container with physical disk

Idar Lund

Hi,

I've got a spare physical disk (/dev/sdb) that I want to add to a container. How do I do that?

-Idar
 
Hi,

Found an answer here: https://forum.proxmox.com/threads/lxc-cannot-assign-a-block-device-to-container.23256/

But it turns out that I actually don't need to add the block device as a block device after all. The mountpoint (mpX) config option solved everything for me. This makes my LXC config file look like this:

Code:
arch: amd64
cores: 8
hostname: pwleak2
memory: 16384
net0: name=eth0,bridge=vmbr0,hwaddr=c2:ba:b7:03:6e:30,ip=dhcp,tag=15,type=veth
ostype: centos
rootfs: local:121/vm-121-disk-1.raw,size=50G
swap: 0
mp0: /dev/sdb1,mp=/mnt/esdb,backup=0

...but before I got this far, I did all this. I'm posting it here so that, if others really need to use a block device for their setup, this guide should work.

Since the "lxc.aa_profile" has been changed to "lxc.apparmor.profile" in 2.1 (https://discuss.linuxcontainers.org/t/lxc-2-1-has-been-released/487), I had to use that instead.

When adding this to my lxc config file (/etc/pve/lxc/121.conf):
Code:
#allow block device passthrough
lxc.apparmor.profile: lxc-container-default-with-mounting
#add /dev/sdb
lxc.cgroup.devices.allow = b 8:16 rwm
#add /dev/sdb1 (with ext4 partition)
lxc.cgroup.devices.allow = b 8:17 rwm
...the container did not boot. I got a blank screen with nothing in it. I therefore added the "lxc.log.level: 1" option to my config file to be able to figure out what's going on in my logfile (/var/log/lxc/121.log).

I saw that my AppArmor profile had been loaded:
Code:
lxc-start 121 20180319140743.877 INFO     lxc_apparmor - lsm/apparmor.c:apparmor_process_label_set:238 - changed apparmor profile to lxc-container-default-with-mounting

I also saw repeating:
Code:
lxc-start 121 20180319140743.880 DEBUG    lxc_commands - commands.c:lxc_cmd_handler:1037 - Peer has disconnected for "get_init_pid"
lxc-start 121 20180319140743.880 DEBUG    lxc_commands - commands.c:lxc_cmd_handler:1037 - Peer has disconnected for "get_init_pid"
lxc-start 121 20180319140743.880 DEBUG    lxc_commands - commands.c:lxc_cmd_handler:1037 - Peer has disconnected for "get_cgroup"
lxc-start 121 20180319140743.880 DEBUG    lxc_commands - commands.c:lxc_cmd_handler:1037 - Peer has disconnected for "get_cgroup"
lxc-start 121 20180319140743.880 DEBUG    lxc_commands - commands.c:lxc_cmd_handler:1037 - Peer has disconnected for "get_state"
lxc-start 121 20180319140743.880 DEBUG    lxc_commands - commands.c:lxc_cmd_handler:1037 - Peer has disconnected for "get_state"
lxc-start 121 20180319140743.880 DEBUG    lxc_commands - commands.c:lxc_cmd_handler:1037 - Peer has disconnected for "get_cgroup"
lxc-start 121 20180319140743.880 DEBUG    lxc_commands - commands.c:lxc_cmd_handler:1037 - Peer has disconnected for "get_cgroup"
lxc-start 121 20180319140743.880 DEBUG    lxc_commands - commands.c:lxc_cmd_handler:1037 - Peer has disconnected for "get_state"
...but nothing was happening in the container. It was totally blank.

I removed the lxc.apparmor.profile config line to see which AppArmor profile is loaded by default; the result was "lxc-default-with-mounting-cgns". I checked the /etc/apparmor.d/lxc/ directory and found a file called "lxc-default-cgns", with the following content:
Code:
# Do not load this file.  Rather, load /etc/apparmor.d/lxc-containers, which
# will source all profiles under /etc/apparmor.d/lxc

profile lxc-container-default-cgns flags=(attach_disconnected,mediate_deleted) {
  #include <abstractions/lxc/container-base>

  # the container may never be allowed to mount devpts.  If it does, it
  # will remount the host's devpts.  We could allow it to do it with
  # the newinstance option (but, right now, we don't).
  deny mount fstype=devpts,
  mount fstype=cgroup -> /sys/fs/cgroup/**,
}

The important part here is the "mount fstype=cgroup -> /sys/fs/cgroup/**" config line. I then copied the "lxc-default-with-mounting" config to "lxc-default-with-mounting-cgns" and added the cgroup config like this:
Code:
# Do not load this file.  Rather, load /etc/apparmor.d/lxc-containers, which
# will source all profiles under /etc/apparmor.d/lxc

profile lxc-default-with-mounting-cgns flags=(attach_disconnected,mediate_deleted) {
  #include <abstractions/lxc/container-base>

# allow standard blockdevtypes.
# The concern here is in-kernel superblock parsers bringing down the
# host with bad data.  However, we continue to disallow proc, sys, securityfs,
# etc to nonstandard locations.
  mount fstype=cgroup -> /sys/fs/cgroup/**,
  mount fstype=ext*,
  mount fstype=xfs,
  mount fstype=btrfs,
}

When creating new AppArmor files, I had to reload them. I don't know how to do that and I was too lazy to google, but a reboot did the trick. After that I changed my LXC config by replacing the "lxc.apparmor.profile" like this:
Code:
#allow block device passthrough
lxc.apparmor.profile: lxc-default-with-mounting-cgns
#add /dev/sdb
lxc.cgroup.devices.allow = b 8:16 rwm
#add /dev/sdb1 (with ext4 partition)
lxc.cgroup.devices.allow = b 8:17 rwm

Finally the LXC is starting correctly! After this I can add the block device to the LXC with "lxc-device add -n 121 /dev/sdb" and "lxc-device add -n 121 /dev/sdb1" (sdb1 already has an ext4 partition). This made it possible to mount the partition within the LXC.

To add the block device when the LXC is starting, I had to do the following: https://forum.proxmox.com/threads/lxc-cannot-assign-a-block-device-to-container.23256/#post-118361
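An added example (not from the thread or from Proxmox): a small Python audit that parses a PVE container config like the 121.conf above, flags the settings that widen the container beyond a plain mpX bind mount (raw block-device cgroup rules, especially with the "m"/mknod bit, and an overridden AppArmor profile), and derives a devices.allow rule from a device node's real major:minor numbers instead of hard-coding 8:16. The sample config is constructed from the lines posted above.

```python
import os
import re
import stat

# Constructed sample: the thread's 121.conf with the mp0 bind mount and the
# raw cgroup device rules present at the same time.
SAMPLE_CONF = """\
hostname: pwleak2
rootfs: local:121/vm-121-disk-1.raw,size=50G
mp0: /dev/sdb1,mp=/mnt/esdb,backup=0
lxc.apparmor.profile: lxc-default-with-mounting-cgns
lxc.cgroup.devices.allow = b 8:16 rwm
lxc.cgroup.devices.allow = b 8:17 rwm
"""
# "key: value" is PVE syntax; "key = value" is a raw LXC line passed through.
LINE_RE = re.compile(r"^\s*([\w.]+)\s*[:=]\s*(.*?)\s*$")
# cgroup device rule: type (a/b/c), major:minor (or *), permissions r/w/m.
DEV_RE = re.compile(r"^([abc])\s+(\d+|\*):(\d+|\*)\s+([rwm]+)$")

def parse_conf(text):
    """Return (key, value) pairs; '#' comment lines fail LINE_RE and are skipped."""
    return [m.groups() for m in map(LINE_RE.match, text.splitlines()) if m]

def parse_mountpoint(value):
    """'/dev/sdb1,mp=/mnt/esdb,backup=0' -> {'volume': '/dev/sdb1', 'mp': '/mnt/esdb', 'backup': '0'}"""
    volume, *opts = value.split(",")
    return {"volume": volume, **dict(o.partition("=")[::2] for o in opts)}

def audit(text):
    """List settings that widen the container beyond a plain mpX bind mount."""
    findings = []
    for key, value in parse_conf(text):
        if key == "lxc.cgroup.devices.allow" and (m := DEV_RE.match(value)):
            kind, major, minor, perms = m.groups()
            if kind == "b":  # raw block device: the container sees the disk itself
                note = " (includes mknod)" if "m" in perms else ""
                findings.append(f"block device {major}:{minor} allowed '{perms}'{note}")
        elif key == "lxc.apparmor.profile":  # any explicit override is worth a look
            findings.append(f"AppArmor profile overridden: {value}")
    return findings

def devices_allow_line(dev_path, perms="rw"):
    """Build the cgroup rule from the node's real major:minor; 'rw' omits mknod."""
    st = os.stat(dev_path)
    kind = "b" if stat.S_ISBLK(st.st_mode) else "c" if stat.S_ISCHR(st.st_mode) else None
    return None if kind is None else f"{kind} {os.major(st.st_rdev)}:{os.minor(st.st_rdev)} {perms}"
```

Running `audit(SAMPLE_CONF)` reports the profile override and both 8:16/8:17 rules with mknod; a config that only carries the mp0 line comes back clean, which is why the mpX approach is the one to prefer when it works.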
 

Hi Idar,
I followed your simplified procedure using mpX to try to mount an HD in an Ubuntu LXC; however, the mp0 line in the config file prevents the container from starting.

I did note that you assign directly in mp0: /dev/sdb1,mp=/mnt/test,backup=0
whereas in my PVE disk table only /dev/sdb can be seen.

Are the abstractions still required?
Code:
mount fstype=cgroup -> /sys/fs/cgroup/**,
mount fstype=ext*,
mount fstype=xfs,
mount fstype=btrfs,
and ...
Code:
#allow block device passthrough
lxc.apparmor.profile: lxc-default-with-mounting-cgns
#add /dev/sdb
lxc.cgroup.devices.allow = b 8:16 rwm
#add /dev/sdb1 (with ext4 partition)
lxc.cgroup.devices.allow = b 8:17 rwm

finnboat
 
Thank you!!!
 
Curious, what are the solution and steps for the current version of PVE & LXC?!

Any guidance is greatly appreciated.
 