如何修复“mount.nfs:访问拒绝…”“当试图挂载由Proxmox 5机器导出的NFS共享时？

Question

我正在尝试从Proxmox 5主机挂载NFS共享，并出现问题。我有以下两台机器：

192.168.1.3    proxmox debian box (nfs-host)
192.168.1.31   ubuntu 16.04 (nfs-client)

/mnt/storage (NFS客户端)的权限：

drwxrwxrwx 11 nobody nogroup 4096 Oct  7 10:28 storage

/etc/exports (NFS主机)的内容：

/mnt/storage 192.168.1.31(rw,sync,no_subtree_check)

showmount -e 192.168.1.3输出(NFS客户端)：

Export list for 192.168.1.3:
/mnt/storage 192.168.1.31

试图从客户端挂载失败：

me@client:/mnt/storage$ sudo mount 192.168.1.3:/mnt/storage /mnt/storage
mount.nfs: access denied by server while mounting 192.168.1.3:/mnt/storage

我运行exportfs -ra并重新启动nfs内核服务器，但仍然没有喜悦。我也尝试了mount.nfs:在Ubuntu机器上安装时，服务器拒绝访问？问题中的所有建议，但是没有什么对我有用。底部只有一两个与码头有关的答案，另一个有错误的IP，两者都与我无关。

我可以平两台主机，两台主机都可以访问互联网，并且可以看到对方，所以我不认为这是一个网络问题。

现在，我在主机上看到了/var/log/messages中的这些错误：

Oct  7 10:06:36 pve kernel: [44667.325940] audit: type=1400 audit(1507385196.790:23): apparmor="DENIED" operation="mount" info="failed type match" error=-13 profile="lxc-container-default-cgns" name="/mnt/storage/" pid=15053 comm="mount.nfs4" fstype="nfs4" srcname="192.168.1.3:/export/storage"
Oct  7 10:07:05 pve kernel: [44696.096558] audit: type=1400 audit(1507385225.559:24): apparmor="DENIED" operation="mount" info="failed type match" error=-13 profile="lxc-container-default-cgns" name="/mnt/storage/" pid=15112 comm="mount.nfs" fstype="nfs" srcname="192.168.1.3:/export/storage"

根据请求，以下是/etc/apparmor.d/lxc/中包含单词mount的所有文件的内容：

root@host:/etc/apparmor.d/lxc# ll
total 24
drwxr-xr-x 2 root root 4096 Oct  6 13:24 .
drwxr-xr-x 9 root root 4096 Oct  6 13:24 ..
-rw-r--r-- 1 root root  479 Jun 30 05:01 lxc-default
-rw-r--r-- 1 root root  528 Jun 30 05:01 lxc-default-cgns
-rw-r--r-- 1 root root  544 Jun 30 05:01 lxc-default-with-mounting
-rw-r--r-- 1 root root  527 Jun 30 05:01 lxc-default-with-nesting

root@host:/etc/apparmor.d/lxc# cat lxc-default
# Do not load this file.  Rather, load /etc/apparmor.d/lxc-containers, which
# will source all profiles under /etc/apparmor.d/lxc

profile lxc-container-default flags=(attach_disconnected,mediate_deleted) {
  #include <abstractions/lxc/container-base>

  # the container may never be allowed to mount devpts.  If it does, it
  # will remount the host's devpts.  We could allow it to do it with
  # the newinstance option (but, right now, we don't).
  deny mount fstype=devpts,
}



root@host:/etc/apparmor.d/lxc# cat lxc-default-cgns
# Do not load this file.  Rather, load /etc/apparmor.d/lxc-containers, which
# will source all profiles under /etc/apparmor.d/lxc

profile lxc-container-default-cgns flags=(attach_disconnected,mediate_deleted) {
  #include <abstractions/lxc/container-base>

  # the container may never be allowed to mount devpts.  If it does, it
  # will remount the host's devpts.  We could allow it to do it with
  # the newinstance option (but, right now, we don't).
  deny mount fstype=devpts,
  mount fstype=cgroup -> /sys/fs/cgroup/**,
}



root@host:/etc/apparmor.d/lxc# cat lxc-default-with-mounting
# Do not load this file.  Rather, load /etc/apparmor.d/lxc-containers, which
# will source all profiles under /etc/apparmor.d/lxc

profile lxc-container-default-with-mounting flags=(attach_disconnected,mediate_deleted) {
  #include <abstractions/lxc/container-base>

# allow standard blockdevtypes.
# The concern here is in-kernel superblock parsers bringing down the
# host with bad data.  However, we continue to disallow proc, sys, securityfs,
# etc to nonstandard locations.
  mount fstype=ext*,
  mount fstype=xfs,
  mount fstype=btrfs,
}



root@host:/etc/apparmor.d/lxc# cat lxc-default-with-nesting
# Do not load this file.  Rather, load /etc/apparmor.d/lxc-containers, which
# will source all profiles under /etc/apparmor.d/lxc

profile lxc-container-default-with-nesting flags=(attach_disconnected,mediate_deleted) {
  #include <abstractions/lxc/container-base>
  #include <abstractions/lxc/start-container>

  deny /dev/.lxc/proc/** rw,
  deny /dev/.lxc/sys/** rw,
  mount fstype=proc -> /var/cache/lxc/**,
  mount fstype=sysfs -> /var/cache/lxc/**,
  mount options=(rw,bind),
  mount fstype=cgroup -> /sys/fs/cgroup/**,
}

Answer 1

我在proxmox主机上对/etc/apparmor.d/lxc-default-cgns进行了以下配置更改，并成功地挂载了驱动器。

/etc/apparmor.d/lxc-default-cgns

  mount fstype=nfs*,
  mount options=(rw, bind, ro),

Answer 2

如果您处理Proxmox -请尝试考虑，在lxc特性中有一个选项--有一个NFS选项

Answer 3

在服务器上的/etc/export文件中

/Path/to/export 192.168.1.0/24(rw,sync,fsid=0,no_root_squash,crossmnt,no_subtree_check,no_acl)