Re: [alpine-user] NFS mount in LXC

From: Jean-Charles de Longueville <jch_at_hellea.eu>
Date: Mon, 06 Apr 2015 09:33:36 +0200

On 05/04/15 12:14, Natanael Copa wrote:
> On Sat, 04 Apr 2015 12:57:34 +0200
> Jean-Charles de Longueville <jch_at_hellea.eu> wrote:
>
>> Hi,
>>
>> I can mount an NFS share from an AL box.
>> But I cannot from an AL LXC on same box (same share) :(
>> Everything is running latest stable version.
>>
>> nfstest:~# mount -t nfs -o ro nfsserver:/srv/boot/alpine /mnt
>> mount.nfs: Operation not permitted
>> mount: permission denied (are you root?)
>
> dmesg should tell you that grsecurity tries to prevent you from doing this.
>
> grsecurity does not permit the syscall mount from within a chroot since
> that is a way to break out of a chroot. This affects lxc containers too.
>
> I would recommend that you do the mounting from the lxc host in the
> container config with lxc.mount.entry or similar.
>
> https://linuxcontainers.org/lxc/manpages/man5/lxc.container.conf.5.html#lbAR

this is not working with

lxc.mount.entry=nfsserver:/srv/boot/alpine mnt nfs nosuid,intr 0 0

backend:~# lxc-start -n nfstest
lxc-start: conf.c: mount_entry: 2049 Invalid argument - failed to mount 'nfsserver:/srv/boot/alpine' on '/usr/lib/lxc/rootfs/mnt'
lxc-start: conf.c: lxc_setup: 4163 failed to setup the mount entries for 'nfstest'
lxc-start: start.c: do_start: 688 failed to setup the container
lxc-start: sync.c: __sync_wait: 51 invalid sequence number 1. expected 2
lxc-start: start.c: __lxc_start: 1080 failed to spawn 'nfstest'

> If you still want to disable mount protection in grsecurity then you
> can do that with:
> echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_mount

this is not working either

>> nfstest:~# tail /var/log/messages
>> Apr 4 10:05:59 nfstest daemon.notice rpc.statd[431]: Version 1.3.1 starting
>> Apr 4 10:05:59 nfstest daemon.warn rpc.statd[431]: Flags: TI-RPC
>> Apr 4 10:05:59 nfstest daemon.warn rpc.statd[431]: Failed to read
>> /var/lib/nfs/state: Address in use
>> Apr 4 10:05:59 nfstest daemon.notice rpc.statd[431]: Initializing NSM state
>> Apr 4 10:05:59 nfstest daemon.warn rpc.statd[431]: Failed to write NSM
>> state number: Operation not permitted
>> Apr 4 10:05:59 nfstest daemon.warn rpc.statd[431]: Running as root.
>> chown /var/lib/nfs to choose different user
>>
>> This log is when starting rpc.statd not when trying to mount the share.
>>
>> nfstest:~# ls -l /var/lib/nfs
>> total 12
>> -rw-r--r-- 1 root root 0 Nov 10 15:43 etab
>> -rw-r--r-- 1 root root 0 Nov 10 15:43 rmtab
>> drwx------ 2 nobody root 4096 Apr 4 10:05 sm
>> drwx------ 2 nobody root 4096 Apr 4 10:05 sm.bak
>> -rw-r--r-- 1 root root 4 Apr 4 10:05 state
>> -rw-r--r-- 1 root root 0 Nov 10 15:43 xtab
>>
>> any clue?
>


-- 
Cordialement,
Jean-Charles de Longueville
Received on Mon Apr 06 2015 - 09:33:36 GMT
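
The two things the quoted reply points at, the grsecurity denial in the kernel log and the `chroot_deny_mount` sysctl, can be inspected read-only on the LXC host before any setting is changed. The script below is an added example, not part of the original message: the function names and the sample files are constructed, the log wording is illustrative, and `grsec_lock` is a grsecurity sysctl that the thread does not mention.

```shell
#!/bin/sh
# Added example: report whether grsecurity's chroot mount restriction is
# active. Both functions take paths as arguments so they can be run against
# copies of the files as well as the live system.

# Print the state of chroot_deny_mount: absent, off, on or on-locked.
grsec_mount_state() {
    dir=${1:-/proc/sys/kernel/grsecurity}
    f="$dir/chroot_deny_mount"
    # No such file: the kernel has no grsecurity sysctl support.
    [ -r "$f" ] || { echo absent; return 0; }
    if [ "$(cat "$f")" = "0" ]; then
        echo off
        return 0
    fi
    # grsec_lock=1 freezes all grsecurity sysctls until reboot, so writing
    # 0 to chroot_deny_mount is rejected while the lock is set.
    if [ -r "$dir/grsec_lock" ] && [ "$(cat "$dir/grsec_lock")" = "1" ]; then
        echo on-locked
    else
        echo on
    fi
}

# Count kernel log lines in which grsecurity reports a mount attempt.
grsec_mount_denials() {
    [ -r "$1" ] || { echo 0; return 0; }
    grep -c 'grsec:.*mount' "$1" || true
}

# Constructed sample data (not taken from the thread).
tmp=$(mktemp -d)
echo 1 > "$tmp/chroot_deny_mount"
echo 1 > "$tmp/grsec_lock"
cat > "$tmp/kern.log" <<'EOF'
kernel: grsec: denied mount of nfsserver:/srv/boot/alpine as /mnt from chroot by /bin/mount
kernel: eth0: link up
EOF
echo "state:   $(grsec_mount_state "$tmp")"
echo "denials: $(grsec_mount_denials "$tmp/kern.log")"
rm -rf "$tmp"
```

On a live host, call `grsec_mount_state` with no argument and pass `grsec_mount_denials` a saved copy of the `dmesg` output.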