NFS directly inside container?

Hello,

I’ve read a lot about the subject, but I haven’t found any solutions that suit me.

Currently, if I want to mount NFS in an LXC container, I have to mount it on the host and then add a disk to the container with the path where it is mounted on the host. This solution is not very clean.

So I would like a solution to mount NFS directly in the Container. Is it possible to have some kind of tutorial to do this?

Thanks for reading and for your help.


Container:

root@nfsclient:~# cat /etc/debian_version 
10.7
root@nfsclient:~# mount 192.168.1.1:/mnt/nfsclient /mnt/nfs/
mount.nfs: Protocol not supported
root@nfsclient:~# dpkg -l | grep nfs
ii  libnfsidmap2:arm64                                          0.25-5.1                    arm64        NFS idmapping library
ii  nfs-common                                                  1:1.3.4-2.5+deb10u1         arm64        NFS support files common to client and server

Host:

pulsar@nyx:~$ cat /etc/debian_version 
10.7
pulsar@nyx:~$ snap list
Name    Version   Rev    Tracking       Publisher   Notes
core18  20201210  1949   latest/stable  canonical✓  base
lxd     4.9       18775  latest/stable  canonical✓  -
snapd   2.48.1    10494  latest/stable  canonical✓  snapd

It’s not possible without hacks. NFS isn’t allowed for unprivileged users, so you either need a privileged container and apparmor tweaks or you need an unprivileged container with syscall interception to run that one action as real root.

In either case, you end up with your container running stuff as real root in the kernel which can be rather unsafe. The bind-mount approach is safest as the container can only consume the mounted thing, not initiate mounts itself.

I suspect that in a few years someone will have finally taken the time to go through the plethora of NFS features and will have decided which are safe for unprivileged use and which aren’t and will have updated the kernel driver to allow for unpriv use, but this isn’t the case currently so you’re just left with workarounds.

Okay, I understand, so on a cluster I have to mount the NFS shares on each node of the cluster, are we okay?

Yes, that is correct, then you can share them into your containers via the disk device, see:

https://linuxcontainers.org/lxd/docs/master/instances#type-disk

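Added example, not part of the thread and not LXD's own code: a host-side check to run on every cluster node before sharing the NFS mount through a disk device. If the source directory exists on a node but NFS is not mounted there, the container gets the empty local directory and writes land on that node's disk. The host mount point /mnt/nfsclient, the device name nfsshare and the function names are assumptions; the container name and the in-container path /mnt/nfs come from the session above.

```shell
#!/bin/sh
# Host side only: the container never initiates the mount, it only consumes
# the directory handed to it as a disk device.
# Assumed to have been run on this node already (hypothetical host mount point):
#   mount -t nfs 192.168.1.1:/mnt/nfsclient /mnt/nfsclient

# nfs_mounted MOUNTPOINT [MOUNTS_FILE]
# Succeeds only if MOUNTPOINT is listed as an nfs or nfs4 filesystem.
# MOUNTS_FILE defaults to /proc/mounts; the parameter exists so the check
# can be exercised against a saved or constructed mount table.
nfs_mounted() {
    mounts_file="${2:-/proc/mounts}"
    awk -v mp="$1" '
        $2 == mp && ($3 == "nfs" || $3 == "nfs4") { found = 1 }
        END { exit !found }
    ' "$mounts_file"
}

# disk_device_cmd CONTAINER DEVICE SOURCE PATH
# Prints the LXD command that adds SOURCE (host) at PATH (container).
disk_device_cmd() {
    printf 'lxc config device add %s %s disk source=%s path=%s\n' \
        "$1" "$2" "$3" "$4"
}

# share_nfs CONTAINER DEVICE SOURCE PATH [MOUNTS_FILE]
# Refuses to emit the command unless SOURCE is really an NFS mount here.
share_nfs() {
    if ! nfs_mounted "$3" "$5"; then
        echo "refusing: $3 is not an NFS mount on this host" >&2
        return 1
    fi
    disk_device_cmd "$1" "$2" "$3" "$4"
}

# Example call (prints the command to run; nothing is changed by this script):
#   share_nfs nfsclient nfsshare /mnt/nfsclient /mnt/nfs
```
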