here: disable Apparmor, or create a profile to allow NFS. I do not recommend disabling Apparmor, but it can be helpful for testing purposes.

    Option 1 - Disable Apparmor:

    • Edit the container configuration file and add the line lxc.aa_profile: unconfined.
      On Proxmox the configuration file is located at /etc/pve/lxc/CTID.conf, where CTID is the ID number of the container.

    Option 2 - Create an Apparmor profile that allows NFS:

    • Create the file /etc/apparmor.d/lxc/lxc-default-with-nfs with the following content.
    # Do not load this file.  Rather, load /etc/apparmor.d/lxc-containers, which
    # will source all profiles under /etc/apparmor.d/lxc
    
    profile lxc-container-default-with-nfs flags=(attach_disconnected,mediate_deleted) {
      #include <abstractions/lxc/container-base>
    
      # allow NFS (nfs/nfs4) mounts.
      mount fstype=nfs*,
      mount fstype=rpc_pipefs,
    }
    
    • Reload Apparmor: apparmor_parser -r /etc/apparmor.d/lxc-containers
    • Edit the container configuration file and add the line lxc.aa_profile: lxc-container-default-with-nfs.
      On Proxmox the configuration file is located at /etc/pve/lxc/CTID.conf, where CTID is the ID number of the container.

    Make sure to restart your container after you make any changes to the configuration file.

    Hope this helps!



  • @Sebastian-Roth Thanks for seeing this. I have been meaning to update this post. I noticed the change when I upgraded from Proxmox 5.1 to 5.2. I have added a new post that hopefully will help.



  • Updated for Proxmox 5.x and LXC 3.x

    LXC OS: Ubuntu 18.04 (should be applicable to others as well)
    FOG Version: 1.5.4 (pulled from git)

    By default LXC has Apparmor enabled. There are three choices here: disable Apparmor, create a profile to allow NFS, or modify the default profile used for all containers. I do not recommend disabling Apparmor, but it can be helpful for testing purposes.

    Starting with LXC 2.1, configuration keys have changed: lxc.apparmor.profile should be used instead of lxc.aa_profile.

    Option 1 - Disable Apparmor:

    • Edit the container configuration file and add the line lxc.apparmor.profile: unconfined.
      On Proxmox the configuration file is located at /etc/pve/lxc/CTID.conf, where CTID is the ID number of the container.

    Option 2 - Create an Apparmor profile that allows NFS:

    • Create the file /etc/apparmor.d/lxc/lxc-default-with-nfs with the following content.
    # Do not load this file.  Rather, load /etc/apparmor.d/lxc-containers, which
    # will source all profiles under /etc/apparmor.d/lxc
    
    profile lxc-container-default-with-nfs flags=(attach_disconnected,mediate_deleted) {
      #include <abstractions/lxc/container-base>
    
      deny mount fstype=devpts,
      mount fstype=nfs*,
      mount fstype=rpc_pipefs,
      mount fstype=cgroup -> /sys/fs/cgroup/**,
    }
    
    • If your host kernel is not namespace aware, remove the line mount fstype=cgroup -> /sys/fs/cgroup/**,.
    • Reload Apparmor: apparmor_parser -r /etc/apparmor.d/lxc-containers
    • Edit the container configuration file and add the line lxc.apparmor.profile: lxc-container-default-with-nfs.
      On Proxmox the configuration file is located at /etc/pve/lxc/CTID.conf, where CTID is the ID number of the container.

    Option 3 - Modify the default Apparmor profile to allow NFS:

    You should only choose this option if the majority of your containers need access to NFS. If you only have a couple of containers that need access to NFS, you should use Option 2. In addition, if you do decide to modify the default profile, you should create an additional profile without NFS mounts to assign to the containers that do not need access to NFS (see Option 2 for instructions on creating a new profile).

    The default profile for LXC is lxc-container-default-cgns if the host kernel is cgroup namespace aware, or lxc-container-default otherwise (from lxc.container.conf(5) man page).

    Starting with Proxmox 5.2, it seems that LXC is using lxc-container-default as the default Apparmor profile.

    • Modify the appropriate default profile.
      lxc-container-default-cgns => /etc/apparmor.d/lxc-default-cgns
      lxc-container-default => /etc/apparmor.d/lxc-default
    • Add these two lines to the end of the file right before the closing brace:
      mount fstype=nfs*,
      mount fstype=rpc_pipefs,
    • Reload Apparmor: apparmor_parser -r /etc/apparmor.d/lxc-containers

    Make sure to restart your container after you make any changes to the configuration file or to Apparmor.


  • Developer

    @jburleson I know this is an old one, but as I have heard that the latest Proxmox update just some days ago broke NFS in LXC containers, I thought I might mention this to you: https://forum.proxmox.com/threads/mounting-nfs-in-lxc-not-working-since-latest-update.47815/



  • @jburleson Thank you for remembering this thread and coming back to help the community with your findings, it really does mean the world for open source projects - the devs and mods can’t do it all because it’s not our full time jobs. Little contributions like this are what keeps the project going and lively. Thank you.



  • Update
    For Option 2, you do not need to create a new profile. Instead you can modify the file /etc/apparmor.d/lxc/lxc-default-cgns. Here is the content of the file after I added the nfs mount options.

    # Do not load this file.  Rather, load /etc/apparmor.d/lxc-containers, which
    # will source all profiles under /etc/apparmor.d/lxc
    
    profile lxc-container-default-cgns flags=(attach_disconnected,mediate_deleted) {
      #include <abstractions/lxc/container-base>
    
      # the container may never be allowed to mount devpts.  If it does, it
      # will remount the host's devpts.  We could allow it to do it with
      # the newinstance option (but, right now, we don't).
      deny mount fstype=devpts,
      mount fstype=cgroup -> /sys/fs/cgroup/**,
      mount fstype=nfs*,
      mount fstype=rpc_pipefs,
    }
    

    You will not need to edit your container configuration file using this method.

    If you are not using Proxmox and your host kernel is NOT cgroup namespace aware, you will need to edit the file /etc/apparmor.d/lxc/lxc-default instead.
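As an added example, written for this thread and not posted by any of the participants above, the following POSIX sh functions audit a container config for the Apparmor profile key (both the LXC 2.1+ key and the legacy lxc.aa_profile key) and check whether the selected profile, or the host default profile for a container with no key, actually carries the two NFS mount rules from the posts above. The function names, the constructed sample profiles and configs in make_samples, and passing the apparmor.d directory and host default profile name as parameters are all assumptions for this example.

```shell
# Added example, not from the thread: audit which AppArmor profile an LXC
# container config selects and whether that profile carries the two NFS mount
# rules from the posts above. Paths are parameters so it runs on constructed samples.

# Profile name selected by a container config ("default" when no key is set).
# Honours both the LXC >= 2.1 key and the legacy lxc.aa_profile key.
lxc_profile_name() {
    awk '/^lxc\.(apparmor\.profile|aa_profile)[ \t]*[:=]/ {
             sub(/^[^:=]*[:=][ \t]*/, ""); sub(/[ \t]+$/, ""); p = $0 }
         END { print (p == "" ? "default" : p) }' "$1"
}

# Succeeds only if the named profile (searched under $1) has active, non-deny
# rules for both fstype=nfs* and fstype=rpc_pipefs.
profile_allows_nfs() {
    f=$(grep -rl -- "^profile $2[ {]" "$1" 2>/dev/null | head -n 1)
    [ -n "$f" ] || return 1
    grep -Eq '^[[:space:]]*mount[[:space:]]+fstype=nfs\*,' "$f" &&
        grep -Eq '^[[:space:]]*mount[[:space:]]+fstype=rpc_pipefs,' "$f"
}

# Verdict for one container: 0 = confined and NFS allowed, 1 = NFS blocked or
# profile not found, 2 = unconfined (NFS works, but AppArmor is off for it).
audit_container() {   # $1 conf, $2 apparmor.d dir, $3 host default profile
    p=$(lxc_profile_name "$1")
    case "$p" in
        unconfined) echo "$1: unconfined, AppArmor not enforced"; return 2 ;;
        default)    p=$3 ;;
    esac
    if profile_allows_nfs "$2" "$p"; then
        echo "$1: '$p' allows nfs/rpc_pipefs mounts"; return 0
    fi
    echo "$1: '$p' has no NFS mount rules or was not found"; return 1
}

# Constructed sample tree (not a real host): one profile with the NFS rules,
# a stock-style cgns profile without them, and three container configs.
make_samples() {
    d=$(mktemp -d); mkdir -p "$d/apparmor.d/lxc"
    printf '%s\n' 'profile lxc-container-default-with-nfs flags=(attach_disconnected,mediate_deleted) {' \
        '  #include <abstractions/lxc/container-base>' '  deny mount fstype=devpts,' \
        '  mount fstype=nfs*,' '  mount fstype=rpc_pipefs,' '}' > "$d/apparmor.d/lxc/lxc-default-with-nfs"
    printf '%s\n' 'profile lxc-container-default-cgns flags=(attach_disconnected) {' \
        '  deny mount fstype=devpts,' '  # mount fstype=nfs*,' '}' > "$d/apparmor.d/lxc/lxc-default-cgns"
    printf 'arch: amd64\nlxc.apparmor.profile: lxc-container-default-with-nfs\n' > "$d/101.conf"
    printf 'arch: amd64\nlxc.aa_profile: unconfined\n' > "$d/102.conf"
    printf 'arch: amd64\n' > "$d/103.conf"
    echo "$d"
}
```

On a real Proxmox host you would call audit_container with /etc/pve/lxc/CTID.conf, /etc/apparmor.d and the default profile name for your kernel (lxc-container-default-cgns or lxc-container-default), and then still reload with apparmor_parser and restart the container as the posts describe.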

