vigilian - Thu, 2016/02/25 - 13:19
Hi,
So it is a specific known problem with the nfs of your template?
I don't know why, but only your template is unusable; every other VM or template is working fine using the NFS client, but apparently not yours. Is it an old version or something like that? I am always being denied by the service: mount.nfs: access denied by server
And still the access is good and there is no firewall or anything like that, so very strange.
Is it a specific version of nfs which doesn't accept anonymous connection ?
Or maybe the NFS traffic has been denied and you authorized only the Samba traffic?
Should work OOTB
Sorry for the delay in answering. I will reinstall it with the new templates. That way it would maybe be more accurate.
I just realised that you are saying template!
That can be worked around but requires that NFS is installed and enabled on the host then passed through to the LXC guest. Because of security concerns it is generally not recommended that you do that.
See info online:
https://forum.proxmox.com/threads/nfs-server-inside-lxc.25762/
https://forum.proxmox.com/threads/is-it-possible-to-run-a-nfs-server-wit...
https://lists.linuxcontainers.org/pipermail/lxc-users/2015-March/008655....
http://tquerci.blogspot.com.au/2014/03/nfs-on-lxc-container.html
A better workaround would be to install your fileserver in a "proper" VM rather than a container...
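A check for the situation described in the reply above, run from inside the guest. This is an added example, not part of the thread or TurnKey's own code; it assumes the standard Linux formats of `/proc/filesystems` and `/proc/1/environ`, and the function names and status strings are made up for illustration.

```shell
#!/bin/sh
# Added example: report whether the kernel NFS server (nfsd) is visible to
# this environment and whether we are inside a container such as LXC.
# File paths are parameters so the logic can also run on saved copies.

# True when a filesystem list in /proc/filesystems format includes nfsd,
# i.e. the (shared host) kernel has the NFS server module loaded.
has_nfsd() {
    [ -r "$1" ] && awk '$NF == "nfsd" { found = 1 } END { exit !found }' "$1"
}

# Prints the value of the "container" variable from a NUL-separated
# environment dump in /proc/1/environ format (LXC sets container=lxc).
# Prints nothing when the variable is absent or the file is unreadable
# (reading /proc/1/environ normally requires root).
container_type() {
    [ -r "$1" ] || return 0
    tr '\000' '\n' < "$1" | sed -n 's/^container=//p' | head -n 1
}

# Combines both checks into one hypothetical status string.
nfs_server_diagnosis() {
    fs_file=$1
    env_file=$2
    ctype=$(container_type "$env_file")
    if has_nfsd "$fs_file"; then
        if [ -n "$ctype" ]; then
            # Host kernel has nfsd loaded; the guest still needs the
            # passthrough discussed in the thread before it can export.
            echo "nfsd-loaded-on-host:$ctype"
        else
            echo "nfsd-available"
        fi
    elif [ -n "$ctype" ]; then
        # A container cannot load the module itself: enable it on the
        # host, or move the file server to a full VM.
        echo "nfsd-missing-in-container:$ctype"
    else
        echo "nfsd-not-loaded"
    fi
}

# Defaults inspect the live system; pass two file paths to test saved copies.
nfs_server_diagnosis "${1:-/proc/filesystems}" "${2:-/proc/1/environ}"
```

A result of `nfsd-missing-in-container:lxc` matches the case in this thread: the export cannot work until the host provides nfsd, which is the trade-off the reply warns about.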
mmmh now I understand better so no NFS for security risk. Understood then :)
then is there a difference between proxmox and docker?
Hi,
After thinking about it, can you confirm that NFS is deactivated in the LXC template in Proxmox even if the host has NFS activated? And that's why I get access denied?
Then what's the difference with Docker, since it doesn't have a kernel either and so it uses the host kernel? Because in the ports you have the NFS port open too; why is that if it is deactivated? I guess it's not deactivated then?
NFS is enabled in all the containers
TBH I'm not very experienced with Docker but AFAIK the situation is the same re it having to be enabled on the host kernel. I also think that you need to launch it with the --privileged switch (so again you have the same sort of security concerns as LXC).
Regarding the ports being declared, we use the same set of ports to set the IPtables config for all the different builds so it is inherited from there. In consideration, perhaps we should not enable it by default for Docker. Although on the flipside, if someone wants to use it then perhaps it's better that it's ready to go? I'd be interested to hear your thoughts.
Well, good point, since when I tried it was activated on my Proxmox host (NFS backup for example). I don't know what I had to configure then, but since it is a security concern I will block it.
But I think then that, for the modification, you should or we should do a dedicated page on the wiki (since it seems to be a bit more complicated than just having the modules activated on the host), but block it anyway by default. That seems to be the more logical to me as a user.
Great idea!
Please feel free to make a start on that if you want. Our docs are a wiki and can be edited by any logged in user. I suggest that we start a "new child page" under the Tutorials / HOWTOs section.