Can't install kernel-nfs-server inside lxc container

Bug #1575757 reported by Dan Kegel
This bug affects 8 people
Affects Status Importance Assigned to Milestone
lxc (Ubuntu)

Bug Description

I'm trying to virtualize a package that depends on NFS by installing it in an LXC container.

The commands

sudo apt-get install nfs-kernel-server
sudo lxc-create -n nfstest -t download -- -d ubuntu -r xenial -a amd64
sudo lxc-start -n nfstest
sudo lxc-attach -n nfstest apt-get update
sudo lxc-attach -n nfstest apt-get install nfs-kernel-server

should install NFS server software inside the container, but instead fail with

Not creating home directory `/var/lib/nfs'.
nfs-utils.service is a disabled or a static unit, not starting it.
Setting up nfs-kernel-server (1:1.2.8-9ubuntu12) ...
A dependency job for nfs-server.service failed. See 'journalctl -xe' for details.
nfs-server.service couldn't start.
Creating config file /etc/exports with new version
Creating config file /etc/default/nfs-kernel-server with new version
A dependency job for nfs-server.service failed. See 'journalctl -xe' for details.
invoke-rc.d: initscript nfs-kernel-server, action "start" failed.
dpkg: error processing package nfs-kernel-server (--configure):
 subprocess installed post-installation script returned error exit status 1
Processing triggers for libc-bin (2.23-0ubuntu3) ...
Processing triggers for ureadahead (0.100.0-19) ...
Processing triggers for systemd (229-4ubuntu4) ...
Errors were encountered while processing:
E: Sub-process /usr/bin/dpkg returned an error code (1)

sudo lxc-attach -n nfstest journalctl -xe reports:

Apr 27 15:42:59 nfstest systemd[1]: Failed to mount NFSD configuration filesystem
-- Subject: Unit proc-fs-nfsd.mount has failed
-- Defined-By: systemd
-- Support:
-- Unit proc-fs-nfsd.mount has failed.
-- The result is failed.

Presumably this is intended, and there is a way to configure lxc to allow
running nfs servers inside it (there are rumors of success on the web), but is silent on the issue,
and doesn't even mention the word nfs.
doesn't even mention lxc.

ProblemType: Bug
DistroRelease: Ubuntu 16.04
Package: lxc 2.0.0-0ubuntu2
ProcVersionSignature: Ubuntu 4.4.0-21.37-generic 4.4.6
Uname: Linux 4.4.0-21-generic x86_64
ApportVersion: 2.20.1-0ubuntu2
Architecture: amd64
CurrentDesktop: Unity
Date: Wed Apr 27 08:19:41 2016
InstallationDate: Installed on 2016-03-26 (32 days ago)
InstallationMedia: Ubuntu 16.04 LTS "Xenial Xerus" - Beta amd64 (20160323)
PackageArchitecture: all
SourcePackage: lxc
UpgradeStatus: No upgrade log present (probably fresh install)
defaults.conf: = veth = lxcbr0 = up = 00:16:3e:xx:xx:xx

Dan Kegel (dank) wrote : did provide a workaround: in the section on nesting, it mentioned
that enabling nesting allowed all sorts of mounts. So I added = cgroup
lxc.aa_profile = lxc-container-default-with-nesting

to the container's config file, restarted the container, and was then able to install the package.

So consider this a minor doc enhancement request.

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in lxc (Ubuntu):
status: New → Confirmed
Anders Sandblad (arune) wrote :

I'm also troubled by this issue, but on LXD/LXC 2.0 (Ubuntu 16.04), and I have no idea how to add those config keys. When doing lxc config edit <containername> and adding the keys I get:
Config parsing error: Bad key: lxc.aa_profile

Stéphane Graber (stgraber) wrote :

Anders, the LXD equivalent is setting the raw.lxc key to "lxc.aa_profile=unconfined".

Changed in lxc (Ubuntu):
importance: Undecided → Medium
Justin (jsmilam) wrote :

My apologies if I'm missing something, but I cannot get the raw.lxc setting to work for lxc.aa_profile=unconfined. I've tried setting it but it doesn't seem to take. The .conf file that gets generated in /var/log/lxd/<container>/lxc.conf contains two settings for lxc.aa_profile:

lxc.aa_profile = lxd-factual-shrew_</var/lib/lxd>//&:lxd-factual-shrew_<var-lib-lxd>:

It appears that the second entry is ignored. Is this expected? Is there a way to work around the first lxc.aa_profile setting being created?

Christian Ehrhardt  (paelzer) wrote :

I used this in the past:
lxc config set <containername> raw.lxc lxc.aa_profile=unconfined

I can confirm that after this the conf contains both lines as you outlined, but for me it worked to unconfine it. I had to restart the container to pick up the new profile though - so maybe that applies to you as well?

Stéphane Graber (stgraber) wrote :

@Justin: The second entry isn't ignored, it will be used when the container starts. Though as Christian said, you do need to restart the container for this to apply.
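
Added example, not part of the thread or of LXC/LXD: a shell check for the duplicate-key case discussed above, reporting which lxc.aa_profile a generated lxc.conf will apply and flagging an unconfined container. It assumes, per the reply above, that the last assignment is the one used at container start; the function names and the sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example: which AppArmor profile will this LXC config actually apply?
# Assumption (from the thread): if lxc.aa_profile is set more than once,
# the last assignment is the one used when the container starts.

# effective_aa_profile FILE -> prints the last lxc.aa_profile value, or nothing
effective_aa_profile() {
    awk '
        /^[ \t]*#/ { next }                      # skip comment lines
        {
            eq = index($0, "=")                  # split on the first "=" only
            if (eq == 0) next
            key = substr($0, 1, eq - 1)
            val = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", key)     # trim both sides
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key == "lxc.aa_profile") last = val
        }
        END { if (last != "") print last }
    ' "$1"
}

# audit_aa_profile FILE -> prints a one-word verdict for the effective profile
audit_aa_profile() {
    profile=$(effective_aa_profile "$1")
    case "$profile" in
        "")         echo "no-profile-set" ;;
        unconfined) echo "UNCONFINED" ;;
        *)          echo "confined:$profile" ;;
    esac
}

# Constructed sample: a generated profile line followed by a raw.lxc override.
sample_conf() {
    cat <<'EOF'
# constructed sample, not a real generated config
lxc.utsname = nfs
lxc.aa_profile = lxd-nfs_placeholder
lxc.aa_profile=unconfined
EOF
}

tmp=$(mktemp)
sample_conf > "$tmp"
audit_aa_profile "$tmp"
rm -f "$tmp"
```

Run against each container's generated lxc.conf, this gives a quick inventory of containers that start without AppArmor confinement.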

Stéphane Graber (stgraber) wrote :

stgraber@dakara:~$ lxc launch ubuntu:16.04 nfs -c security.privileged=true -c raw.lxc=lxc.aa_profile=unconfined
Creating nfs
Starting nfs
stgraber@dakara:~$ lxc exec nfs bash
root@nfs:~# apt install nfs-kernel-server
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following additional packages will be installed:
  keyutils libnfsidmap2 libpython-stdlib libpython2.7-minimal libpython2.7-stdlib libtirpc1 nfs-common python python-minimal python2.7 python2.7-minimal
Suggested packages:
  watchdog python-doc python-tk python2.7-doc binutils binfmt-support
The following NEW packages will be installed:
  keyutils libnfsidmap2 libpython-stdlib libpython2.7-minimal libpython2.7-stdlib libtirpc1 nfs-common nfs-kernel-server python python-minimal python2.7
  python2.7-minimal rpcbind
0 upgraded, 13 newly installed, 0 to remove and 0 not upgraded.
Need to get 4383 kB of archives.
After this operation, 18.5 MB of additional disk space will be used.
Do you want to continue? [Y/n]
Get:1 xenial/main amd64 libnfsidmap2 amd64 0.25-5 [32.2 kB]
Get:2 xenial-updates/main amd64 libpython2.7-minimal amd64 2.7.12-1ubuntu0~16.04.1 [339 kB]
Get:3 xenial-updates/main amd64 python2.7-minimal amd64 2.7.12-1ubuntu0~16.04.1 [1295 kB]
Get:4 xenial/main amd64 python-minimal amd64 2.7.11-1 [28.2 kB]
Get:5 xenial-updates/main amd64 libpython2.7-stdlib amd64 2.7.12-1ubuntu0~16.04.1 [1884 kB]
Get:6 xenial-updates/main amd64 python2.7 amd64 2.7.12-1ubuntu0~16.04.1 [224 kB]
Get:7 xenial/main amd64 libpython-stdlib amd64 2.7.11-1 [7656 B]
Get:8 xenial/main amd64 python amd64 2.7.11-1 [137 kB]
Get:9 xenial/main amd64 libtirpc1 amd64 0.2.5-1 [75.6 kB]
Get:10 xenial/main amd64 keyutils amd64 1.5.9-8ubuntu1 [47.1 kB]
Get:11 xenial/main amd64 rpcbind amd64 0.2.3-0.2 [40.3 kB]
Get:12 xenial/main amd64 nfs-common amd64 1:1.2.8-9ubuntu12 [185 kB]
Get:13 xenial/main amd64 nfs-kernel-server amd64 1:1.2.8-9ubuntu12 [88.0 kB]
Fetched 4383 kB in 1s (3169 kB/s)
Selecting previously unselected package libnfsidmap2:amd64.
(Reading database ... 25465 files and directories currently installed.)
Preparing to unpack .../libnfsidmap2_0.25-5_amd64.deb ...
Unpacking libnfsidmap2:amd64 (0.25-5) ...
Selecting previously unselected package libpython2.7-minimal:amd64.
Preparing to unpack .../libpython2.7-minimal_2.7.12-1ubuntu0~16.04.1_amd64.deb ...
Unpacking libpython2.7-minimal:amd64 (2.7.12-1ubuntu0~16.04.1) ...
Selecting previously unselected package python2.7-minimal.
Preparing to unpack .../python2.7-minimal_2.7.12-1ubuntu0~16.04.1_amd64.deb ...
Unpacking python2.7-minimal (2.7.12-1ubuntu0~16.04.1) ...
Selecting previously unselected package python-minimal.
Preparing to unpack .../python-m...


Stéphane Graber (stgraber) wrote :

There's nothing particularly safe for us to do here out of the box.
Using an alternative profile or appending to the profile (in LXD's case) is your best bet.

Changed in lxc (Ubuntu):
status: Confirmed → Invalid