Nfs
How do I fix "mount.nfs: access denied…" when trying to mount an NFS share exported by a Proxmox 5 machine?
I am trying to mount an NFS share from a Proxmox 5 host and am running into problems. I have the following two machines:
```
192.168.1.3 proxmox debian box (nfs-host)
192.168.1.31 ubuntu 16.04 (nfs-client)
```
Permissions of /mnt/storage (NFS client):
```
drwxrwxrwx 11 nobody nogroup 4096 Oct 7 10:28 storage
```
Contents of /etc/exports (NFS host):
```
/mnt/storage 192.168.1.31(rw,sync,no_subtree_check)
```
Output of showmount -e 192.168.1.3 (NFS client):
```
Export list for 192.168.1.3:
/mnt/storage 192.168.1.31
```
Trying to mount from the client fails:
```
me@client:/mnt/storage$ sudo mount 192.168.1.3:/mnt/storage /mnt/storage
mount.nfs: access denied by server while mounting 192.168.1.3:/mnt/storage
```
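I ran exportfs -ra and restarted the nfs kernel server, but still no joy. I also tried all the suggestions in the question *mount.nfs: access denied by server while mounting on Ubuntu machines?*, but nothing worked for me. Only one or two answers at the bottom are related to docker, and another answer was about a wrong IP, neither of which applies to me. I can ping both hosts, and both hosts can reach the Internet and see each other, so I don't think this is a network problem.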
Now I see these errors in /var/log/messages on the host:
```
Oct 7 10:06:36 pve kernel: [44667.325940] audit: type=1400 audit(1507385196.790:23): apparmor="DENIED" operation="mount" info="failed type match" error=-13 profile="lxc-container-default-cgns" name="/mnt/storage/" pid=15053 comm="mount.nfs4" fstype="nfs4" srcname="192.168.1.3:/export/storage"
Oct 7 10:07:05 pve kernel: [44696.096558] audit: type=1400 audit(1507385225.559:24): apparmor="DENIED" operation="mount" info="failed type match" error=-13 profile="lxc-container-default-cgns" name="/mnt/storage/" pid=15112 comm="mount.nfs" fstype="nfs" srcname="192.168.1.3:/export/storage"
```
As requested, here are the contents of all files in /etc/apparmor.d/lxc/ that contain the word mount:
```
root@host:/etc/apparmor.d/lxc# ll
total 24
drwxr-xr-x 2 root root 4096 Oct 6 13:24 .
drwxr-xr-x 9 root root 4096 Oct 6 13:24 ..
-rw-r--r-- 1 root root 479 Jun 30 05:01 lxc-default
-rw-r--r-- 1 root root 528 Jun 30 05:01 lxc-default-cgns
-rw-r--r-- 1 root root 544 Jun 30 05:01 lxc-default-with-mounting
-rw-r--r-- 1 root root 527 Jun 30 05:01 lxc-default-with-nesting
root@host:/etc/apparmor.d/lxc# cat lxc-default
# Do not load this file. Rather, load /etc/apparmor.d/lxc-containers, which
# will source all profiles under /etc/apparmor.d/lxc
profile lxc-container-default flags=(attach_disconnected,mediate_deleted) {
  #include <abstractions/lxc/container-base>

  # the container may never be allowed to mount devpts. If it does, it
  # will remount the host's devpts. We could allow it to do it with
  # the newinstance option (but, right now, we don't).
  deny mount fstype=devpts,
}
root@host:/etc/apparmor.d/lxc# cat lxc-default-cgns
# Do not load this file. Rather, load /etc/apparmor.d/lxc-containers, which
# will source all profiles under /etc/apparmor.d/lxc
profile lxc-container-default-cgns flags=(attach_disconnected,mediate_deleted) {
  #include <abstractions/lxc/container-base>

  # the container may never be allowed to mount devpts. If it does, it
  # will remount the host's devpts. We could allow it to do it with
  # the newinstance option (but, right now, we don't).
  deny mount fstype=devpts,
  mount fstype=cgroup -> /sys/fs/cgroup/**,
}
root@host:/etc/apparmor.d/lxc# cat lxc-default-with-mounting
# Do not load this file. Rather, load /etc/apparmor.d/lxc-containers, which
# will source all profiles under /etc/apparmor.d/lxc
profile lxc-container-default-with-mounting flags=(attach_disconnected,mediate_deleted) {
  #include <abstractions/lxc/container-base>

  # allow standard blockdevtypes.
  # The concern here is in-kernel superblock parsers bringing down the
  # host with bad data. However, we continue to disallow proc, sys, securityfs,
  # etc to nonstandard locations.
  mount fstype=ext*,
  mount fstype=xfs,
  mount fstype=btrfs,
}
root@host:/etc/apparmor.d/lxc# cat lxc-default-with-nesting
# Do not load this file. Rather, load /etc/apparmor.d/lxc-containers, which
# will source all profiles under /etc/apparmor.d/lxc
profile lxc-container-default-with-nesting flags=(attach_disconnected,mediate_deleted) {
  #include <abstractions/lxc/container-base>
  #include <abstractions/lxc/start-container>

  deny /dev/.lxc/proc/** rw,
  deny /dev/.lxc/sys/** rw,
  mount fstype=proc -> /var/cache/lxc/**,
  mount fstype=sysfs -> /var/cache/lxc/**,
  mount options=(rw,bind),
  mount fstype=cgroup -> /sys/fs/cgroup/**,
}
```
I made the following configuration change to /etc/apparmor.d/lxc-default-cgns on the proxmox host and was able to mount the drive successfully.

/etc/apparmor.d/lxc-default-cgns:
```
mount fstype=nfs*,
mount options=(rw, bind, ro),
```
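It looks like AppArmor is kicking in on the server. Look at the log file messages, which include the following phrase:
```
apparmor="DENIED"
```
Unfortunately, I can only advise you how to turn it off, which I don't recommend. I'll see if I can find some instructions on how to mediate it…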
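The denial records from the question, checked against the profile's mount rules with and without the rule from the first answer, as an added example that is not part of the original posts. The function names are hypothetical, and the fstype-only glob matching is a simplified assumption, not AppArmor's own matcher.

```python
import re
from fnmatch import fnmatch

# The two audit records quoted in the question's /var/log/messages excerpt.
SAMPLE_LOG = """\
Oct 7 10:06:36 pve kernel: [44667.325940] audit: type=1400 audit(1507385196.790:23): apparmor="DENIED" operation="mount" info="failed type match" error=-13 profile="lxc-container-default-cgns" name="/mnt/storage/" pid=15053 comm="mount.nfs4" fstype="nfs4" srcname="192.168.1.3:/export/storage"
Oct 7 10:07:05 pve kernel: [44696.096558] audit: type=1400 audit(1507385225.559:24): apparmor="DENIED" operation="mount" info="failed type match" error=-13 profile="lxc-container-default-cgns" name="/mnt/storage/" pid=15112 comm="mount.nfs" fstype="nfs" srcname="192.168.1.3:/export/storage"
"""
# Mount rules of lxc-container-default-cgns as listed in the question.
CGNS_RULES = ["deny mount fstype=devpts,",
              "mount fstype=cgroup -> /sys/fs/cgroup/**,"]
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')  # key="quoted" or key=bare
ALLOW_RE = re.compile(r'^mount\s+fstype=([^\s,]+)')  # allow rules, not "deny mount"

def parse_denial(line):
    """Return the fields of an AppArmor DENIED audit record as a dict, else None."""
    if 'apparmor="DENIED"' not in line:
        return None
    payload = line.partition("audit: ")[2] or line
    return {key: (quoted or bare) for key, quoted, bare in FIELD_RE.findall(payload)}

def fstype_allowed(rules, fstype):
    """Simplified model: True if an allow rule's fstype glob matches.
    Ignores mount options, source and mount-point conditions."""
    for rule in rules:
        m = ALLOW_RE.match(rule.strip())
        if m and fnmatch(fstype, m.group(1)):
            return True
    return False

def unmatched_mounts(log_text, rules):
    """List (profile, fstype, mount point) for denied mounts no allow rule covers."""
    out = []
    for line in log_text.splitlines():
        rec = parse_denial(line)
        if rec and rec.get("operation") == "mount":
            fstype = rec.get("fstype", "")
            if not fstype_allowed(rules, fstype):
                out.append((rec.get("profile"), fstype, rec.get("name")))
    return out

if __name__ == "__main__":
    print(unmatched_mounts(SAMPLE_LOG, CGNS_RULES))
    # With the rule from the first answer added, both fstypes are covered.
    print(unmatched_mounts(SAMPLE_LOG, CGNS_RULES + ["mount fstype=nfs*,"]))
```

The profile field in each record names the AppArmor profile confining the process that called mount, so a rule added to lxc-container-default-cgns applies to every container confined by that profile.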