NFS Ganesha in LXC

(Shantur Rathore) #1


I am trying to set up an nfs-ganesha server in an LXC container. It seems to be failing to run for me, and nfs-ganesha complains:

    vfs_open_by_handle :FSAL :DEBUG :Failed with Function not implemented openflags 0x00200003

This translates to a missing open_by_handle_at function.

I read some things about lxd and the open_by_handle_at method related to security, so I made the container privileged:

    ➜  ~ lxc config show template-nfs-server
    architecture: x86_64
      image.architecture: amd64
      image.description: ubuntu 18.04 LTS amd64 (release) (20180724)
      image.label: release
      image.os: ubuntu
      image.release: bionic
      image.serial: "20180724"
      image.version: "18.04"
      raw.apparmor: |-
        mount fstype=rpc_pipefs,
        mount fstype=nfsd,
      security.privileged: "true"
      volatile.base_image: 38219778c2cf02521f34f950580ce3af0e4b61fbaf2b4411a7a6c4f0736071f9
      volatile.eth0.hwaddr: 00:16:3e:f5:d6:ea eth0
      volatile.idmap.base: "0" '[]'
      volatile.last_state.idmap: '[]'
      volatile.last_state.power: RUNNING
        path: /mnt/templates
        pool: lxd-ceph
        source: Vsphere-Templates
        type: disk
    ephemeral: false
    - infrastructure
    stateful: false
    description: ""

Still the error persists. Is there something I need to do?


(Stéphane Graber) #2

open_by_handle_at is directly banned by the default Seccomp policy as it provides for a very easy escape of confinement.

You should be able to override that with `lxc config set template-nfs-server raw.lxc lxc.seccomp=`, but note that a privileged container with that disabled effectively means that root in the container can somewhat trivially escape to the host.

This syscall being allowed in containers was the reason behind the shocker exploit a few years back.

(Shantur Rathore) #3

Thanks @stgraber.
That did the trick, but as I am using the latest snap 3.3 the command needed was:

    lxc config set template-nfs-server raw.lxc lxc.seccomp.profile=

I really appreciate you taking the time to answer all the questions on the forum.
I will be asking loads.

(Stéphane Graber) #4

Oh oops, forgot we renamed that one too with 3.0 :slight_smile:
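An added audit check, not from this thread or from LXD itself, for the combination Stéphane warns about: a privileged container whose raw.lxc clears the seccomp profile (either the pre-3.0 `lxc.seccomp=` or the 3.0+ `lxc.seccomp.profile=` spelling). It parses the YAML that `lxc config show <container>` prints; the container config below is constructed for illustration, and the two helpers only understand the flat `key: value` and `key: |-` block forms that output uses.

```shell
#!/bin/sh
# Constructed sample of `lxc config show` output after the override in this
# thread was applied to a privileged container (hypothetical name, minimal keys).
SAMPLE_CONFIG='architecture: x86_64
config:
  raw.lxc: |-
    lxc.seccomp.profile=
  security.privileged: "true"
devices: {}
ephemeral: false
profiles:
- default
stateful: false'

# Print the value of a simple `key: value` line read from stdin, quotes stripped.
scalar_value() {
  awk -v k="$1:" '$1 == k { v = $2; gsub(/"/, "", v); print v; exit }'
}

# Print the body of a block scalar (`key: |-` followed by deeper-indented lines).
block_value() {
  awk -v k="$1:" '
    $1 == k && ($2 == "|-" || $2 == "|") { inblock = 1; next }
    inblock && /^    / { sub(/^[ \t]+/, ""); print; next }
    inblock { exit }
  '
}

# Classify one container config (passed as a string). Prints one of:
#   seccomp-disabled-privileged  root in the container can escape to the host
#   seccomp-disabled             default syscall filtering is off
#   ok
audit_config() {
  cfg="$1"
  priv=$(printf '%s\n' "$cfg" | scalar_value security.privileged)
  rawlxc=$(printf '%s\n' "$cfg" | block_value raw.lxc)
  # raw.lxc may also be a one-line value rather than a block.
  [ -n "$rawlxc" ] || rawlxc=$(printf '%s\n' "$cfg" | scalar_value raw.lxc)
  seccomp_off=0
  printf '%s\n' "$rawlxc" | grep -Eq '^lxc\.seccomp(\.profile)?=[[:space:]]*$' && seccomp_off=1
  if [ "$seccomp_off" = 1 ] && [ "$priv" = true ]; then
    echo seccomp-disabled-privileged
  elif [ "$seccomp_off" = 1 ]; then
    echo seccomp-disabled
  else
    echo ok
  fi
}

audit_config "$SAMPLE_CONFIG"
```

On a real host, feed it `lxc config show <name>` for each container from `lxc list -c n --format csv` and alert on anything other than `ok`.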