Cannot mount in LXC container: mount error(13): Permission denied


Published on - last updated on December 9th 2021 - Listed in Linux LXC Samba

On an Ubuntu 12.04 LTS server running as an LXC container, I got the following error when I tried to mount a Windows/CIFS share:

/bin/mount -t cifs // /mnt/windowsmount -o rw,user=windowsuser,password=windowspass
mount error(13): Permission denied
Refer to the mount.cifs(8) manual page (e.g. man mount.cifs)

At first I thought the permission denied error was due to a wrong authentication on the Windows server, but dmesg gave me more insight:

[8189058.499216] type=1400 audit(1385456697.790:44): apparmor="DENIED" operation="mount" info="failed type match" error=-13 parent=27469 profile="lxc-container-default" name="/mnt/windowsmount" pid=27470 comm="mount.cifs" fstype="cifs" srcname="//" flags="rw"

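The important information in this output is that AppArmor denied the mount operation: the container runs under the profile "lxc-container-default", which does not permit the cifs mount.
To allow the mount within an LXC container, the container's config needs to be adjusted.
The relevant config option is "lxc.aa_profile", which is part of the default LXC config on Ubuntu 12.04 but commented out. Setting it to "unconfined" runs the container without AppArmor confinement.
In Debian (Wheezy) this option needs to be added manually to the config file: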

grep aa_profile /var/lib/lxc/mylxc/config
lxc.aa_profile = unconfined

After a restart of the LXC container (mylxc), the mount command worked:

/bin/mount -t cifs // /mnt/windowsmount -o rw,user=windowsuser,password=windowspass

ls -l /mnt/windowsmount
total 212
drwxr-xr-x 2 dpr dpr      0 May 14  2012 ./
drwxrwxr-x 6 dpr dpr   4096 Nov 26 07:58 ../
-rwxr-xr-x 0 dpr dpr 53270 Sep 22  2013 testpicture.jpg

Please note that this error only appears when AppArmor is installed on the physical host.

2021: Update for newer LXC version

The original article was written back in 2013 for an older LXC version. The same permission error still happens on the current LXC 4.x version on Ubuntu 20.04:

root@lxc:~# mount -t cifs // /mnt/windowsmount -o rw,user=domain\windowsuser,password=windowspass
mount error(13): Permission denied

dmesg on the host still reveals that AppArmor is blocking:

[Thu Dec  9 10:38:12 2021] FS-Cache: Netfs 'cifs' registered for caching
[Thu Dec  9 10:38:12 2021] Key type cifs.spnego registered
[Thu Dec  9 10:38:12 2021] Key type cifs.idmap registered
[Thu Dec  9 10:38:12 2021] CIFS: Attempting to mount //
[Thu Dec  9 10:38:12 2021] No dialect specified on mount. Default has changed to a more secure dialect, SMB2.1 or later (e.g. SMB3), from CIFS (SMB1). To use the less secure SMB1 dialect to access old servers which do not support SMB3 (or SMB2.1) specify vers=1.0 on mount.
[Thu Dec  9 10:38:12 2021] Status code returned 0xc000006d STATUS_LOGON_FAILURE
[Thu Dec  9 10:38:12 2021] CIFS VFS: \\ Send error in SessSetup = -13
[Thu Dec  9 10:38:12 2021] CIFS VFS: cifs_mount failed w/return code = -13
[Thu Dec  9 10:39:22 2021] audit: type=1400 audit(1639042740.021:8961): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-inf-monui02-p_</var/lib/lxc>" name="/run/systemd/unit-root/" pid=2462436 comm="(ionclean)" srcname="/" flags="rw, rbind"

As the config syntax has changed in LXC 4.x, the AppArmor profile now needs to be set like this:

root@host:~# grep apparmor /var/lib/lxc/lxc/config
lxc.apparmor.profile = unconfined

Note: The default value in Ubuntu 20.04 is "generated".

After an LXC restart, the CIFS/SMB mount should now work.
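
Both a rejected SMB logon and an AppArmor denial surface as mount error(13), so the kernel log is what tells them apart. The following is an added example, not part of the original article: it parses kernel log lines like the ones quoted above and reports, for each AppArmor mount denial, the profile, command and filesystem type involved. The function names parse_audit and triage are hypothetical.

```python
import re

# Kernel log lines copied from the dmesg output quoted in this article.
SAMPLE_LOG = [
    '[8189058.499216] type=1400 audit(1385456697.790:44): apparmor="DENIED" operation="mount" info="failed type match" error=-13 parent=27469 profile="lxc-container-default" name="/mnt/windowsmount" pid=27470 comm="mount.cifs" fstype="cifs" srcname="//" flags="rw"',
    '[Thu Dec  9 10:38:12 2021] Status code returned 0xc000006d STATUS_LOGON_FAILURE',
    '[Thu Dec  9 10:38:12 2021] CIFS VFS: cifs_mount failed w/return code = -13',
    '[Thu Dec  9 10:39:22 2021] audit: type=1400 audit(1639042740.021:8961): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-inf-monui02-p_</var/lib/lxc>" name="/run/systemd/unit-root/" pid=2462436 comm="(ionclean)" srcname="/" flags="rw, rbind"',
]

# key=value or key="quoted value" pairs as written in kernel audit records
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_audit(line):
    """Return the audit fields of one log line as a dict."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in FIELD.finditer(line)}


def triage(lines):
    """Collect the log entries that can explain 'mount error(13)'."""
    findings = []
    for line in lines:
        if 'apparmor="DENIED"' in line:
            f = parse_audit(line)
            if f.get("operation") != "mount":
                continue  # some other AppArmor denial, not a mount
            findings.append({
                "cause": "apparmor",
                "profile": f.get("profile"),  # profile that has to change
                "comm": f.get("comm"),        # process that called mount
                "fstype": f.get("fstype"),    # None if the record has none
                "target": f.get("name"),
                "flags": f.get("flags"),
                "info": f.get("info"),
            })
        elif "STATUS_LOGON_FAILURE" in line:
            # The SMB server rejected the credentials; AppArmor is not involved.
            findings.append({"cause": "auth"})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

Checking comm, fstype and target of a denial before changing the profile confirms that the record belongs to the mount being debugged.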
