X-Original-To: alpine-user@lists.alpinelinux.org
Delivered-To: alpine-user@mail.alpinelinux.org
Received: from ncopa-laptop (unknown [79.160.13.130]) (using TLSv1 with cipher ECDHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) (Authenticated sender: n@tanael.org) by mail.alpinelinux.org (Postfix) with ESMTPSA id 09150DC00B0; Sun, 5 Apr 2015 10:14:12 +0000 (UTC)
Date: Sun, 5 Apr 2015 12:14:08 +0200
From: Natanael Copa
To: Jean-Charles de Longueville
Cc: "alpine-user@lists.alpinelinux.org"
Subject: Re: [alpine-user] NFS mount in LXC
Message-ID: <20150405121408.1b161feb@ncopa-laptop>
In-Reply-To: <551FC39E.9030103@hellea.eu>
References: <551FC39E.9030103@hellea.eu>
X-Mailer: Claws Mail 3.11.1 (GTK+ 2.24.25; x86_64-alpine-linux-musl)
X-Mailinglist: alpine-user
Precedence: list
List-Id: Alpine Development
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit

On Sat, 04 Apr 2015 12:57:34 +0200
Jean-Charles de Longueville wrote:

> Hi,
>
> I can mount an NFS share from an AL box.
> But I cannot from an AL LXC on the same box (same share) :(
> Everything is running the latest stable version.
>
> nfstest:~# mount -t nfs -o ro nfsserver:/srv/boot/alpine /mnt
> mount.nfs: Operation not permitted
> mount: permission denied (are you root?)

dmesg should tell you that grsecurity tries to prevent you from doing this.

grsecurity does not permit the syscall mount from within a chroot since
that is a way to break out of a chroot. This affects lxc containers too.

I would recommend that you do the mounting from the lxc host in the
container config with lxc.mount.entry or similar.

https://linuxcontainers.org/lxc/manpages/man5/lxc.container.conf.5.html#lbAR

If you still want to disable mount protection in grsecurity then you can
do that with:

echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_mount

> nfstest:~# tail /var/log/messages
> Apr  4 10:05:59 nfstest daemon.notice rpc.statd[431]: Version 1.3.1 starting
> Apr  4 10:05:59 nfstest daemon.warn rpc.statd[431]: Flags: TI-RPC
> Apr  4 10:05:59 nfstest daemon.warn rpc.statd[431]: Failed to read /var/lib/nfs/state: Address in use
> Apr  4 10:05:59 nfstest daemon.notice rpc.statd[431]: Initializing NSM state
> Apr  4 10:05:59 nfstest daemon.warn rpc.statd[431]: Failed to write NSM state number: Operation not permitted
> Apr  4 10:05:59 nfstest daemon.warn rpc.statd[431]: Running as root. chown /var/lib/nfs to choose different user
>
> This log is when starting rpc.statd not when trying to mount the share.
>
> nfstest:~# ls -l /var/lib/nfs
> total 12
> -rw-r--r--    1 root     root             0 Nov 10 15:43 etab
> -rw-r--r--    1 root     root             0 Nov 10 15:43 rmtab
> drwx------    2 nobody   root          4096 Apr  4 10:05 sm
> drwx------    2 nobody   root          4096 Apr  4 10:05 sm.bak
> -rw-r--r--    1 root     root             4 Apr  4 10:05 state
> -rw-r--r--    1 root     root             0 Nov 10 15:43 xtab
>
> any clue?

---
Unsubscribe:  alpine-user+unsubscribe@lists.alpinelinux.org
Help:         alpine-user+help@lists.alpinelinux.org
---
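The host-side alternative suggested in the reply, as an added example that is not part of the thread: a small POSIX sh helper that emits the lxc.mount.entry line for the share quoted above (so the container never needs mount(2) and grsecurity's chroot_deny_mount can stay on) and a check that reports the state of that sysctl. The function names and the fstab-style target layout are this example's own assumptions; the share, mount point and sysctl path come from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): keep grsecurity's chroot_deny_mount
# enabled and let the LXC host perform the NFS mount via lxc.mount.entry.

# Emit an lxc.mount.entry line in fstab format. The target is relative to
# the container rootfs (no leading slash), as lxc.container.conf(5)
# describes; the host performs the mount when the container starts, so
# mount(2) is never issued from inside the container's chroot.
make_lxc_nfs_entry() {
    share=$1        # e.g. nfsserver:/srv/boot/alpine
    target=$2       # e.g. mnt  (becomes /mnt inside the container)
    opts=${3:-ro}   # NFS mount options; read-only unless told otherwise
    printf 'lxc.mount.entry = %s %s nfs %s 0 0\n' "$share" "$target" "$opts"
}

# Report whether grsecurity's chroot mount protection is active. The sysctl
# path is a parameter so the check can be exercised against any file;
# it defaults to the real one quoted in the thread.
# Prints "enabled", "disabled", or "absent" (kernel without grsecurity).
grsec_chroot_deny_mount_state() {
    file=${1:-/proc/sys/kernel/grsecurity/chroot_deny_mount}
    if [ ! -r "$file" ]; then
        echo absent
    elif [ "$(cat "$file")" = "1" ]; then
        echo enabled
    else
        echo disabled
    fi
}

# When the state is "enabled", mount.nfs failing with "Operation not
# permitted" inside the container is the expected result; the line below
# is what to add to the container config on the host instead.
make_lxc_nfs_entry nfsserver:/srv/boot/alpine mnt ro
grsec_chroot_deny_mount_state
```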