Can't mount NFS share within the container whitout the --privileged flag

[alexpov]

I'm running an application inside ubuntu:22.04 container (with systemd) that execute NFS mount command to external mounts.

TL:DR

I can execute successfully the mount command when the container is running with --privileged flag BUT when running the container without it, I'm getting mount.nfs: mount(2): Permission denied error. I'm looking for a way not to use the privileged flag.

Details

NFS Server
In /etc/exports I have this mount /mnt/nfs_share *(rw,sync,no_subtree_check)

NFS Client

Dockerfile

FROM ubuntu:22.04

RUN apt-get update && \
    apt-get upgrade -y && \
    apt-get install -y \
    nfs-common \
    systemd init

ENTRYPOINT ["/sbin/init"]

To build and run the container use the following commands

podman build -t nfs-client-image .
podman run -d --user="$(id -ur):$(id -gr)" --userns=keep-id --group-add=keep-groups --network host --cap-add ALL nfs-client-image

• I run the container as root
• I tried to disable the SELinux with --security-opt label=disable flag it didn't help.
• I run with --cap-add ALL to make sure it's not an issue related to a specific cap

Inside the container, to create the share:

podman exec -it <container-name> /bin/bash
mkdir -p /mnt/nfs_clientshare
mount -t nfs <nfs-server-ip>:/mnt/nfs_share /mnt/nfs_clientshare -rv -o vers=4,actimeo=60,nolock,nconnect=16,noexec,nosuid,nodev

Getting this error:

root@4baaad902b98:/# mount -t nfs 172.17.177.169:/mnt/nfs_share /mnt/nfs_clientshare -rv -o vers=4,actimeo=60,nolock,nconnect=16,noexec,nosuid,nodev
mount.nfs: timeout set for Sun Nov 19 14:20:17 2023
mount.nfs: trying text-based options 'actimeo=60,nolock,nconnect=16,vers=4.2,addr=172.17.177.169,clientaddr=10.88.0.16'
mount.nfs: mount(2): Permission denied
mount.nfs: trying text-based options 'actimeo=60,nolock,nconnect=16,vers=4,minorversion=1,addr=172.17.177.169,clientaddr=10.88.0.16'
mount.nfs: mount(2): Permission denied
mount.nfs: trying text-based options 'actimeo=60,nolock,nconnect=16,vers=4,addr=172.17.177.169,clientaddr=10.88.0.16'
mount.nfs: mount(2): Permission denied
mount.nfs: access denied by server while mounting 172.17.177.169:/mnt/nfs_share

• I couldn't find any helpful information in the NFS server logs
• Firewall is disabled ufw status -> Status: inactive
• I even tried to mount the insecure share, /mnt/nfs_share *(rw,sync,no_subtree_chec,insecure), same error

root@apovichuk:~# podman version
Version:      3.4.4
API Version:  3.4.4
Go Version:   go1.18.1
Built:        Thu Jan  1 02:00:00 1970
OS/Arch:      linux/amd64

[rhatdan]

Mounting NFS requires CAP_SYS_ADMIN so you could do --cap-add CAP_SYS_ADMIN

You are not allowed to do this in Rootless mode. Theoretically you could use a fuse implementation of NFS and then you could mount it within a user namespace without CAP_SYS_ADMIN.

[alexpov]

I used CAP_SYS_ADMIN, it doesn't help. As I described, I enabled all the caps, still doesn't work
Also, I run the container as root

[rhatdan]

Try with seccomp disabled.
--security-opt seccomp=unconfined

[alexpov]

Forgot to update, it worked after I disbaled the AppArmor using --security-opt apparmor=unconfined.

I compared 2 configuration, one with privileged flag and one without. The container with the flag didn't have any AppArmor profile assigned to it. The container without privileged flag had default apprmor profile assigned "AppArmorProfile": "containers-default-0.44.4". Looks like the default profile is denying mounts:

apparmor_linux_template

Ideally I would like to write custom profile same as the default one and only change the mount to allow.. however, I didn't find a way to print/dump the profile content. I would appreciate a reference on how to get the exact profile that is generated in my setup. I'm using Ubuntu 22.04