[Lxc-users] loop mount inside container

Marc Aymerich glicerinu at gmail.com
Tue Jun 5 22:14:05 UTC 2012


On Tue, Jun 5, 2012 at 9:20 PM, Stéphane Graber <stgraber at ubuntu.com> wrote:
> On 06/05/2012 02:58 PM, Marc Aymerich wrote:
>> Dear all,
>> I'm trying to mount an image file inside a container but it complains
>> about write permissions:
>>
>> (vct: container,
>> bestia: hw node)
>>
>> root at vct:/dev# mount -o loop /root/server_bootable.img /mnt/
>> mount: block device /root/server_bootable.img is write-protected,
>> mounting read-only
>> mount: cannot mount block device /dev/loop1 read-only
>>
>> root at vct:/# ls -al /dev/loop*
>> crw------- 1 root root 10, 237 Jun  4 14:52 /dev/loop-control
>> brw-rw---- 1 root disk  7,   0 Apr 26 17:10 /dev/loop0
>> brw-rw---- 1 root disk  7,   1 Apr 26 17:10 /dev/loop1
>> brw-rw---- 1 root disk  7,   2 Apr 26 17:10 /dev/loop2
>> brw-rw---- 1 root disk  7,   3 Apr 26 17:10 /dev/loop3
>> brw-rw---- 1 root disk  7,   4 Apr 26 17:10 /dev/loop4
>> brw-rw---- 1 root disk  7,   5 Apr 26 17:10 /dev/loop5
>> brw-rw---- 1 root disk  7,   6 Apr 26 17:10 /dev/loop6
>> brw-rw---- 1 root disk  7,   7 Apr 26 17:10 /dev/loop7
>>
>> Write permissions to /dev/loop1 are provided through the container config file
>> lxc.cgroup.devices.allow = b 7:* rwm
>> lxc.cgroup.devices.allow = c 10:237 rwm
>>
>> but in the end, I can't write to it:
>> root at vct:/dev# echo '' > /dev/loop1
>> -bash: echo: write error: Operation not permitted
>>
>> writing to other loop devices seems possible:
>> root at vct:/dev# echo '' > /dev/loop2
>> -bash: echo: write error: No space left on device
>>
>> I'm using ubuntu 10.04 with:
>>
>> root at vct:/# uname -r
>> 3.2.0-23-generic
>>
>> root at bestia:/# lxc-version
>> lxc version: 0.8.0-rc1
>>
>>
>> Any idea about what the problem could be?
>>
>> Thank you very much!!
>
>
> Ubuntu 10.04?? Based on your kernel and LXC version this sounds more
> like 12.04, so I'll give you the procedure for 12.04 :)

yeah, it's 12.04 :)

> 1) Copy /etc/apparmor.d/lxc/lxc-default to
> /etc/apparmor.d/lxc/lxc-default-with-loops
> 2) Edit /etc/apparmor.d/lxc/lxc-default-with-loops
>  - Rename lxc-container-default to lxc-container-default-with-loops
>  - Add an entry: "mount -> /mnt/," or matching the source node, fstype,
> ... depending what you exactly want to allow
> 3) sudo /etc/init.d/apparmor reload
> 4) Edit your container's configuration and set lxc.aa_profile to
> lxc-container-default-with-loops
> 5) Restart your container

Wow, amazing Stéphane, it worked just like that. Your help is top quality! :)

> Alternatively, you could set "lxc.aa_profile = unconfined" which would
> turn off apparmor entirely for the container.
>
> It's to be noted that apparmor is what's currently preventing your
> container from doing damage to your host, so it's best practice to have
> the most restrictive profile possible, at least until we have user
> namespaces.
>
> The "mount -> /mnt/" entry I proposed above isn't exactly "safe" as
> it'll allow the user to mount anything under /mnt, including a proc
> filesystem (which you could then use to access stuff like sysrq_trigger
> that are usually blocked by apparmor).
>
> The safest would be something like:
> "mount fstype=ext3 /dev/loop0 -> /mnt/,"
>
> Assuming you can know all of these in advance.
>
> Hope it helps!

Indeed it helped me :), thanks for solving the problem and providing
me with additional knowledge, which is very handy since I'm just
starting with LXC :)


-- 
Marc

