Mail archive
alpine-user

Re: [alpine-user] NFS mount in LXC

From: Natanael Copa <ncopa_at_alpinelinux.org>
Date: Sun, 5 Apr 2015 12:14:08 +0200

On Sat, 04 Apr 2015 12:57:34 +0200
Jean-Charles de Longueville <jch_at_hellea.eu> wrote:

> Hi,
>
> I can mount an NFS share from an AL box.
> But I cannot from an AL LXC on same box (same share) :(
> Everything is running latest stable version.
>
> nfstest:~# mount -t nfs -o ro nfsserver:/srv/boot/alpine /mnt
> mount.nfs: Operation not permitted
> mount: permission denied (are you root?)

dmesg should tell you that grsecurity is preventing you from doing this.

grsecurity does not permit the mount syscall from within a chroot, since
that is a way to break out of a chroot. This affects LXC containers too.

I would recommend that you do the mounting from the LXC host in the
container config with lxc.mount.entry or similar.

https://linuxcontainers.org/lxc/manpages/man5/lxc.container.conf.5.html#lbAR

If you still want to disable mount protection in grsecurity, then you
can do that with:
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_mount

> nfstest:~# tail /var/log/messages
> Apr 4 10:05:59 nfstest daemon.notice rpc.statd[431]: Version 1.3.1 starting
> Apr 4 10:05:59 nfstest daemon.warn rpc.statd[431]: Flags: TI-RPC
> Apr 4 10:05:59 nfstest daemon.warn rpc.statd[431]: Failed to read /var/lib/nfs/state: Address in use
> Apr 4 10:05:59 nfstest daemon.notice rpc.statd[431]: Initializing NSM state
> Apr 4 10:05:59 nfstest daemon.warn rpc.statd[431]: Failed to write NSM state number: Operation not permitted
> Apr 4 10:05:59 nfstest daemon.warn rpc.statd[431]: Running as root. chown /var/lib/nfs to choose different user
>
> This log is when starting rpc.statd not when trying to mount the share.
>
> nfstest:~# ls -l /var/lib/nfs
> total 12
> -rw-r--r-- 1 root root 0 Nov 10 15:43 etab
> -rw-r--r-- 1 root root 0 Nov 10 15:43 rmtab
> drwx------ 2 nobody root 4096 Apr 4 10:05 sm
> drwx------ 2 nobody root 4096 Apr 4 10:05 sm.bak
> -rw-r--r-- 1 root root 4 Apr 4 10:05 state
> -rw-r--r-- 1 root root 0 Nov 10 15:43 xtab
>
> any clue?


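The host-side approach Natanael recommends, as an added example that is not part of the thread and not Alpine's or LXC's own code: the NFS export is mounted once on the host, then bind-mounted read-only into the container through lxc.mount.entry, so the container itself never needs the mount syscall and the grsecurity chroot_deny_mount protection can stay enabled. The host mountpoint /srv/nfs/alpine, the export nfsserver:/srv/boot/alpine and the in-rootfs target "mnt" are assumed values; create=dir is the LXC mount option that creates the target directory inside the rootfs if it is missing. The script only prints the commands and config line and reads the sysctl; it does not change anything.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): prepare an NFS share for
# an LXC container without giving the container the mount syscall.

# Read the grsecurity knob the reply mentions. Prints "absent" on a kernel
# without grsecurity (or when the knob is not readable), otherwise 0 or 1.
grsec_chroot_deny_mount() {
    f=/proc/sys/kernel/grsecurity/chroot_deny_mount
    if [ -r "$f" ]; then cat "$f"; else echo absent; fi
}

# Print the mount command to run ON THE HOST. nosuid,nodev on the NFS mount
# keep setuid binaries and device nodes on the share from being usable.
host_mount_cmd() {
    export_spec=$1; mountpoint=$2
    printf 'mount -t nfs -o ro,nosuid,nodev %s %s\n' "$export_spec" "$mountpoint"
}

# Emit one lxc.mount.entry line that bind-mounts HOST_PATH (absolute) onto
# CONTAINER_REL (relative to the container rootfs). MODE is ro (default) or rw.
# LXC remounts bind mounts to apply ro/nosuid/nodev, so the flags take effect.
lxc_bind_entry() {
    host_path=$1; container_rel=$2; mode=${3:-ro}
    case "$host_path" in
        /*) ;;
        *) echo "host path must be absolute: $host_path" >&2; return 1 ;;
    esac
    case "$container_rel" in
        /*) echo "container path must be rootfs-relative: $container_rel" >&2; return 1 ;;
    esac
    case "$mode" in
        ro|rw) ;;
        *) echo "mode must be ro or rw: $mode" >&2; return 1 ;;
    esac
    printf 'lxc.mount.entry = %s %s none bind,%s,nosuid,nodev,create=dir 0 0\n' \
        "$host_path" "$container_rel" "$mode"
}

# Whole procedure for one container: host mount, config line, and a note on
# the grsecurity state. Arguments: export spec, host mountpoint, rootfs target.
plan_nfs_for_container() {
    printf '# 1. on the host:\n'
    host_mount_cmd "$1" "$2"
    printf '# 2. append to the container config:\n'
    lxc_bind_entry "$2" "$3" ro
    printf '# grsecurity chroot_deny_mount: %s (leave it at 1; not needed for this)\n' \
        "$(grsec_chroot_deny_mount)"
}

# Demo only when run directly with an argument, e.g. ./nfs-lxc.sh plan
if [ "$#" -gt 0 ]; then
    plan_nfs_for_container nfsserver:/srv/boot/alpine /srv/nfs/alpine mnt
fi
```

With the bind mount in place, the container sees the share under /mnt without ever calling mount(2), which is the whole point of keeping chroot_deny_mount at 1: a container that can mount is a container that can remount its own rootfs or graft in a host filesystem.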

---
Unsubscribe:  alpine-user+unsubscribe_at_lists.alpinelinux.org
Help:         alpine-user+help_at_lists.alpinelinux.org
---
Received on Sun Apr 05 2015 - 12:14:08 GMT