Cannout mount in LXC container: mount error(13): Permission denied

Written by - 0 comments

Published on November 28th 2013 - Listed in Linux LXC

On an Ubuntu 12.04 LTS server running as a LXC container, I got the following error, when I tried to mount a Windows/CIFS share:

/bin/mount -t cifs // /mnt/windowsmount -o rw,user=windowsuser,password=windowspass
mount error(13): Permission denied
Refer to the mount.cifs(8) manual page (e.g. man mount.cifs)

 At first I thought the permission denied error was due to a wrong authentication on the Windows server, but dmesg gave me more insight:

[8189058.499216] type=1400 audit(1385456697.790:44): apparmor="DENIED" operation="mount" info="failed type match" error=-13 parent=27469 profile="lxc-container-default" name="/mnt/windowsmount" pid=27470 comm="mount.cifs" fstype="cifs" srcname="//" flags="rw"

The important information to get from this output is that apparmor denied the mount operation.
To allow mount within an LXC, the container's config needs to be adjusted.
The relevant config option is "lxc.aa_profile" which is part of a default LXC config on Ubuntu 12.04 but commented-out.
In Debian (Wheezy) this option needs to be manually added in the config file:

grep aa_profile /var/lib/lxc/mylxc/config
lxc.aa_profile = unconfined

 After a restart of the LXC (mylxc), the mount command was working:

/bin/mount -t cifs // /mnt/windowsmount -o rw,user=windowsupser,password=windowspass

ls -l /mnt/windowsmount
total 212
drwxr-xr-x 2 dpr dpr      0 May 14  2012 ./
drwxrwxr-x 6 dpr dpr   4096 Nov 26 07:58 ../
-rwxr-xr-x 0 dpr dpr 53270 Sep 22  2013 testpicture.jpg

Please note that this error only appears, when apparmor is installed on the physical host.

Add a comment

Show form to leave a comment

Comments (newest first)

No comments yet.