vigilian's picture

Hi,

So it is a specific known problem with the nfs of your template?

I don't know why, but only your template is unusable; every other VM or template is working fine using the NFS client, but apparently not yours. Is it an old version or something like that? I am always being denied by the service: mount.nfs: access denied by server

And still the access is good and there is no firewall or anything like that, so very strange.

Is it a specific version of NFS which doesn't accept anonymous connections?

vigilian's picture

Or maybe the NFS traffic has been denied and you authorized only the Samba traffic?

Jeremy Davis's picture

IIRC though, for security it only allows access from within the same subnet. Can you please provide as much info as possible about your server and the network and explain how to reproduce the issue and I'll see what I can do.
vigilian's picture

Sorry for the delay in answering. I will reinstall it with the new templates. That way it would maybe be more accurate.

Jeremy Davis's picture

This suggests that you are using our LXC template (rather than a VM etc). NFS requires a kernel module and LXC containers do not have a kernel (they leverage the host kernel).

That can be worked around but requires that NFS is installed and enabled on the host then passed through to the LXC guest. Because of security concerns it is generally not recommended that you do that.

See info online:
https://forum.proxmox.com/threads/nfs-server-inside-lxc.25762/
https://forum.proxmox.com/threads/is-it-possible-to-run-a-nfs-server-wit...
https://lists.linuxcontainers.org/pipermail/lxc-users/2015-March/008655....
http://tquerci.blogspot.com.au/2014/03/nfs-on-lxc-container.html

A better workaround would be to install your fileserver in a "proper" VM rather than a container...
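
A quick way to check the situation described in the post above, as an added example that is not part of the original thread. It reads `/proc/filesystems` (which reflects the shared host kernel even inside a container) and the `container` variable that LXC sets for PID 1; the function names and the file-path parameters are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example (not from the thread): check NFS kernel support from inside a guest.
# A container shares the host kernel, so /proc/filesystems shows what the
# host has loaded. File paths are parameters so saved copies can be checked.

# Succeeds if filesystem type $1 is listed in the filesystems file $2.
fs_listed() {
    awk -v fs="$1" '$NF == fs { found = 1 } END { exit !found }' "$2"
}

# Prints the value of PID 1's "container" variable (LXC sets container=lxc),
# "none" if it is not set, or "unknown" if the file cannot be read.
container_type() {
    [ -r "$1" ] || { echo unknown; return; }
    ctype=$(tr '\000' '\n' < "$1" | sed -n 's/^container=//p' | head -n 1)
    echo "${ctype:-none}"
}

# Prints one summary line: container=<type> nfsd=<yes|no> nfs=<yes|no>
# nfsd is the kernel NFS server; nfs/nfs4 are the client filesystems.
nfs_report() {
    fs_file=${1:-/proc/filesystems}
    env_file=${2:-/proc/1/environ}
    nfsd=no; nfs=no
    fs_listed nfsd "$fs_file" && nfsd=yes
    if fs_listed nfs "$fs_file" || fs_listed nfs4 "$fs_file"; then nfs=yes; fi
    echo "container=$(container_type "$env_file") nfsd=$nfsd nfs=$nfs"
}

nfs_report
```

Run it as root inside the guest; `nfsd=no` means the kernel NFS server module is not loaded on the host, so an NFS server in the container cannot start regardless of its own configuration.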

vigilian's picture

mmmh now I understand better so no NFS for security risk. Understood then :)

vigilian's picture

Hi,

After thinking about it, can you confirm that NFS is deactivated in the LXC template in Proxmox even if the host has NFS activated? And that's why I have access denied?

Then what's the difference with Docker, since it doesn't have a kernel either and so uses the host kernel? Because in the ports you have the NFS port open too; why is that if it is deactivated? I guess it's not deactivated then?

Jeremy Davis's picture

But it won't work unless it's enabled on the host. WRT Proxmox you need to configure the container (within Proxmox - not within the container) to pass it through.

TBH I'm not very experienced with Docker but AFAIK the situation is the same re it having to be enabled on the host kernel. I also think that you need to launch it with the --privileged switch (so again you have the same sort of security concerns as LXC).

Regarding the ports being declared, we use the same set of ports to set the IPtables config for all the different builds so it is inherited from there. In consideration, perhaps we should not enable it by default for Docker. Although on the flipside, if someone wants to use it then perhaps it's better that it's ready to go? I'd be interested to hear your thoughts.

vigilian's picture

Well, good point. Since when I tried it was activated on my Proxmox host (NFS backup, for example), I don't know what I had to configure then, but since it is a security concern I will block it.

But I think then that for the modification you should, or we should, do a dedicated page on the wiki (since it seems to be a bit more complicated than just having the modules activated on the host), but block it anyway by default. That seems the more logical to me as a user.

Jeremy Davis's picture

Yes it would be good to document the process of enabling NFS for containers. And if we're going to do that then perhaps we should also leave it disabled by default in the containers and include how to enable it in the docs we create too. FWIW I didn't test it, but the links I posted above should help with "how to" for Proxmox/LXC. And I'm sure Google would have plenty of info for Docker.

Please feel free to make a start on that if you want. Our docs are a wiki and can be edited by any logged in user. I suggest that we start a "new child page" under the Tutorials / HOWTOs section.
