Sergey Romanov - Mon, 2023/06/26 - 14:37
I wanted to create an NFS share. I did that successfully during my tests on a privileged container. Now I am trying to set up a more secure environment. When I create an NFS share in Webmin I get:

rpc.nfsd: no process found
Stopping nfs-kernel-server (via systemctl): nfs-kernel-server.service.
Starting nfs-kernel-server (via systemctl): nfs-kernel-server.service
A dependency job for nfs-server.service failed. See 'journalctl -xe' for details.
failed!

I started investigating and I see that the dependency proc service is not running and I cannot start it.

root@nas ~# mount | grep nfsd
root@nas ~# mount -v -t nfsd nfsd /proc/fs/nfsd
mount: /proc/fs/nfsd: permission denied.
root@nas ~# ls -la /proc/fs
total 0
dr-xr-xr-x   7 nobody nogroup 0 Jun 26 01:12 .
dr-xr-xr-x 539 nobody nogroup 0 Jun 26 01:12 ..
dr-xr-xr-x   9 nobody nogroup 0 Jun 26 11:05 ext4
dr-xr-xr-x   9 nobody nogroup 0 Jun 26 11:05 jbd2
dr-xr-xr-x   3 nobody nogroup 0 Jun 26 01:12 lockd
dr-xr-xr-x   3 nobody nogroup 0 Jun 26 11:05 nfs
dr-xr-xr-x   2 nobody nogroup 0 Jun 26 01:12 nfsd

When I try to change the permissions or ownership of those directories, I get "operation is not permitted".
If you are concerned about security, probably best to run a VM
If you want NFS shares and are concerned about security, it's probably best to run a "proper" VM (rather than within a container).
If you are only sharing with trusted hosts and security isn't such an issue, then AFAIK you should be able to get it to work in a privileged container and/or with nesting enabled.
Running as a privileged container will likely be relatively secure (it's not as bad as Docker's "privileged" containers), but it will have knock-on effects that may cause issues with some services (some of the systemd hardening measures don't work in a privileged container, so some services will need modification to run).
Please be extra aware that enabling nesting on a privileged container does mean that the root user within the container can potentially escape (and gain some degree of control over the host root account). That is why I suggest using a "proper" VM if you plan to expose the NFS shares to untrusted end users. Note that whilst enabling nesting on unprivileged containers does still have implications for the degree of isolation, enabling nesting on an unprivileged container doesn't have the same risk (because, unlike in a privileged container, the root user within the unprivileged container maps to an unprivileged user on the host).
If you'd like to persevere, here are a couple of promising-looking results from Google:
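The reply above turns on one fact: in an unprivileged container, uid 0 inside is mapped to an unprivileged uid on the host, which is also why the original post sees "permission denied" on the nfsd mount and "nobody nogroup" as the owner of everything under /proc/fs (host root is not in the container's id map, so it shows as the overflow user). The following read-only diagnostic is an added example, not code from the forum post or from TurnKey; it parses /proc/self/uid_map and /proc/mounts (both real kernel interfaces) and reports which of the two situations the container is in. The function names and the `--run` flag are this example's own.

```shell
#!/bin/sh
# Added example: decide whether rpc.nfsd can work in this container by
# inspecting the user-namespace id mapping and the nfsd mount. Read-only.

# classify_uid_map MAP
#   MAP is the text of /proc/self/uid_map (lines: inside outside count).
#   Prints "full"   when inside uid 0 maps to host uid 0 (host, or privileged container),
#          "mapped" when inside uid 0 maps to another host uid (unprivileged container),
#          "none"   when uid 0 is not mapped at all.
classify_uid_map() {
    printf '%s\n' "$1" | awk '
        NF == 3 && $1 == 0 {
            found = 1
            r = ($2 == 0) ? "full" : "mapped"
            print r
            exit
        }
        END { if (!found) print "none" }'
}

# nfsd_mounted MOUNTS
#   MOUNTS is the text of /proc/mounts (device mountpoint fstype options dump pass).
#   Exit 0 if an nfsd filesystem is mounted on /proc/fs/nfsd, which rpc.nfsd needs.
nfsd_mounted() {
    printf '%s\n' "$1" | awk '
        $2 == "/proc/fs/nfsd" && $3 == "nfsd" { ok = 1 }
        END { if (ok) exit 0; exit 1 }'
}

# explain CLASS STATE
#   CLASS is the output of classify_uid_map, STATE is "yes"/"no" from nfsd_mounted.
explain() {
    case "$1:$2" in
        full:yes)
            echo "real root and /proc/fs/nfsd is mounted: rpc.nfsd can start" ;;
        full:no)
            echo "real root but /proc/fs/nfsd is not mounted: mount -t nfsd nfsd /proc/fs/nfsd" ;;
        mapped:*)
            echo "unprivileged container: uid 0 is a mapped, unprivileged host uid." \
                 "The kernel refuses nfsd mounts from such a user namespace and host-root" \
                 "owned /proc entries show as nobody:nogroup. Use a privileged container or a VM." ;;
        *)
            echo "uid 0 is not mapped in this user namespace" ;;
    esac
}

# report: run the checks against the live system.
report() {
    if [ -r /proc/self/uid_map ]; then
        class=$(classify_uid_map "$(cat /proc/self/uid_map)")
    else
        class=none
    fi
    if nfsd_mounted "$(cat /proc/mounts 2>/dev/null)"; then state=yes; else state=no; fi
    echo "uid map: $class; /proc/fs/nfsd mounted: $state"
    explain "$class" "$state"
}

# Only touch the live system when explicitly asked, so the functions can be sourced.
if [ "${1:-}" = "--run" ]; then report; fi
```

Run it as root inside the container with `sh nfsd_check.sh --run`. A "mapped" verdict means no chown or chmod on /proc/fs will help: the limitation is the user namespace, not file permissions, which is exactly the trade-off the reply describes between an unprivileged container and a privileged container or VM.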