[Lxc-users] loop mount inside container

Stéphane Graber stgraber at ubuntu.com
Tue Jun 5 19:20:42 UTC 2012


On 06/05/2012 02:58 PM, Marc Aymerich wrote:
> Dear all,
> I'm trying to mount an image file inside a container but it complains
> about write permissions:
> 
> (vct: container,
> bestia: hw node)
> 
> root at vct:/dev# mount -o loop /root/server_bootable.img /mnt/
> mount: block device /root/server_bootable.img is write-protected,
> mounting read-only
> mount: cannot mount block device /dev/loop1 read-only
> 
> root at vct:/# ls -al /dev/loop*
> crw------- 1 root root 10, 237 Jun  4 14:52 /dev/loop-control
> brw-rw---- 1 root disk  7,   0 Apr 26 17:10 /dev/loop0
> brw-rw---- 1 root disk  7,   1 Apr 26 17:10 /dev/loop1
> brw-rw---- 1 root disk  7,   2 Apr 26 17:10 /dev/loop2
> brw-rw---- 1 root disk  7,   3 Apr 26 17:10 /dev/loop3
> brw-rw---- 1 root disk  7,   4 Apr 26 17:10 /dev/loop4
> brw-rw---- 1 root disk  7,   5 Apr 26 17:10 /dev/loop5
> brw-rw---- 1 root disk  7,   6 Apr 26 17:10 /dev/loop6
> brw-rw---- 1 root disk  7,   7 Apr 26 17:10 /dev/loop7
> 
> Write permissions to /dev/loop1 are provided through the container config file
> lxc.cgroup.devices.allow = b 7:* rwm
> lxc.cgroup.devices.allow = c 10:237 rwm
> 
> but in the end, I can't write to it:
> root at vct:/dev# echo '' > /dev/loop1
> -bash: echo: write error: Operation not permitted
> 
> writing to other loop devices seems possible:
> root at vct:/dev# echo '' > /dev/loop2
> -bash: echo: write error: No space left on device
> 
> I'm using ubuntu 10.04 with:
> 
> root at vct:/# uname -r
> 3.2.0-23-generic
> 
> root at bestia:/# lxc-version
> lxc version: 0.8.0-rc1
> 
> 
> Any idea about what the problem could be?
> 
> Thank you very much!!


Ubuntu 10.04?? Based on your kernel and LXC version this sounds more
like 12.04, so I'll give you the procedure for 12.04 :)

1) Copy /etc/apparmor.d/lxc/lxc-default to
/etc/apparmor.d/lxc/lxc-default-with-loops
2) Edit /etc/apparmor.d/lxc/lxc-default-with-loops
  - Rename lxc-container-default to lxc-container-default-with-loops
  - Add an entry: "mount -> /mnt/," or one matching the source node, fstype,
... depending on what exactly you want to allow
3) sudo /etc/init.d/apparmor reload
4) Edit your container's configuration and set lxc.aa_profile to
lxc-container-default-with-loops
5) Restart your container


Alternatively, you could set "lxc.aa_profile = unconfined" which would
turn off apparmor entirely for the container.

It's to be noted that apparmor is what's currently preventing your
container from doing damage to your host, so it's best practice to have
the most restrictive profile possible, at least until we have user
namespaces.

The "mount -> /mnt/" entry I proposed above isn't exactly "safe" as
it'll allow the user to mount anything under /mnt, including a proc
filesystem (which you could then use to access stuff like sysrq_trigger
that is usually blocked by apparmor).

The safest would be something like:
"mount fstype=ext3 /dev/loop0 -> /mnt/,"

Assuming you can know all of these in advance.

Hope it helps!

-- 
Stéphane Graber
Ubuntu developer
http://www.ubuntu.com
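An added helper (not from the lxc project or from the reply above) that carries out steps 1, 2 and 4 of the procedure, writing the narrow "mount fstype=... /dev/loopN -> /mnt/," rule instead of the broad "mount -> /mnt/,". Paths are parameters so it can be dry-run in a scratch directory; the stock profile it writes is a constructed sample of the 12.04 layout, and the rule insertion assumes the profile block closes with a "}" at the start of a line.

```shell
#!/bin/sh
# Added helper for steps 1, 2 and 4 of the procedure above; not from the
# lxc project. Paths are parameters so it can be dry-run outside /etc.
set -eu

# Constructed stand-in for /etc/apparmor.d/lxc/lxc-default (sample layout,
# not the real file); only the profile line and closing brace matter here.
write_sample_stock_profile() {
    cat > "$1" <<'EOF'
#include <tunables/global>

profile lxc-container-default flags=(attach_disconnected,mediate_deleted) {
  #include <abstractions/lxc/container-base>
}
EOF
}

# make_loop_profile SRC DST FSTYPE DEVICE TARGET
# Copies SRC to DST, renames the profile and inserts one narrow mount rule
# (fstype, source device and target all pinned) before the closing brace,
# rather than the broad "mount -> /mnt/," that would also admit a proc mount.
make_loop_profile() {
    src=$1; dst=$2; fstype=$3; dev=$4; target=$5
    rule="  mount fstype=${fstype} ${dev} -> ${target},"
    awk -v rule="$rule" '/^}/ { print rule } { print }' "$src" \
      | sed 's/^profile lxc-container-default /profile lxc-container-default-with-loops /' \
      > "$dst"
}

# set_aa_profile CONFIG NAME
# Replaces any existing lxc.aa_profile line in the container config with NAME.
set_aa_profile() {
    cfg=$1; name=$2
    grep -v '^lxc.aa_profile' "$cfg" > "$cfg.tmp" || true
    printf 'lxc.aa_profile = %s\n' "$name" >> "$cfg.tmp"
    mv "$cfg.tmp" "$cfg"
}

# Dry run in a scratch directory; on a real host point SRC/DST at
# /etc/apparmor.d/lxc/ and CONFIG at the container's config, then reload
# apparmor (step 3) and restart the container (step 5).
work=$(mktemp -d)
write_sample_stock_profile "$work/lxc-default"
make_loop_profile "$work/lxc-default" "$work/lxc-default-with-loops" \
    ext3 /dev/loop0 /mnt/
printf 'lxc.utsname = vct\n' > "$work/config"
set_aa_profile "$work/config" lxc-container-default-with-loops
cat "$work/lxc-default-with-loops" "$work/config"
```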
