[lxc-users] Block devices not permitted on file system

[Serge Hallyn]

Quoting Christian Brauner (subroutinecall at gmail.com):
> Hello,
> 
> booting unprivileged ubuntu trusty and vivid container I get the
> following messaged when shutting them down:
> 
>     umount: /dev/zero: block devices are not permitted on filesystem
>     umount: /dev/urandom: block devices are not permitted on filesystem
>     umount: /dev/tty: block devices are not permitted on filesystem
>     umount: /dev/random: block devices are not permitted on filesystem
>     umount: /dev/null: block devices are not permitted on filesystem
>     umount: /dev/full: block devices are not permitted on filesystem
>     umount: /dev/console: block devices are not permitted on filesystem
> 
> that goes for basically all device bind-mounts:
> 
>     umount: /dev/fb0: block devices are not permitted on filesystem
>     umount: /dev/video0: block devices are not permitted on filesystem
>     umount: /dev/dri: block devices are not permitted on filesystem
>     umount: /dev/snd: block devices are not permitted on filesystem
>     umount: /dev/zero: block devices are not permitted on filesystem
>     umount: /dev/urandom: block devices are not permitted on filesystem
>     umount: /dev/tty: block devices are not permitted on filesystem
>     umount: /dev/random: block devices are not permitted on filesystem
>     umount: /dev/null: block devices are not permitted on filesystem
>     umount: /dev/full: block devices are not permitted on filesystem
>     umount: /dev/console: block devices are not permitted on filesystem
> 
> Can someone explain this?

Ah - this is happening because the shutdown process is trying to do a
force umount.  We don't allow those (using seccom) because if the fs is
a bind mount from a fuse or nfs, it'll disconnect the original mount.

You can test this yourself by logging in and doing

umount -f /dev/urandom

versus

umount /dev/urandom

-serge