Sergey Romanov:

I wanted to create an NFS share. I did that successfully during my tests on a privileged container. Now I am trying to set up a more secure environment. When I create an NFS share in Webmin I get

rpc.nfsd: no process found
Stopping nfs-kernel-server (via systemctl): nfs-kernel-server.service.
Starting nfs-kernel-server (via systemctl): nfs-kernel-server.serviceA dependency job for nfs-server.service failed. See 'journalctl -xe' for details.
failed!


I started investigating and I see that the dependency proc service is not running and I cannot start it.

root@nas ~# mount | grep nfsd
root@nas ~# mount -v -t nfsd nfsd /proc/fs/nfsd
mount: /proc/fs/nfsd: permission denied.
root@nas ~# ls -la /proc/fs    
total 0
dr-xr-xr-x   7 nobody nogroup 0 Jun 26 01:12 .
dr-xr-xr-x 539 nobody nogroup 0 Jun 26 01:12 ..
dr-xr-xr-x   9 nobody nogroup 0 Jun 26 11:05 ext4
dr-xr-xr-x   9 nobody nogroup 0 Jun 26 11:05 jbd2
dr-xr-xr-x   3 nobody nogroup 0 Jun 26 01:12 lockd
dr-xr-xr-x   3 nobody nogroup 0 Jun 26 11:05 nfs
dr-xr-xr-x   2 nobody nogroup 0 Jun 26 01:12 nfsd

When I try to change permissions or ownership of those directories, I get "operation not permitted".

Jeremy Davis:

If you want NFS shares and are concerned about security, it's probably best to run a "proper" VM (rather than within a container).

If you are only sharing with trusted hosts and security isn't such an issue, then AFAIK you should be able to get it to work in a privileged container and/or with nesting enabled.

Running as a privileged container will likely be relatively secure (it's not as bad as Docker's "privileged" containers), but will have knock-on effects that may cause issues with some services (some of the systemd hardening measures don't work in a privileged container, so some services will need modification to run).

Please be extra aware that enabling nesting on a privileged container does mean that the root user within the container can potentially escape (and gain some degree of control over the host root account). Hence why I suggest using a "proper" VM if you plan to expose the NFS shares to untrusted end users. Note that whilst enabling nesting on unprivileged containers does still have implications for the degree of isolation, enabling nesting on an unprivileged container doesn't have the same risk (because unlike in a privileged container, the root user within the unprivileged container maps to an unprivileged user on the host).

If you'd like to persevere, here are a couple of promising-looking results from Google:
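As an added example, not part of Jeremy's reply and not code from TurnKey or Proxmox, here is a small POSIX shell diagnostic that applies the point above: it reads the container's uid_map to tell whether root inside is the host's root (privileged) or an ordinary host uid (unprivileged), and checks whether the kernel lists the nfsd pseudo-filesystem at all. It assumes only sh, awk and grep; the sample maps used to exercise it are constructed.

```shell
#!/bin/sh
# Added diagnostic (not from the thread). The map format is that of
# /proc/self/uid_map: "<first inside uid> <first host uid> <count>" per line.
# A privileged container maps inside uid 0 to host uid 0; an unprivileged
# one maps it to a high host uid (Proxmox uses 100000 by default).

root_host_uid() {
    # Reads a uid_map on stdin; prints the host uid that inside uid 0 maps
    # to, or "unmapped" when no range starts at uid 0.
    awk '
        { inside = $1 + 0; host = $2 + 0; count = $3 + 0
          if (inside == 0 && count > 0) { print host; found = 1; exit } }
        END { if (!found) print "unmapped" }'
}

container_kind() {
    # Reads a uid_map on stdin and classifies the container.
    case "$(root_host_uid)" in
        0)        echo privileged ;;   # root inside == root on the host
        unmapped) echo unmapped ;;     # uid 0 has no host identity at all
        *)        echo unprivileged ;; # root inside is an ordinary host uid
    esac
}

has_nfsd_fs() {
    # Reads /proc/filesystems-style lines on stdin; succeeds if the kernel
    # lists the nfsd pseudo-filesystem that /proc/fs/nfsd is mounted from.
    grep -q '[[:space:]]nfsd$'
}

# Stand-alone report for the container this script runs in.
if [ -r /proc/self/uid_map ]; then
    kind=$(container_kind < /proc/self/uid_map)
    printf 'container root maps to host uid %s (%s)\n' \
        "$(root_host_uid < /proc/self/uid_map)" "$kind"
    if [ -r /proc/filesystems ] && has_nfsd_fs < /proc/filesystems; then
        echo "kernel offers the nfsd filesystem; the mount may still be denied in this namespace"
    else
        echo "nfsd filesystem not listed; nfs-kernel-server cannot start here"
    fi
fi
```

In an unprivileged container the report shows a high host uid, which is exactly why the `mount -t nfsd` and the chmod attempts in the question are refused: that uid has no authority over the host kernel's nfsd.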
