[alpine-user] NFS mount in LXC

Jean-Charles de Longueville <jch@hellea.eu>
Message ID: <551FC39E.9030103@hellea.eu>
Sender timestamp: 1428145054
DKIM signature: missing
Hi,

I can mount an NFS share from an AL box.
But I cannot from an AL LXC on the same box (same share) :(
Everything is running latest stable version.

nfstest:~# mount -t nfs -o ro nfsserver:/srv/boot/alpine /mnt
mount.nfs: Operation not permitted
mount: permission denied (are you root?)

nfstest:~# tail /var/log/messages
Apr  4 10:05:59 nfstest daemon.notice rpc.statd[431]: Version 1.3.1 starting
Apr  4 10:05:59 nfstest daemon.warn rpc.statd[431]: Flags: TI-RPC
Apr  4 10:05:59 nfstest daemon.warn rpc.statd[431]: Failed to read /var/lib/nfs/state: Address in use
Apr  4 10:05:59 nfstest daemon.notice rpc.statd[431]: Initializing NSM state
Apr  4 10:05:59 nfstest daemon.warn rpc.statd[431]: Failed to write NSM state number: Operation not permitted
Apr  4 10:05:59 nfstest daemon.warn rpc.statd[431]: Running as root. chown /var/lib/nfs to choose different user

This log is when starting rpc.statd not when trying to mount the share.

nfstest:~# ls -l /var/lib/nfs
total 12
-rw-r--r--    1 root     root             0 Nov 10 15:43 etab
-rw-r--r--    1 root     root             0 Nov 10 15:43 rmtab
drwx------    2 nobody   root          4096 Apr  4 10:05 sm
drwx------    2 nobody   root          4096 Apr  4 10:05 sm.bak
-rw-r--r--    1 root     root             4 Apr  4 10:05 state
-rw-r--r--    1 root     root             0 Nov 10 15:43 xtab

Any clue?
-- 
Cordialement,
Jean-Charles de Longueville


---
Unsubscribe:  alpine-user+unsubscribe@lists.alpinelinux.org
Help:         alpine-user+help@lists.alpinelinux.org
---
Natanael Copa <ncopa@alpinelinux.org>
Message ID: <20150405121408.1b161feb@ncopa-laptop>
In-Reply-To: <551FC39E.9030103@hellea.eu>
Sender timestamp: 1428228848
DKIM signature: missing
On Sat, 04 Apr 2015 12:57:34 +0200
Jean-Charles de Longueville <jch@hellea.eu> wrote:

> Hi,
> 
> I can mount an NFS share from an AL box.
> But I cannot from an AL LXC on the same box (same share) :(
> Everything is running latest stable version.
> 
> nfstest:~# mount -t nfs -o ro nfsserver:/srv/boot/alpine /mnt
> mount.nfs: Operation not permitted
> mount: permission denied (are you root?)

dmesg should tell you that grsecurity tries to prevent you from doing this.

grsecurity does not permit the syscall mount from within a chroot since
that is a way to break out of a chroot. This affects lxc containers too.

I would recommend that you do the mounting from the lxc host in the
container config with lxc.mount.entry or similar.

https://linuxcontainers.org/lxc/manpages/man5/lxc.container.conf.5.html#lbAR

If you still want to disable mount protection in grsecurity then you
can do that with:
echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_mount

> nfstest:~# tail /var/log/messages
> Apr  4 10:05:59 nfstest daemon.notice rpc.statd[431]: Version 1.3.1 starting
> Apr  4 10:05:59 nfstest daemon.warn rpc.statd[431]: Flags: TI-RPC
> Apr  4 10:05:59 nfstest daemon.warn rpc.statd[431]: Failed to read /var/lib/nfs/state: Address in use
> Apr  4 10:05:59 nfstest daemon.notice rpc.statd[431]: Initializing NSM state
> Apr  4 10:05:59 nfstest daemon.warn rpc.statd[431]: Failed to write NSM state number: Operation not permitted
> Apr  4 10:05:59 nfstest daemon.warn rpc.statd[431]: Running as root. chown /var/lib/nfs to choose different user
> 
> This log is when starting rpc.statd not when trying to mount the share.
> 
> nfstest:~# ls -l /var/lib/nfs
> total 12
> -rw-r--r--    1 root     root             0 Nov 10 15:43 etab
> -rw-r--r--    1 root     root             0 Nov 10 15:43 rmtab
> drwx------    2 nobody   root          4096 Apr  4 10:05 sm
> drwx------    2 nobody   root          4096 Apr  4 10:05 sm.bak
> -rw-r--r--    1 root     root             4 Apr  4 10:05 state
> -rw-r--r--    1 root     root             0 Nov 10 15:43 xtab
> 
> any clue?



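A small diagnostic helper for the two points raised above (the grsecurity chroot_deny_mount knob, and the shape of an lxc.mount.entry line for an NFS share), added here as an example; it is not code from the thread, from Alpine or from LXC. It assumes a POSIX sh, takes the knob path as a parameter so it can be run against a copy of the file, and checks only the six-field fstab layout that lxc.container.conf(5) describes, not whether the mount will succeed.

```shell
#!/bin/sh
# Added example, not from the thread: report grsecurity's chroot mount
# protection state, say where an NFS mount for an LXC guest should be done,
# and sanity-check an lxc.mount.entry value before it goes into the config.

GRSEC_KNOB=/proc/sys/kernel/grsecurity/chroot_deny_mount

# Print enforced/disabled/absent/unknown for the knob file given (default: the live one).
chroot_mount_state() {
    knob=${1:-$GRSEC_KNOB}
    [ -r "$knob" ] || { echo absent; return 0; }
    case "$(cat "$knob")" in
        1) echo enforced ;;
        0) echo disabled ;;
        *) echo unknown ;;
    esac
}

# Turn a state from chroot_mount_state into advice on where to perform the mount.
mount_advice() {
    case "$1" in
        enforced) echo "mount(2) is denied inside chroots and containers; mount from the host (lxc.mount.entry)" ;;
        disabled) echo "chroot mount protection is off; mounting inside the container is allowed" ;;
        absent)   echo "no grsecurity knob on this kernel; a mount denial has another cause" ;;
        *)        echo "unexpected knob value"; return 1 ;;
    esac
}

# Check an lxc.mount.entry value for an NFS share: six fields (fstab layout),
# a host:/path source and fstype nfs. Prints the reason and returns 1 on failure.
check_nfs_mount_entry() {
    set -- $1
    [ $# -eq 6 ] || { echo "expected 6 fields (src dst fstype opts dump pass), got $#"; return 1; }
    case "$1" in
        *:/*) ;;
        *) echo "source '$1' is not host:/path"; return 1 ;;
    esac
    [ "$3" = nfs ] || { echo "fstype '$3' is not nfs"; return 1; }
    echo "ok: $1 -> $2 (opts: $4)"
}

# Usage: inspect the live knob, then check the entry from this thread.
state=$(chroot_mount_state)
echo "chroot_deny_mount: $state"
mount_advice "$state"
check_nfs_mount_entry "nfsserver:/srv/boot/alpine mnt nfs nosuid,intr 0 0"
```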
Jean-Charles de Longueville <jch@hellea.eu>
Message ID: <552236D0.8030309@hellea.eu>
In-Reply-To: <20150405121408.1b161feb@ncopa-laptop>
Sender timestamp: 1428305616
DKIM signature: missing
On 05/04/15 12:14, Natanael Copa wrote:
> On Sat, 04 Apr 2015 12:57:34 +0200
> Jean-Charles de Longueville <jch@hellea.eu> wrote:
> 
>> Hi,
>>
>> I can mount an NFS share from an AL box.
>> But I cannot from an AL LXC on the same box (same share) :(
>> Everything is running latest stable version.
>>
>> nfstest:~# mount -t nfs -o ro nfsserver:/srv/boot/alpine /mnt
>> mount.nfs: Operation not permitted
>> mount: permission denied (are you root?)
> 
> dmesg should tell you that grsecurity tries to prevent you from doing this.
> 
> grsecurity does not permit the syscall mount from within a chroot since
> that is a way to break out of a chroot. This affects lxc containers too.
> 
> I would recommend that you do the mounting from the lxc host in the
> container config with lxc.mount.entry or similar.
> 
> https://linuxcontainers.org/lxc/manpages/man5/lxc.container.conf.5.html#lbAR

This is not working with

lxc.mount.entry=nfsserver:/srv/boot/alpine mnt nfs nosuid,intr 0 0

backend:~# lxc-start -n nfstest
lxc-start: conf.c: mount_entry: 2049 Invalid argument - failed to mount 'nfsserver:/srv/boot/alpine' on '/usr/lib/lxc/rootfs/mnt'
lxc-start: conf.c: lxc_setup: 4163 failed to setup the mount entries for 'nfstest'
lxc-start: start.c: do_start: 688 failed to setup the container
lxc-start: sync.c: __sync_wait: 51 invalid sequence number 1. expected 2
lxc-start: start.c: __lxc_start: 1080 failed to spawn 'nfstest'

> If you still want to disable mount protection in grsecurity then you
> can do that with:
> echo 0 > /proc/sys/kernel/grsecurity/chroot_deny_mount

This is not working either.

>> nfstest:~# tail /var/log/messages
>> Apr  4 10:05:59 nfstest daemon.notice rpc.statd[431]: Version 1.3.1 starting
>> Apr  4 10:05:59 nfstest daemon.warn rpc.statd[431]: Flags: TI-RPC
>> Apr  4 10:05:59 nfstest daemon.warn rpc.statd[431]: Failed to read /var/lib/nfs/state: Address in use
>> Apr  4 10:05:59 nfstest daemon.notice rpc.statd[431]: Initializing NSM state
>> Apr  4 10:05:59 nfstest daemon.warn rpc.statd[431]: Failed to write NSM state number: Operation not permitted
>> Apr  4 10:05:59 nfstest daemon.warn rpc.statd[431]: Running as root. chown /var/lib/nfs to choose different user
>>
>> This log is when starting rpc.statd not when trying to mount the share.
>>
>> nfstest:~# ls -l /var/lib/nfs
>> total 12
>> -rw-r--r--    1 root     root             0 Nov 10 15:43 etab
>> -rw-r--r--    1 root     root             0 Nov 10 15:43 rmtab
>> drwx------    2 nobody   root          4096 Apr  4 10:05 sm
>> drwx------    2 nobody   root          4096 Apr  4 10:05 sm.bak
>> -rw-r--r--    1 root     root             4 Apr  4 10:05 state
>> -rw-r--r--    1 root     root             0 Nov 10 15:43 xtab
>>
>> any clue?
> 


-- 
Cordialement,
Jean-Charles de Longueville

