NFS homedir, Snaps and Apparmor

I’ll start by saying I wasn’t sure how to file this at all. Desktop? Security? New install? Snaps? I’m going with the most generic but if that’s incorrect please move it.

Ubuntu Version:
24.04 LTS

Desktop Environment (if applicable):
GNOME

Problem Description:
I want to move back to centralized user for all the hosts in my home with profiles on server but can’t get snaps to work with this setup

  • On my server I configured NFSv4 and exported.
  • On my freshly installed ubuntu 24.04 LTS client system I created /mnt/home and configured /etc/fstab with the NFS so that it automounts on boot
  • Based on several old snap bug reports I then did a --bind mount from /mnt/home to /home
  • tried to get firefox to launch

exports

/mnt/profiles/user 192.168.1.11(rw,async,root_squash,all_squash,crossmnt,anonuid=1000)

client fstab

192.168.1.131:/mnt/profiles /mnt/home nfs4 rw,async,relatime,vers=4.2,rsize=262144,wsize=262144,namlen=255,hard,proto=tcp,timeo=600,retrans=2,sec=sys,clientaddr=192.168.1.11,local_lock=none,addr=192.168.1.131 0 0
/mnt/home /home none bind

the system now boots correctly, logs in and loads the profiles correctly but any attempt to use a snap fails with apparmor DENIED messages

failure logs

Apr 19 00:59:35 testhost kernel: audit: type=1400 audit(1745038775.148:466): apparmor="DENIED" operation="open" class="file" profile="snap.firefox.firefox" name=2F686F6D652F776272622F736E61702F66697265666F782F636F6D6D6F6E2F2E6D6F7A>
Apr 19 00:59:35 testhost kernel: audit: type=1400 audit(1745038775.178:467): apparmor="DENIED" operation="open" class="file" profile="snap.firefox.firefox" name="/home/user/snap/firefox/common/.cache/gdk-pixbuf-loaders.cache" pid=4>
Apr 19 00:59:35 testhost kernel: audit: type=1400 audit(1745038775.198:468): apparmor="DENIED" operation="open" class="file" profile="snap.firefox.firefox" name="/home/user/snap/firefox/6042/.config/pulse/" pid=4368 comm="threaded->
Apr 19 00:59:35 testhost kernel: audit: type=1400 audit(1745038775.198:469): apparmor="DENIED" operation="rmdir" class="file" profile="snap.firefox.firefox" name="/home/user/snap/firefox/6042/.config/pulse/" pid=4368 comm="threaded>
Apr 19 00:59:35 testhost firefox_firefox.desktop[4368]: Failed to load cookie file from cookie: Permission denied
Apr 19 00:59:35 testhost kernel: audit: type=1400 audit(1745038775.200:470): apparmor="DENIED" operation="open" class="file" profile="snap.firefox.firefox" name="/home/user/snap/firefox/6042/.config/pulse/cookie" pid=4368 comm="thr>
Apr 19 00:59:35 testhost kernel: audit: type=1400 audit(1745038775.200:471): apparmor="DENIED" operation="open" class="file" profile="snap.firefox.firefox" name="/home/user/snap/firefox/6042/.config/pulse/cookie" pid=4368 comm="thr>
Apr 19 00:59:35 testhost kernel: audit: type=1400 audit(1745038775.206:472): apparmor="DENIED" operation="open" class="file" profile="snap.firefox.firefox" name="/home/user/snap/firefox/common/.cache/event-sound-cache.tdb.OptiPlex->
Apr 19 00:59:35 testhost kernel: audit: type=1400 audit(1745038775.213:473): apparmor="DENIED" operation="open" class="file" profile="snap.firefox.firefox" name="/home/user/snap/firefox/common/.cache/event-sound-cache.tdb.Op
Apr 18 22:07:56 testhost snapd-desktop-integration.snapd-desktop-integration[17984]: /snap/snapd-desktop-integration/253/gnome-platform/command-chain/desktop-launch: line 129: /home/user/snap/snapd-desktop-integration/253/.config/u>
Apr 18 22:07:56 testhost snapd-desktop-integration.snapd-desktop-integration[18051]: /snap/snapd-desktop-integration/253/gnome-platform/command-chain/desktop-launch: line 289: /home/user/snap/snapd-desktop-integration/253/.config/u>
Apr 18 22:07:56 testhost snapd-desktop-integration.snapd-desktop-integration[18052]: /snap/snapd-desktop-integration/253/gnome-platform/command-chain/desktop-launch: line 290: /home/user/.config/user-dirs.dirs: Permission denied
Apr 18 22:07:56 testhost snapd-desktop-integration.snapd-desktop-integration[18053]: cp: cannot open '/home/user/.config/user-dirs.locale' for reading: Permission denied
Apr 18 22:07:56 testhost snapd-desktop-integration.snapd-desktop-integration[18054]: /snap/snapd-desktop-integration/253/gnome-platform/command-chain/desktop-launch: line 295: /home/user/.config/user-dirs.locale: Permission denied
Apr 18 22:07:56 testhost snapd-desktop-integration.snapd-desktop-integration[17984]: /snap/snapd-desktop-integration/253/gnome-platform/command-chain/desktop-launch: line 129: /home/user/snap/snapd-desktop-integration/253/.config/u>
Apr 18 22:07:56 testhost snapd-desktop-integration.snapd-desktop-integration[18055]: Can't save user-dirs.dirs
Apr 18 22:07:56 testhost snapd-desktop-integration.snapd-desktop-integration[17984]: /snap/snapd-desktop-integration/253/gnome-platform/command-chain/desktop-launch: line 129: /home/user/snap/snapd-desktop-integration/253/.config/u>
Apr 18 22:07:56 testhost snapd-desktop-integration.snapd-desktop-integration[18074]: rm: cannot remove '/home/user/snap/snapd-desktop-integration/253/.local/share/themes': Permission denied
Apr 18 22:07:56 testhost snapd-desktop-integration.snapd-desktop-integration[17984]: /snap/snapd-desktop-integration/253/gnome-platform/command-chain/desktop-launch: line 439: /home/user/snap/snapd-desktop-integration/253/.config/f>
Apr 18 22:07:56 testhost snapd-desktop-integration.snapd-desktop-integration[18075]: ln: failed to create symbolic link '/home/user/snap/snapd-desktop-integration/253/.local/share/themes': Permission denied
Apr 18 22:07:56 testhost snapd-desktop-integration.snapd-desktop-integration[18076]: ln: failed to create symbolic link '/home/user/snap/snapd-desktop-integration/253/.themes': Permission denied
Apr 18 22:07:56 testhost snapd-desktop-integration.snapd-desktop-integration[18079]: rm: cannot remove '/home/user/snap/snapd-desktop-integration/common/.cache/gio-modules'
Apr 18 22:07:56 testhost snapd-desktop-integration.snapd-desktop-integration[18081]: rm: cannot remove '/home/user/snap/snapd-desktop-integration/253/.local/share/glib-2.0/schemas'
Apr 18 22:07:56 testhost snapd-desktop-integration.snapd-desktop-integration[18079]: : Permission denied
Apr 18 22:07:56 testhost snapd-desktop-integration.snapd-desktop-integration[18081]: : Permission denied
Apr 18 22:07:56 testhost snapd-desktop-integration.snapd-desktop-integration[18083]: ln: failed to create symbolic link '/home/user/snap/snapd-desktop-integration/common/.cache/gio-modules/libdconfsettings.so': File exists
Apr 18 22:07:56 testhost snapd-desktop-integration.snapd-desktop-integration[18083]: ln: failed to create symbolic link '/home/user/snap/snapd-desktop-integration/common/.cache/gio-modules/libgioenvironmentproxy.so': File exists
Apr 18 22:07:56 testhost snapd-desktop-integration.snapd-desktop-integration[18083]: ln: failed to create symbolic link '/home/user/snap/snapd-desktop-integration/common/.cache/gio-modules/libgiognomeproxy.so': File exists
Apr 18 22:07:56 testhost snapd-desktop-integration.snapd-desktop-integration[18083]: ln: failed to create symbolic link '/home/user/snap/snapd-desktop-integration/common/.cache/gio-modules/libgiognutls.so': File exists
Apr 18 22:07:56 testhost snapd-desktop-integration.snapd-desktop-integration[18083]: ln: failed to create symbolic link '/home/user/snap/snapd-desktop-integration/common/.cache/gio-modules/libgiolibproxy.so': File exists
Apr 18 22:07:56 testhost snapd-desktop-integration.snapd-desktop-integration[18091]: Unable to open directory /home/user/snap/snapd-desktop-integration/common/.cache/gio-modules: Error opening directory “/home/user/snap/snapd-deskt>
Apr 18 22:07:56 testhost snapd-desktop-integration.snapd-desktop-integration[18095]: rm: cannot remove '/home/user/snap/snapd-desktop-integration/common/.cache/gdk-pixbuf-loaders.cache': Permission denied
Apr 18 22:07:56 testhost snapd-desktop-integration.snapd-desktop-integration[17984]: /snap/snapd-desktop-integration/253/gnome-platform/command-chain/desktop-launch: line 533: /home/user/snap/snapd-desktop-integration/common/.cache>
Apr 18 22:07:56 testhost snapd-desktop-integration.snapd-desktop-integration[18097]: rm: cannot remove '/home/user/snap/snapd-desktop-integration/253/.local/share/icons': Permission denied
Apr 18 22:07:56 testhost snapd-desktop-integration.snapd-desktop-integration[18105]: rm: cannot remove '/home/user/snap/snapd-desktop-integration/253/.config/ibus/bus': Permission denied
Apr 18 22:07:56 testhost snapd-desktop-integration.snapd-desktop-integration[18108]: ln: failed to create symbolic link '/home/user/snap/snapd-desktop-integration/253/.config/ibus/bus': Permission denied
Apr 18 22:07:56 testhost snapd-desktop-integration.snapd-desktop-integration[18113]: rm: cannot remove '/home/user/snap/snapd-desktop-integration/common/.cache/immodules': Permission denied
Apr 18 22:07:56 testhost snapd-desktop-integration.snapd-desktop-integration[18118]: ln: failed to create symbolic link '/home/user/snap/snapd-desktop-integration/common/.cache/immodules/im-am-et.so': File exists
Apr 18 22:07:56 testhost snapd-desktop-integration.snapd-desktop-integration[18118]: ln: failed to create symbolic link '/home/user/snap/snapd-desktop-integration/common/.cache/immodules/im-broadway.so': File exists
Apr 18 22:07:56 testhost snapd-desktop-integration.snapd-desktop-integration[18118]: ln: failed to create symbolic link '/home/user/snap/snapd-desktop-integration/common/.cache/immodules/im-cedilla.so': File exists
Apr 18 22:07:56 testhost snapd-desktop-integration.snapd-desktop-integration[18118]: ln: failed to create symbolic link '/home/user/snap/snapd-desktop-integration/common/.cache/immodules/im-cyrillic-translit.so': File exists
Apr 18 22:07:56 testhost snapd-desktop-integration.snapd-desktop-integration[18118]: ln: failed to create symbolic link '/home/user/snap/snapd-desktop-integration/common/.cache/immodules/im-fcitx.so': File exists
Apr 18 22:07:56 testhost snapd-desktop-integration.snapd-desktop-integration[18118]: ln: failed to create symbolic link '/home/user/snap/snapd-desktop-integration/common/.cache/immodules/im-ibus.so': File exists
Apr 18 22:07:56 testhost snapd-desktop-integration.snapd-desktop-integration[18118]: ln: failed to create symbolic link '/home/user/snap/snapd-desktop-integration/common/.cache/immodules/im-inuktitut.so': File exists
Apr 18 22:07:56 testhost snapd-desktop-integration.snapd-desktop-integration[18118]: ln: failed to create symbolic link '/home/user/snap/snapd-desktop-integration/common/.cache/immodules/im-ipa.so': File exists
Apr 18 22:07:56 testhost snapd-desktop-integration.snapd-desktop-integration[18118]: ln: failed to create symbolic link '/home/user/snap/snapd-desktop-integration/common/.cache/immodules/im-multipress.so': File exists
Apr 18 22:07:56 testhost snapd-desktop-integration.snapd-desktop-integration[18118]: ln: failed to create symbolic link '/home/user/snap/snapd-desktop-integration/common/.cache/immodules/im-thai.so': File exists
Apr 18 22:07:56 testhost snapd-desktop-integration.snapd-desktop-integration[18118]: ln: failed to create symbolic link '/home/user/snap/snapd-desktop-integration/common/.cache/immodules/im-ti-er.so': File exists
Apr 18 22:07:56 testhost snapd-desktop-integration.snapd-desktop-integration[18118]: ln: failed to create symbolic link '/home/user/snap/snapd-desktop-integration/common/.cache/immodules/im-ti-et.so': File exists
Apr 18 22:07:56 testhost snapd-desktop-integration.snapd-desktop-integration[18118]: ln: failed to create symbolic link '/home/user/snap/snapd-desktop-integration/common/.cache/immodules/im-viqr.so': File exists
Apr 18 22:07:56 testhost snapd-desktop-integration.snapd-desktop-integration[18118]: ln: failed to create symbolic link '/home/user/snap/snapd-desktop-integration/common/.cache/immodules/im-wayland.so': File exists
Apr 18 22:07:56 testhost snapd-desktop-integration.snapd-desktop-integration[18118]: ln: failed to create symbolic link '/home/user/snap/snapd-desktop-integration/common/.cache/immodules/im-waylandgtk.so': File exists
Apr 18 22:07:56 testhost snapd-desktop-integration.snapd-desktop-integration[18118]: ln: failed to create symbolic link '/home/user/snap/snapd-desktop-integration/common/.cache/immodules/im-xim.so': File exists
Apr 18 22:07:56 testhost snapd-desktop-integration.snapd-desktop-integration[17984]: /snap/snapd-desktop-integration/253/gnome-platform/command-chain/desktop-launch: line 627: /home/user/snap/snapd-desktop-integration/common/.cache>
Apr 18 22:07:56 testhost snapd-desktop-integration.snapd-desktop-integration[17984]: /snap/snapd-desktop-integration/253/gnome-platform/command-chain/desktop-launch: line 638: /home/user/snap/snapd-desktop-integration/253/.last_rev

I’ve configured the /etc/apparmor.d/tunables/home to allow /home/ and /mnt/home/ but this does not permit the firefox snap to load, it gets stuck at profile creation. (although it successfully creates all the files and directories)

# @{HOMEDIRS} is a space-separated list of where user home directories
# are stored, for programs that must enumerate all home directories on a
# system.
@{HOMEDIRS}=/home/ /mnt/home/

# @{HOME} is a space-separated list of all user home directories. While
# it doesn't refer to a specific home directory (AppArmor doesn't
# enforce discretionary access controls) it can be used as if it did
# refer to a specific home directory
@{HOME}=@{HOMEDIRS}/*/ /root/ /home/ /mnt/home/

Relevant System Information:
regular desktop w/ i5 and 16GB RAM, fresh install of 24.04 fully patched, can try in a vm if that might help

What I’ve Tried:

  • googled and read every snap apparmor nfs item I could find on the topic (and there are many older ones) but I get the impression tunables/home should fix
  • validated I have rw on the NFS mount and that its otherwise working (although perhaps I’m missing an obscure option since ln seems to fail the most ?)
  • validated that 2 different snaps have the problem (firefox and steam)
  • many reboots, daemon-reloads, apparmor_parser -r , mounts, unmounts, nfs options, and log file reviews
  • aa-status and complain

I would also love to know if there are better tools for troubleshooting this or any other hints or pointers

Hello and welcome to the community!

Maybe I missed it but did you try
sudo snap set system homedirs=/mnt/home/
as found at Home directories outside of ‘/home’. There are also suggestions for Bind mount home directories on that page.

thank you for the reply, I tried very similar things but just to make sure I went and tried all the suggestions on that page again

I ran

sudo snap unset system homedirs

then set it back to /mnt/home with

sudo snap set system homedirs=/mnt/home

which is the location of the NFS mount - when used in conjunction with a bind mount I think this is correct but I tried again pointing the snap homedir at the bind mount at /home as well

sadly still the same errors. screenshots are tricky without a functional browser but here is a picture of the NS_ERROR_FILE_ACCESS_DENIED

Perhaps this could be solved using snaps removable-media interface as suggested by @ogra in this thread.

Is your NFS mount using the no_root_squash option? IIRC that is required…
(user_allow_other might additionally be a good idea too)

EDIT: oops, sorry, you showed it above, try to switch from root_squash to no_root_squash

no_root_squash did not change anything. firefox snap still creates the ~/snap/ and sub-directories successfully but still gets the error attempting to create the profile.

I’m a little confused about the user_allow_other instruction. All the documentation I can find for it references fuse, I wasn’t aware that NFS used fuse.

I’m still learning about apparmor profiles but it seems like the profile that comes with the snap in /var/lib/snapd/apparmor/profiles/ does not work with NFS, it’s giving DENIED on simple comms like touch or file

(edited for grammar / completeness)

just for testing (and to confirm NFS, and so I could paste here from a browser on a failing computer) I’ve set up a different computer and set the apparmor profile /var/lib/snapd/apparmor/profiles/snap.firefox.firefox to complain and firefox runs correctly. of course this level of security is completely inviable :sweat_smile:

enforce

Apr 24 19:42:42 OptiPlex-7040 kernel: audit: type=1400 audit(1745538162.132:3800): apparmor="DENIED" operation="open" class="file" profile="snap.firefox.firefox" name=2F686F6D652F776272622F736E61702F66697265666F782F636F6D6D6F6E2F2E6D6F7A696C6C612F66697265666F782F75326B70626277392E44656661756C7420557365722F74696D65732E6A736F6E pid=191556 comm="firefox" requested_mask="wc" denied_mask="wc" fsuid=1001 ouid=1000
Apr 24 19:42:42 OptiPlex-7040 kernel: audit: type=1400 audit(1745538162.160:3801): apparmor="DENIED" operation="open" class="file" profile="snap.firefox.firefox" name="/home/wbrb/snap/firefox/common/.cache/gdk-pixbuf-loaders.cache" pid=191556 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1001 ouid=1000
Apr 24 19:42:42 OptiPlex-7040 kernel: audit: type=1400 audit(1745538162.180:3802): apparmor="DENIED" operation="open" class="file" profile="snap.firefox.firefox" name="/home/wbrb/snap/firefox/6042/.config/pulse/" pid=191556 comm="threaded-ml" requested_mask="r" denied_mask="r" fsuid=1001 ouid=1000
Apr 24 19:42:42 OptiPlex-7040 kernel: audit: type=1400 audit(1745538162.180:3803): apparmor="DENIED" operation="rmdir" class="file" profile="snap.firefox.firefox" name="/home/wbrb/snap/firefox/6042/.config/pulse/" pid=191556 comm="threaded-ml" requested_mask="d" denied_mask="d" fsuid=1001 ouid=1000
Apr 24 19:42:42 OptiPlex-7040 kernel: audit: type=1400 audit(1745538162.182:3804): apparmor="DENIED" operation="open" class="file" profile="snap.firefox.firefox" name="/home/wbrb/snap/firefox/6042/.config/pulse/cookie" pid=191556 comm="threaded-ml" requested_mask="wrc" denied_mask="wrc" fsuid=1001 ouid=1000
Apr 24 19:42:42 OptiPlex-7040 kernel: audit: type=1400 audit(1745538162.182:3805): apparmor="DENIED" operation="open" class="file" profile="snap.firefox.firefox" name="/home/wbrb/snap/firefox/6042/.config/pulse/cookie" pid=191556 comm="threaded-ml" requested_mask="r" denied_mask="r" fsuid=1001 ouid=1000
Apr 24 19:42:42 OptiPlex-7040 kernel: audit: type=1400 audit(1745538162.189:3806): apparmor="DENIED" operation="open" class="file" profile="snap.firefox.firefox" name="/home/wbrb/snap/firefox/common/.cache/event-sound-cache.tdb.OptiPlex-7040.x86_64-pc-linux-gnu" pid=191556 comm="firefox" requested_mask="wrc" denied_mask="wrc" fsuid=1001 ouid=1000
Apr 24 19:42:42 OptiPlex-7040 kernel: audit: type=1400 audit(1745538162.199:3807): apparmor="DENIED" operation="open" class="file" profile="snap.firefox.firefox" name="/home/wbrb/snap/firefox/common/.cache/event-sound-cache.tdb.OptiPlex-7040.x86_64-pc-linux-gnu" pid=191556 comm="firefox" requested_mask="wrc" denied_mask="wrc" fsuid=1001 ouid=1000
Apr 24 19:59:59 OptiPlex-7040 kernel: [drm:retrieve_link_cap [amdgpu]] *ERROR* retrieve_link_cap: Read receiver caps dpcd data failed.
Apr 24 20:19:05 OptiPlex-7040 kernel: perf: interrupt took too long (3182 > 3165), lowering kernel.perf_event_max_sample_rate to 62000
Apr 24 20:44:09 OptiPlex-7040 kernel: audit: type=1400 audit(1745541849.643:3808): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="snap.firefox.firefox" pid=193716 comm="apparmor_parser"
Apr 24 20:44:15 OptiPlex-7040 kernel: audit: type=1400 audit(1745541855.121:3809): apparmor="DENIED" operation="open" class="file" profile="snap-update-ns.firefox" name="/proc/193741/maps" pid=193741 comm="5" requested_mask="r" denied_mask="r" fsuid=1001 ouid=0
Apr 24 20:44:15 OptiPlex-7040 kernel: audit: type=1400 audit(1745541855.129:3810): apparmor="DENIED" operation="open" class="file" profile="snap-update-ns.firefox" name="/home/wbrb/" pid=193741 comm="5" requested_mask="r" denied_mask="r" fsuid=1001 ouid=1000

complain

Apr 24 20:44:15 OptiPlex-7040 kernel: audit: type=1400 audit(1745541855.155:3811): apparmor="ALLOWED" operation="open" class="file" profile="snap.firefox.firefox" name="/home/wbrb/snap/firefox/6042/.last_revision" pid=193719 comm="desktop-launch" requested_mask="r" denied_mask="r" fsuid=1001 ouid=1000
Apr 24 20:44:15 OptiPlex-7040 kernel: audit: type=1400 audit(1745541855.158:3812): apparmor="ALLOWED" operation="file_perm" class="file" profile="snap.firefox.firefox" name="/home/wbrb/snap/firefox/6042/.last_revision" pid=193719 comm="desktop-launch" requested_mask="r" denied_mask="r" fsuid=1001 ouid=1000
Apr 24 20:44:15 OptiPlex-7040 kernel: audit: type=1400 audit(1745541855.163:3813): apparmor="ALLOWED" operation="chmod" class="file" profile="snap.firefox.firefox" name="/home/wbrb/snap/firefox/6042/.config/" pid=193752 comm="chmod" requested_mask="w" denied_mask="w" fsuid=1001 ouid=1000
Apr 24 20:44:15 OptiPlex-7040 kernel: audit: type=1400 audit(1745541855.180:3814): apparmor="ALLOWED" operation="open" class="file" profile="snap.firefox.firefox" name="/home/wbrb/snap/firefox/common/.cache/desktop-runtime-date" pid=193754 comm="touch" requested_mask="wc" denied_mask="wc" fsuid=1001 ouid=1000
Apr 24 20:44:15 OptiPlex-7040 kernel: audit: type=1400 audit(1745541855.213:3815): apparmor="ALLOWED" operation="open" class="file" profile="snap.firefox.firefox" name="/home/wbrb/snap/firefox/6042/.config/user-dirs.dirs" pid=193719 comm="desktop-launch" requested_mask="r" denied_mask="r" fsuid=1001 ouid=1000

Oh, interesting, your owner (ouid) does not match the id of executing user (fsuid) and the apparmor profile for the snap home interface actually enforces that owner needs to match executing user …

I’m not sure how to overcome this, but this is definitely the root of your issue …

ogra@styx:~$ grep owner /var/lib/snapd/apparmor/profiles/snap*|grep firefox|grep "@{HOME}/ "
/var/lib/snapd/apparmor/profiles/snap.firefox.firefox:owner @{HOME}/ r,
/var/lib/snapd/apparmor/profiles/snap.firefox.geckodriver:owner @{HOME}/ r,
/var/lib/snapd/apparmor/profiles/snap-update-ns.firefox:  owner @{HOME}/ r,
ogra@styx:~$ 
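A way to spot the fsuid/ouid mismatch described above without reading raw audit lines by eye, as an added example that is not part of the original thread. It decodes hex-encoded `name=` values and sorts denials by likely cause; the sample lines, function names and verdict labels are constructed for illustration.

```python
import re

# Constructed sample lines in the kernel audit format quoted in the thread.
# The first name contains a space, so it appears hex-encoded like the one above.
_HEX = "/home/user/snap/firefox/common/My Profile/times.json".encode().hex().upper()
_PRE = 'Apr 24 19:42:42 host kernel: audit: type=1400 audit(1745538162.1:1): '
SAMPLE_LINES = [
    _PRE + 'apparmor="DENIED" operation="open" class="file" '
    'profile="snap.firefox.firefox" name=' + _HEX + ' pid=100 comm="firefox" '
    'requested_mask="wc" denied_mask="wc" fsuid=1001 ouid=1000',
    _PRE + 'apparmor="DENIED" operation="open" class="file" '
    'profile="snap.firefox.firefox" name="/srv/data/report.txt" pid=100 '
    'comm="firefox" requested_mask="r" denied_mask="r" fsuid=1001 ouid=1001',
    _PRE + 'apparmor="ALLOWED" operation="open" class="file" '
    'profile="snap.firefox.firefox" name="/home/user/snap/firefox/1/.last_revision" '
    'pid=101 comm="desktop-launch" requested_mask="r" denied_mask="r" '
    'fsuid=1001 ouid=1000',
    # Cut off by the journalctl pager: fsuid/ouid never made it into the paste.
    _PRE + 'apparmor="DENIED" operation="open" class="file" '
    'profile="snap.firefox.firefox" name="/home/user/snap/firefox/1/.config/pulse/" pid=4>',
    'Apr 24 19:59:59 host kernel: perf: interrupt took too long',
]

# key="quoted value" or key=bare-token
FIELD = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_event(line):
    """Return the key=value fields of an AppArmor audit line, or None."""
    if 'apparmor="' not in line:
        return None
    event = {}
    for key, raw, quoted in FIELD.findall(line):
        if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
            event[key] = quoted
        elif key == "name":
            # An unquoted name is hex-encoded (path has a space or similar).
            try:
                event[key] = bytes.fromhex(raw).decode("utf-8", "replace")
            except ValueError:
                event[key] = raw  # truncated or otherwise not valid hex
        else:
            event[key] = raw
    return event


def classify(event):
    """Sort a parsed event by the most likely reason for the denial."""
    if event.get("apparmor") != "DENIED":
        return "ignored"
    if "fsuid" not in event or "ouid" not in event:
        return "incomplete"        # re-capture with: journalctl --no-pager
    if event["fsuid"] != event["ouid"]:
        return "owner-mismatch"    # candidate for a failed `owner` rule
    return "path-or-mode"          # uids match: path or permission not granted


def triage(lines):
    """Return (verdict, profile, name, fsuid, ouid) for each denial."""
    rows = []
    for line in lines:
        event = parse_event(line)
        if event is None:
            continue
        verdict = classify(event)
        if verdict != "ignored":
            rows.append((verdict, event.get("profile"), event.get("name"),
                         event.get("fsuid"), event.get("ouid")))
    return rows


if __name__ == "__main__":
    for row in triage(SAMPLE_LINES):
        print(*row, sep="\t")
```

An `owner-mismatch` verdict only says the denial is consistent with an `owner` rule failing; the profile itself still decides which rule applied.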

thank you @ogra it’s working

I tried idmap but failed, based on the linked article without kerberos it’s a lost cause (and I’m not there for the home network yet)
SF note on r working with idmap but not w using sec=sys

I scrapped the idea of exporting the whole /home/ directory containing multiple uid profiles and went back to individual profile mounts doing individual UIDs. so that means I’m back to matching uid between the client and server and I want to keep the scope of this issue as small as possible :upside_down_face:

I’m sure it could be tightened up but for anyone else (or for me in 6 months) here is a working single uid example that doesn’t make snap/apparmor angry:

testuser4000 is assumed to have been created on both NFS server and client with uid 4000 (just to avoid confusion with default 1000/1001 stuff)

#server /etc/exports
/mnt/profiles/testuser4000 192.168.1.0/24(rw,async,no_root_squash,all_squash,crossmnt,uid=4000)
#client nfs /etc/fstab
192.168.1.131:/mnt/profiles/testuser4000 /mnt/home/testuser4000 nfs4 rw,async,relatime,vers=4.2,rsize=262144,wsize=262144,namlen=255,hard,proto=tcp,timeo=600,retrans=2,sec=sys,clientaddr=192.168.1.15,local_lock=none,addr=192.168.1.131 0 0

#bind mount from mountpoint into home probably unnecessary now that its individual uids
/mnt/home/testuser4000 /home/testuser4000 none bind,uid=4000

also if you modified/added:

/sys/module/nfsd/parameters/nfs4_disable_idmapping (on server)
/sys/module/nfs/parameters/nfs4_disable_idmapping (on client)
/etc/modprobe.d/nfs.conf
/etc/modprobe.d/nsfd.conf

make sure to clean them up or else nfsv4 client maps to nobody/nogroup and snap apparmor profile DENIED comes back

thanks again, this topic can be closed (posted from firefox via testuser4000)

Since you opened it, would you mind doing this by clicking on the little checkbox in the post you consider the solution ?
