While using LXC, if you just naively install nfs-kernel-server and expect magic to happen, you're wrong. proc-fs-nfsd will miserably fail, spewing this message:
mount: cannot mount nfsd read-only
Since a read-only mount of nfsd rarely fails, this smells really bad. I know. But the smell's so strong that google cannot help but pop the right corn: https://github.com/lxc/lxd/issues/2703
LXC, even when privileged, is prohibited from performing certain actions by AppArmor. Yes, this totally requires human intervention, and that's the whole point of this task. I need to talk AppArmor into giving up this "mount=nfsd" thingy. If this were LXD, things might have been easier, but fuck that.
I hate this, but it's simple. Put the following into the AppArmor profile path (/etc/apparmor.d/lxc/lxc-default-with-nfsd):
profile lxc-container-default-with-nfsd flags=(attach_disconnected,mediate_deleted) {
  #include <abstractions/lxc/container-base>

  # Never let the container mount devpts: it would remount the host's instance.
  deny mount fstype=devpts,

  # What nfs-kernel-server needs: the nfsd pseudo-filesystem and rpc_pipefs.
  mount fstype=nfsd,
  mount fstype=rpc_pipefs,

  # Allow cgroup mounts, but only under /sys/fs/cgroup.
  mount fstype=cgroup -> /sys/fs/cgroup/**,
}
This might look complicated, but a third of it is copy-pasted from another profile, and the rest comes from the issue ticket.
AppArmor must be manually informed about profile changes:
apparmor_parser -r /etc/apparmor.d/lxc-containers
Append the following to the Proxmox container profile under /etc/pve/lxc:
lxc.apparmor.profile: lxc-container-default-with-nfsd
Note that if you're running an older version, the config key used to be lxc.aa_profile, but that is deprecated. Just my two cents.