Proxmox + NFS in LXC containers

Homelab May 1, 2024

If you run an application that needs access to shared network storage like NFS or CIFS/Samba, this is not (directly) supported in unprivileged containers. You can mount the share on the host the regular way: you make a folder, /mnt/share, and mount the shared network resource there. This folder can then be used as a (regular) mount point in an LXC container through the GUI; there is no need to mount anything inside the container.

The main advantage is that the container is of the "unprivileged" kind, which is a good security practice. The main disadvantage is that you cannot migrate the container to another host that doesn't have this network share mounted. So you have to manually mount the share on each host (although I haven't tested if migration even works then).

As I only use an NFS share in a container that isn't publicly exposed, I think it's safe enough to use a privileged container instead. When using a privileged LXC, the container can mount shares directly, just like a VM. Inside the LXC you can mount the shared folder as usual.
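The host-mount approach from the first paragraph, done from the command line instead of the GUI, as an added example that is not part of the original post. It builds the fstab entry for the host-side NFS mount, finds the next free mpN slot in the container's config so an existing mount point is not overwritten, and prints the `pct set` command that adds the bind mount. The server name, export path and VMID are placeholders, and the `nosuid,nodev` mount options are my own hardening choice rather than something the post specifies.

```shell
#!/bin/sh
# Added example, not the post's own code. Mount an NFS share on the Proxmox
# host and hand it to a container as a bind mount point (mpN).
# Assumptions: nas.example.lan, /export/media and VMID 101 are placeholders;
# nosuid/nodev are an added hardening choice.
set -eu

# Build the /etc/fstab line for the host-side NFS mount.
# _netdev defers the mount until the network is up; nosuid/nodev stop
# setuid binaries or device nodes on the share from being honoured.
nfs_fstab_line() {
    server=$1; export_path=$2; mountpoint=$3
    printf '%s:%s %s nfs defaults,_netdev,nosuid,nodev 0 0\n' \
        "$server" "$export_path" "$mountpoint"
}

# Return the next free mpN index in an LXC config file (/etc/pve/lxc/<vmid>.conf),
# so a new mount point never replaces an existing mp0/mp1/... entry.
next_mp_index() {
    conf=$1
    max=-1
    while IFS= read -r line; do
        case $line in
            mp[0-9]*:*)
                idx=${line#mp}; idx=${idx%%:*}
                [ "$idx" -gt "$max" ] && max=$idx
                ;;
        esac
    done < "$conf"
    echo $((max + 1))
}

# Print the pct command that bind-mounts host_path into the container at
# ct_path. Append ,ro=1 to the option string if the container only reads.
pct_bind_mount_cmd() {
    vmid=$1; host_path=$2; ct_path=$3; idx=$4
    printf 'pct set %s -mp%s %s,mp=%s\n' "$vmid" "$idx" "$host_path" "$ct_path"
}

# Typical use on the host, as root (placeholders for server, export, VMID):
#   nfs_fstab_line nas.example.lan /export/media /mnt/share >> /etc/fstab
#   mount /mnt/share
#   idx=$(next_mp_index /etc/pve/lxc/101.conf)
#   eval "$(pct_bind_mount_cmd 101 /mnt/share /mnt/share "$idx")"
```

Ownership inside an unprivileged container is id-shifted (by default uid 0 in the container maps to 100000 on the host), so files on the share owned by host users show up as nobody/nogroup in the container unless the share's permissions are set with that shift in mind.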

Gotchas

There are some things to think about:

  • If you use an unprivileged container and mount the NFS share on the host, the NFS export has to allow the host's IP address, and once it is mounted on the host the share can be handed to any container on that host. When using a privileged container, the export can be restricted to that specific container's IP address only.
  • If you migrate an LXC container to another Proxmox host, the container is stopped on the old host, replicated on the new host, started on the new host and destroyed on the old host. This will result in downtime during the replication step. When using a VM, there is virtually no downtime.
  • Docker inside a privileged LXC doesn't start out of the box because of AppArmor confinement. You have to open the config file /etc/pve/lxc/xyz.conf and add the lines below to make Docker start (https://forum.proxmox.com/threads/run-docker-inside-lxc.112004/). Note that these lines remove the AppArmor profile and the default capability drops for that container.

        # xyz.conf
        ...
        lxc.apparmor.profile: unconfined
        lxc.cgroup2.devices.allow: a
        lxc.cap.drop:

  • When using a VM, you don't have all the disadvantages mentioned above. The VM is isolated from the host, it can run Docker and NFS without security modifications and it has a dedicated IP, so access to the share can be limited to the VM only. It does use a little bit more resources though.
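The config change for the Docker-in-privileged-LXC gotcha, as an added example (not the post's own script): it applies the three lines from the post to a container config only if they are missing, so running it twice never duplicates them, and refuses to touch a config that is marked unprivileged, since the post only describes this for privileged containers. The config path and VMID are placeholders, and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original post. Idempotently append the three
# lines the post lists to a privileged container's config.
# Assumption: /etc/pve/lxc/<vmid>.conf is the target; the path is a placeholder.
# These lines drop AppArmor confinement and the default capability drops, so
# they only belong in a privileged container that is not exposed.
set -eu

DOCKER_LXC_LINES='lxc.apparmor.profile: unconfined
lxc.cgroup2.devices.allow: a
lxc.cap.drop:'

# Return 0 unless the config explicitly says "unprivileged: 1".
is_privileged() {
    conf=$1
    grep -qx 'unprivileged: 1' -- "$conf" && return 1
    return 0
}

# Return 0 when every required line is already present, exactly as written.
has_docker_lines() {
    conf=$1
    while IFS= read -r want; do
        grep -qxF -- "$want" "$conf" || return 1
    done <<EOF
$DOCKER_LXC_LINES
EOF
    return 0
}

# Append only the missing lines and print how many were added.
# Prints "refused" and returns 2 if the container is unprivileged.
add_docker_lines() {
    conf=$1
    if ! is_privileged "$conf"; then
        echo refused
        return 2
    fi
    added=0
    while IFS= read -r want; do
        if ! grep -qxF -- "$want" "$conf"; then
            printf '%s\n' "$want" >> "$conf"
            added=$((added + 1))
        fi
    done <<EOF
$DOCKER_LXC_LINES
EOF
    echo "$added"
}

# Typical use on the host, as root, with VMID 101 as a placeholder:
#   add_docker_lines /etc/pve/lxc/101.conf && pct restart 101
```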
