Fixing: Vagrant LXC error, mount.nfs: mount to NFS server 10.0.3.1:/path failed: timed out, giving up

Vagrant-LXC is a plugin that provides integration of Vagrant with LXC containers, a modern virtualisation technology native to Linux. To share files between the host and the container, NFS can be used. The Vagrant NFS plugin ensures that a NFS server runs at the host that exports predefined locations of the host’s filesystem. Sometimes, an error pops up when starting a Vagrant box, indicating that a timeout occurred and that starting the box failed.

A typical error is as follows:

mount.nfs: mount to NFS server ‘10.0.3.1:/path’ failed: timed out, giving up

Which means that the connection is blocked, often due to the firewall. Another error might be something like:

mount.nfs: access denied by server while mounting 10.0.3.1:/path

This practically means that the container is not allowed to reach the NFS server of the host, often due to AppArmor policy. I experienced this issue some time ago and discussed it in an issue at Github.

The problem can be caused by a combination of AppArmor policy (when working with Ubuntu) and the firewall.

Firewall

Blocked connections can often be fixed by configuring the firewall. The easiest way to fix this is to allow connections from the IP address of the container to the host. When using Uncomplicated FireWall (UFW), allow container connections by executing the following on the host in which 10.0.3.123 should be replaced by the IP address of the container.

sudo ufw allow from 10.0.3.123

Find the IP of the container as follows:

sudo lxc-ls

Determine which container is of interest. Copy the name.

sudo lxc-info -n some_container_1500900200100_75210 -iH

AppArmor

An ‘access denied’ error can be caused by AppArmor policy. AppArmor is an access control system implemented as a kernel enhancement in Ubuntu. Some LXC boxes don’t play well with AppArmor. We need to tell AppArmor that we do trust these containers. Add the following to your Vagrantfile to enable the aa_allow_incomplete option.

LXC_VERSION = `lxc-ls --version`.strip unless defined? LXC_VERSION
if LXC_VERSION >= "1.1.0"
  # Allow start without AppArmor, otherwise Box will not Start on Ubuntu 14.10
  # see https://github.com/fgrehm/vagrant-lxc/issues/333
  lxc.customize 'aa_allow_incomplete', 1
end