Can't mount nfs remote (In XO / Settings / Remotes )
ieugen opened this issue
Hello,
I've tried using the docker image and it failed to mount the NFS remote.
Command failed with exit code 32: mount -o vers=3 -t nfs 192.168.100.7:/volume1/xcp-01-backup /run/xo-server/mounts/d8efc3a5-7b13-4992-88e9-8d3555969255
mount.nfs: access denied by server while mounting 192.168.100.7:/volume1/xcp-01-backup
From the host, the mount works:
mount -o vers=3 -t nfs 192.168.100.7:/volume1/xcp-01-backup /mnt
I'm running docker with this command:
docker run -itd --name xo \
--restart unless-stopped \
--cap-add sys_admin \
--stop-timeout 60 \
-p 80:80 \
-v /var/lib/xo-server/server-data:/var/lib/xo-server \
-v /var/lib/xo-server/redis-data:/var/lib/redis \
ronivay/xen-orchestra
The VM has two network interfaces.
I'm running Debian 10.5.
uname -a
Linux xo 4.19.0-10-amd64 #1 SMP Debian 4.19.132-1 (2020-07-24) x86_64 GNU/Linux
docker --version
Docker version 19.03.13, build 4484c46d9d
Hello,
It indeed seems that cap_sys_admin isn't enough to mount the NFS share inside the container (even though it's documented that it should be). Replacing --cap-add sys_admin with --privileged works just fine.
I tried to look around a bit to figure out a more restricted way of running the container while still being able to mount the NFS share, but no luck. Use this as a workaround if you want to enable the NFS remote option inside XO in a container. Otherwise you may mount this share on the host, bind mount it into the container, and use a local remote.
Actually, I was able to figure this out. It's because of AppArmor, which denies the mounting operation. I assume you have it running as well, but you can verify with apparmor_status.
Try with this and let me know if it works for you:
docker run -itd --name xo \
--restart unless-stopped \
--cap-add sys_admin \
--security-opt apparmor:unconfined \
--stop-timeout 60 \
-p 80:80 \
-v /var/lib/xo-server/server-data:/var/lib/xo-server \
-v /var/lib/xo-server/redis-data:/var/lib/redis \
ronivay/xen-orchestra
Thank you for the reply and for looking into this.
I've tested it myself on Debian 10 and it works.
Starting with Debian 10, AppArmor is enabled by default.
It's very similar to other distributions.
I think this should be included in the docs.
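Added example (not part of the original thread): a shell filter that confirms the diagnosis reached above by pulling AppArmor mount denials out of kernel log lines and reporting which profile blocked which filesystem type. The sample log lines are constructed, the exact audit field layout varies by kernel version, and the function names are hypothetical.

```shell
#!/bin/sh
# Print "profile fstype comm" for every AppArmor DENIED mount event on stdin.
apparmor_mount_denials() {
    awk '
        /apparmor="DENIED"/ && /operation="mount"/ {
            profile = "?"; fstype = "?"; comm = "?"
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")          # key="value" tokens
                gsub(/"/, "", kv[2])        # drop the surrounding quotes
                if (kv[1] == "profile") profile = kv[2]
                if (kv[1] == "fstype")  fstype  = kv[2]
                if (kv[1] == "comm")    comm    = kv[2]
            }
            print profile, fstype, comm
        }'
}

# Constructed sample input: one NFS mount denial, one unrelated denial,
# and one line that has nothing to do with AppArmor.
sample_log() {
cat <<'EOF'
[ 1201.5] audit: type=1400 audit(1601900000.101:71): apparmor="DENIED" operation="mount" profile="docker-default" name="/run/xo-server/mounts/d8efc3a5-7b13-4992-88e9-8d3555969255/" pid=4242 comm="mount.nfs" fstype="nfs" srcname="192.168.100.7:/volume1/xcp-01-backup"
[ 1300.2] audit: type=1400 audit(1601900099.000:72): apparmor="DENIED" operation="ptrace" profile="docker-default" pid=4300 comm="ps" requested_mask="read" denied_mask="read" peer="unconfined"
[ 1310.9] docker0: port 1(veth0a1b2c3) entered forwarding state
EOF
}

# On a real host (not run here): check that AppArmor is enabled, see which
# profile confines the container, then filter the kernel log.
check_host() {
    cat /sys/module/apparmor/parameters/enabled          # Y when enabled
    docker inspect --format '{{.AppArmorProfile}}' "$1"  # e.g. docker-default
    dmesg | apparmor_mount_denials
}

# Demo on the constructed sample.
sample_log | apparmor_mount_denials
```

Calling `check_host xo` on the Docker host runs the same filter against the live kernel log; a `docker-default nfs` line there means the profile, not the missing capability, is what blocked the mount.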