[lxc-users] Block devices not permitted on file system

Christian Brauner christianvanbrauner at gmail.com
Sun Feb 1 14:26:56 UTC 2015


On Sun, Feb 01, 2015 at 12:00:01PM +0000, lxc-users-request at lists.linuxcontainers.org wrote:
> Date: Sun, 1 Feb 2015 07:38:57 +0000
> From: Serge Hallyn <serge.hallyn at ubuntu.com>
> To: LXC users mailing-list <lxc-users at lists.linuxcontainers.org>
> Subject: Re: [lxc-users] Block devices not permitted on file system
> 
> Quoting Christian Brauner (subroutinecall at gmail.com):
> > Hello,
> > 
> > booting unprivileged Ubuntu trusty and vivid containers I get the
> > following messages when shutting them down:
> > 
> >     umount: /dev/zero: block devices are not permitted on filesystem
> 
> Apparently this is an error emitted by umount.c in util-linux when it
> gets a -EACCES.  My guess is that your underlying fs has real blockdevs,
> and the fs is MS_NODEV, and umount is somehow finding that unmounting
> the file mounted over those files would violate MS_NODEV.  I say somehow
> bc I don't see the code doing that check.
> 
> Though it's also possible that umount is misdiagnosing the EACCES.
> Just to be sure, you could try booting the container without apparmor:
> 
> lxc.aa_profile = unconfined
> 
> and see if that still does it.

That won't help as I'm on an Arch Linux box which does not use AppArmor, and I
did not compile it into my kernel. My lxc version is 1.1, cgmanager 0.35, lxcfs
0.5.

At least the output of findmnt does not show any "nodev" for /dev/sda2:

[chb at conventiont ~]$ findmnt
TARGET                           SOURCE            FSTYPE      OPTIONS
/                                /dev/sda2[/@]     btrfs       rw,relatime,compress-force=lzo,space_cache,autodefrag
├─/proc                          proc              proc        rw,nosuid,nodev,noexec,relatime
│ └─/proc/sys/fs/binfmt_misc     systemd-1         autofs      rw,relatime,fd=28,pgrp=1,timeout=300,minproto=5,maxproto=5,direct
│   └─/proc/sys/fs/binfmt_misc   binfmt_misc       binfmt_misc rw,relatime
├─/sys                           sys               sysfs       rw,nosuid,nodev,noexec,relatime
│ ├─/sys/kernel/security         securityfs        securityfs  rw,nosuid,nodev,noexec,relatime
│ ├─/sys/fs/cgroup               tmpfs             tmpfs       rw,mode=755
│ │ ├─/sys/fs/cgroup/systemd     cgroup            cgroup      rw,nosuid,nodev,noexec,relatime,xattr,release_agent=/usr/lib/systemd/systemd-cgroups-agent,name=systemd
│ │ ├─/sys/fs/cgroup/cpu,cpuacct cgroup            cgroup      rw,nosuid,nodev,noexec,relatime,cpu,cpuacct
│ │ ├─/sys/fs/cgroup/devices     cgroup            cgroup      rw,nosuid,nodev,noexec,relatime,devices
│ │ ├─/sys/fs/cgroup/freezer     cgroup            cgroup      rw,nosuid,nodev,noexec,relatime,freezer
│ │ ├─/sys/fs/cgroup/hugetlb     cgroup            cgroup      rw,nosuid,nodev,noexec,relatime,hugetlb,release_agent=/run/cgmanager/agents/cgm-release-agent.hugetlb
│ │ ├─/sys/fs/cgroup/cpuset      cgroup            cgroup      rw,nosuid,nodev,noexec,relatime,cpuset,clone_children
│ │ ├─/sys/fs/cgroup/blkio       cgroup            cgroup      rw,nosuid,nodev,noexec,relatime,blkio
│ │ ├─/sys/fs/cgroup/memory      cgroup            cgroup      rw,nosuid,nodev,noexec,relatime,memory
│ │ ├─/sys/fs/cgroup/debug       cgroup            cgroup      rw,nosuid,nodev,noexec,relatime,debug
│ │ ├─/sys/fs/cgroup/net_cls     cgroup            cgroup      rw,nosuid,nodev,noexec,relatime,net_cls
│ │ └─/sys/fs/cgroup/perf_event  cgroup            cgroup      rw,nosuid,nodev,noexec,relatime,perf_event,release_agent=/run/cgmanager/agents/cgm-release-agent.perf_event
│ ├─/sys/fs/pstore               pstore            pstore      rw,nosuid,nodev,noexec,relatime
│ ├─/sys/firmware/efi/efivars    efivarfs          efivarfs    rw,nosuid,nodev,noexec,relatime
│ ├─/sys/kernel/debug            debugfs           debugfs     rw,relatime
│ ├─/sys/fs/fuse/connections     fusectl           fusectl     rw,relatime
│ └─/sys/kernel/config           configfs          configfs    rw,relatime
├─/dev                           dev               devtmpfs    rw,nosuid,relatime,size=4035240k,nr_inodes=1008810,mode=755
│ ├─/dev/shm                     tmpfs             tmpfs       rw,nosuid,nodev
│ ├─/dev/pts                     devpts            devpts      rw,nosuid,noexec,relatime,gid=5,mode=620,ptmxmode=000
│ ├─/dev/hugepages               hugetlbfs         hugetlbfs   rw,relatime
│ └─/dev/mqueue                  mqueue            mqueue      rw,relatime
├─/run                           run               tmpfs       rw,nosuid,nodev,relatime,mode=755
│ └─/run/user/1000               tmpfs             tmpfs       rw,nosuid,nodev,relatime,size=807664k,mode=700,uid=1000,gid=1000
├─/tmp                           tmpfs             tmpfs       rw
├─/boot                          /dev/sda1         vfat        rw,relatime,fmask=0022,dmask=0022,codepage=437,iocharset=iso8859-1,shortname=mixed,errors=remount-ro
└─/var/lib/docker/btrfs          /dev/sda2[/@/var/lib/docker/btrfs]

> 
> 
> >     umount: /dev/urandom: block devices are not permitted on filesystem
> >     umount: /dev/tty: block devices are not permitted on filesystem
> >     umount: /dev/random: block devices are not permitted on filesystem
> >     umount: /dev/null: block devices are not permitted on filesystem
> >     umount: /dev/full: block devices are not permitted on filesystem
> >     umount: /dev/console: block devices are not permitted on filesystem
> > 
> > that goes for basically all device bind-mounts:
> > 
> >     umount: /dev/fb0: block devices are not permitted on filesystem
> >     umount: /dev/video0: block devices are not permitted on filesystem
> >     umount: /dev/dri: block devices are not permitted on filesystem
> >     umount: /dev/snd: block devices are not permitted on filesystem
> >     umount: /dev/zero: block devices are not permitted on filesystem
> >     umount: /dev/urandom: block devices are not permitted on filesystem
> >     umount: /dev/tty: block devices are not permitted on filesystem
> >     umount: /dev/random: block devices are not permitted on filesystem
> >     umount: /dev/null: block devices are not permitted on filesystem
> >     umount: /dev/full: block devices are not permitted on filesystem
> >     umount: /dev/console: block devices are not permitted on filesystem
> > 
> > Can someone explain this?
> > 
> > Best,
> > Christian
> > _______________________________________________
> > lxc-users mailing list
> > lxc-users at lists.linuxcontainers.org
> > http://lists.linuxcontainers.org/listinfo/lxc-users
> 
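
The check done by hand with findmnt above, as an added example that is not part of the original message: it parses text in /proc/self/mountinfo format, finds the mount that covers a path, and reports whether that mount carries nodev. The sample mount table is constructed and the function names are hypothetical.

```python
import re

# Constructed sample in /proc/self/mountinfo format (not taken from the thread);
# the last entry is a device node bind-mounted over itself with its own flags.
SAMPLE_MOUNTINFO = """\
20 1 0:18 /@ / rw,relatime shared:1 - btrfs /dev/sda2 rw,space_cache
21 20 0:6 / /dev rw,nosuid,relatime shared:2 - devtmpfs dev rw,mode=755
22 21 0:19 / /dev/shm rw,nosuid,nodev shared:3 - tmpfs tmpfs rw
23 21 0:6 /zero /dev/zero rw,nosuid,nodev,relatime - devtmpfs dev rw,mode=755
"""

def unescape(field):
    # mountinfo writes space, tab, newline and backslash as \ooo octal escapes.
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), field)

def parse_mountinfo(text):
    mounts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        # Fields before " - " are per-mount; the filesystem type follows it.
        per_mount, _, per_fs = line.partition(" - ")
        fields = per_mount.split()
        mounts.append({
            "mountpoint": unescape(fields[4]),
            "options": set(fields[5].split(",")),  # per-mount flags, e.g. nodev
            "fstype": per_fs.split()[0],
        })
    return mounts

def mount_for(path, mounts):
    # Longest mount point covering the path wins; on a tie the later entry
    # wins, because a later mount on the same point hides the earlier one.
    best = None
    for m in mounts:
        mp = m["mountpoint"]
        covers = mp == "/" or path == mp or path.startswith(mp.rstrip("/") + "/")
        if covers and (best is None or len(mp) >= len(best["mountpoint"])):
            best = m
    return best

def nodev_report(paths, mounts):
    # Map each path to (covering mount point, fstype, True if nodev is set).
    report = {}
    for p in paths:
        m = mount_for(p, mounts)
        report[p] = (m["mountpoint"], m["fstype"], "nodev" in m["options"])
    return report
```

On a live system, pass the contents of /proc/self/mountinfo (read inside the container or on the host) to parse_mountinfo instead of the sample.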

