How to fix ”mount.nfs: access denied …“ when trying to mount a NFS share exported by a Proxmox 5 machine

nfsproxmox

I'm trying to mount an NFS share from a Proxmox 5 host and having issues. I have the following two machines:

192.168.1.3    proxmox debian box (nfs-host)
192.168.1.31   ubuntu 16.04 (nfs-client)

Permissions of /mnt/storage (NFS client):

drwxrwxrwx 11 nobody nogroup 4096 Oct  7 10:28 storage

Content of /etc/exports (NFS host):

/mnt/storage 192.168.1.31(rw,sync,no_subtree_check)

Output of showmount -e 192.168.1.3 (NFS client):

Export list for 192.168.1.3:
/mnt/storage 192.168.1.31

Trying to mount from the client fails:

me@client:/mnt/storage$ sudo mount 192.168.1.3:/mnt/storage /mnt/storage
mount.nfs: access denied by server while mounting 192.168.1.3:/mnt/storage

I ran exportfs -ra and restarted the nfs kernel server but still no joy. I also tried all the suggestions in the question mount.nfs: access denied by server while mounting on Ubuntu machines?, but nothing has worked for me. There were only one or two answers at the bottom that had to do with docker and another one that had typo'd IPs, both didn't pertain to me.

I can ping both hosts and both hosts can access the internet and see each other so I don't think it's a network issue.

Now I am seeing these errors inside /var/log/messages on the host:

Oct  7 10:06:36 pve kernel: [44667.325940] audit: type=1400 audit(1507385196.790:23): apparmor="DENIED" operation="mount" info="failed type match" error=-13 profile="lxc-container-default-cgns" name="/mnt/storage/" pid=15053 comm="mount.nfs4" fstype="nfs4" srcname="192.168.1.3:/export/storage"
Oct  7 10:07:05 pve kernel: [44696.096558] audit: type=1400 audit(1507385225.559:24): apparmor="DENIED" operation="mount" info="failed type match" error=-13 profile="lxc-container-default-cgns" name="/mnt/storage/" pid=15112 comm="mount.nfs" fstype="nfs" srcname="192.168.1.3:/export/storage"

As requested, here are the contents of all files inside /etc/apparmor.d/lxc/ containing the word mount:

root@host:/etc/apparmor.d/lxc# ll
total 24
drwxr-xr-x 2 root root 4096 Oct  6 13:24 .
drwxr-xr-x 9 root root 4096 Oct  6 13:24 ..
-rw-r--r-- 1 root root  479 Jun 30 05:01 lxc-default
-rw-r--r-- 1 root root  528 Jun 30 05:01 lxc-default-cgns
-rw-r--r-- 1 root root  544 Jun 30 05:01 lxc-default-with-mounting
-rw-r--r-- 1 root root  527 Jun 30 05:01 lxc-default-with-nesting

root@host:/etc/apparmor.d/lxc# cat lxc-default
# Do not load this file.  Rather, load /etc/apparmor.d/lxc-containers, which
# will source all profiles under /etc/apparmor.d/lxc

profile lxc-container-default flags=(attach_disconnected,mediate_deleted) {
  #include <abstractions/lxc/container-base>

  # the container may never be allowed to mount devpts.  If it does, it
  # will remount the host's devpts.  We could allow it to do it with
  # the newinstance option (but, right now, we don't).
  deny mount fstype=devpts,
}



root@host:/etc/apparmor.d/lxc# cat lxc-default-cgns
# Do not load this file.  Rather, load /etc/apparmor.d/lxc-containers, which
# will source all profiles under /etc/apparmor.d/lxc

profile lxc-container-default-cgns flags=(attach_disconnected,mediate_deleted) {
  #include <abstractions/lxc/container-base>

  # the container may never be allowed to mount devpts.  If it does, it
  # will remount the host's devpts.  We could allow it to do it with
  # the newinstance option (but, right now, we don't).
  deny mount fstype=devpts,
  mount fstype=cgroup -> /sys/fs/cgroup/**,
}



root@host:/etc/apparmor.d/lxc# cat lxc-default-with-mounting
# Do not load this file.  Rather, load /etc/apparmor.d/lxc-containers, which
# will source all profiles under /etc/apparmor.d/lxc

profile lxc-container-default-with-mounting flags=(attach_disconnected,mediate_deleted) {
  #include <abstractions/lxc/container-base>

# allow standard blockdevtypes.
# The concern here is in-kernel superblock parsers bringing down the
# host with bad data.  However, we continue to disallow proc, sys, securityfs,
# etc to nonstandard locations.
  mount fstype=ext*,
  mount fstype=xfs,
  mount fstype=btrfs,
}



root@host:/etc/apparmor.d/lxc# cat lxc-default-with-nesting
# Do not load this file.  Rather, load /etc/apparmor.d/lxc-containers, which
# will source all profiles under /etc/apparmor.d/lxc

profile lxc-container-default-with-nesting flags=(attach_disconnected,mediate_deleted) {
  #include <abstractions/lxc/container-base>
  #include <abstractions/lxc/start-container>

  deny /dev/.lxc/proc/** rw,
  deny /dev/.lxc/sys/** rw,
  mount fstype=proc -> /var/cache/lxc/**,
  mount fstype=sysfs -> /var/cache/lxc/**,
  mount options=(rw,bind),
  mount fstype=cgroup -> /sys/fs/cgroup/**,
}

Best Answer

It looks like AppArmour is kicking in on the server. See the log file messages, which include this phrase:

apparmor="DENIED"

Unfortunately I can only advise you how to switch it off, which I wouldn't recommend. I'll see if I can find some instructions for mediating it...

Related Question