Hi,
Found an answer here: https://forum.proxmox.com/threads/lxc-cannot-assign-a-block-device-to-container.23256/
But it turns out that I actually don't need to add the block device as a block device after all. The mountpoint (mpX) config option solved everything for me. That makes my lxc config file like this:
..but before I got this far, I did all this:
I'm posting it here, so that if others really need to use a block device for their setup. This guide should work.
Since the "lxc.aa_profile" has been changed to "lxc.apparmor.profile" in 2.1 (https://discuss.linuxcontainers.org/t/lxc-2-1-has-been-released/487), I had to use that instead.
When adding this to my lxc config file (/etc/pve/lxc/121.conf):
..the container did not boot. I got a blank screen with nothing in it. I therefore added the "lxc.log.level: 1" option to my config file to be able to figure out what's going on in my logfile (/var/log/lxc/121.log).
I saw that my app armor has been loaded:
I also saw repeating:
..but nothing were happening in the container. it was totally blank.
I removed the lxc.apparmor.profile configline to see which apparmor is loaded by default, the result was "lxc-default-with-mounting-cgns". I checked the /etc/apparmor.d/lxc/ directory and found a file called "lxc-default-cgns", with the following content:
The important part here is the "mount fstype=cgroup -> /sys/fs/cgroup/**" config line. I then created a copy of the "lxc-default-with-mounting" config to "lxc-default-with-mounting-cgns" and added the csgroup config like this:
When creating new apparmor files, I had to reload these files. I don't know how to do that and I was to lazy to google, but a reboot did the trick. After that I changed my lxc config by replacing the "lxc.apparmor.profile" like this:
Finally the lxc is starting correctly! After this I can add the block device to the lxc with "lxc-device add -n 121 /dev/sdb" and "lxc-device add -n 121 /dev/sdb1" (sdb1 allready have an ext4 partition). This made it possible to mount the partition within the lxc.
To add the block device when the lxc is starting, I had to do the following; https://forum.proxmox.com/threads/lxc-cannot-assign-a-block-device-to-container.23256/#post-118361
Found an answer here: https://forum.proxmox.com/threads/lxc-cannot-assign-a-block-device-to-container.23256/
But it turns out that I actually don't need to add the block device as a block device after all. The mountpoint (mpX) config option solved everything for me. That makes my lxc config file like this:
Code:
arch: amd64
cores: 8
hostname: pwleak2
memory: 16384
net0: name=eth0,bridge=vmbr0,hwaddr=c2:ba:b7:03:6e:30,ip=dhcp,tag=15,type=veth
ostype: centos
rootfs: local:121/vm-121-disk-1.raw,size=50G
swap: 0
mp0: /dev/sdb1,mp=/mnt/esdb,backup=0..but before I got this far, I did all this:
I'm posting it here, so that if others really need to use a block device for their setup. This guide should work.
Since the "lxc.aa_profile" has been changed to "lxc.apparmor.profile" in 2.1 (https://discuss.linuxcontainers.org/t/lxc-2-1-has-been-released/487), I had to use that instead.
When adding this to my lxc config file (/etc/pve/lxc/121.conf):
Code:
#allow block device passthrough
lxc.apparmor.profile: lxc-container-default-with-mounting
#add /dev/sdb
lxc.cgroup.devices.allow = b 8:16 rwm
#add /dev/sdb1 (with ext4 partition)
lxc.cgroup.devices.allow = b 8:17 rwmI saw that my app armor has been loaded:
Code:
lxc-start 121 20180319140743.877 INFO lxc_apparmor - lsm/apparmor.c:apparmor_process_label_set:238 - changed apparmor profile to lxc-container-default-with-mountingI also saw repeating:
Code:
lxc-start 121 20180319140743.880 DEBUG lxc_commands - commands.c:lxc_cmd_handler:1037 - Peer has disconnected for "get_init_pid"
lxc-start 121 20180319140743.880 DEBUG lxc_commands - commands.c:lxc_cmd_handler:1037 - Peer has disconnected for "get_init_pid"
lxc-start 121 20180319140743.880 DEBUG lxc_commands - commands.c:lxc_cmd_handler:1037 - Peer has disconnected for "get_cgroup"
lxc-start 121 20180319140743.880 DEBUG lxc_commands - commands.c:lxc_cmd_handler:1037 - Peer has disconnected for "get_cgroup"
lxc-start 121 20180319140743.880 DEBUG lxc_commands - commands.c:lxc_cmd_handler:1037 - Peer has disconnected for "get_state"
lxc-start 121 20180319140743.880 DEBUG lxc_commands - commands.c:lxc_cmd_handler:1037 - Peer has disconnected for "get_state"
lxc-start 121 20180319140743.880 DEBUG lxc_commands - commands.c:lxc_cmd_handler:1037 - Peer has disconnected for "get_cgroup"
lxc-start 121 20180319140743.880 DEBUG lxc_commands - commands.c:lxc_cmd_handler:1037 - Peer has disconnected for "get_cgroup"
lxc-start 121 20180319140743.880 DEBUG lxc_commands - commands.c:lxc_cmd_handler:1037 - Peer has disconnected for "get_state"I removed the lxc.apparmor.profile configline to see which apparmor is loaded by default, the result was "lxc-default-with-mounting-cgns". I checked the /etc/apparmor.d/lxc/ directory and found a file called "lxc-default-cgns", with the following content:
Code:
# Do not load this file. Rather, load /etc/apparmor.d/lxc-containers, which
# will source all profiles under /etc/apparmor.d/lxc
profile lxc-container-default-cgns flags=(attach_disconnected,mediate_deleted) {
#include <abstractions/lxc/container-base>
# the container may never be allowed to mount devpts. If it does, it
# will remount the host's devpts. We could allow it to do it with
# the newinstance option (but, right now, we don't).
deny mount fstype=devpts,
mount fstype=cgroup -> /sys/fs/cgroup/**,
}The important part here is the "mount fstype=cgroup -> /sys/fs/cgroup/**" config line. I then created a copy of the "lxc-default-with-mounting" config to "lxc-default-with-mounting-cgns" and added the csgroup config like this:
Code:
# Do not load this file. Rather, load /etc/apparmor.d/lxc-containers, which
# will source all profiles under /etc/apparmor.d/lxc
profile lxc-default-with-mounting-cgns flags=(attach_disconnected,mediate_deleted) {
#include <abstractions/lxc/container-base>
# allow standard blockdevtypes.
# The concern here is in-kernel superblock parsers bringing down the
# host with bad data. However, we continue to disallow proc, sys, securityfs,
# etc to nonstandard locations.
mount fstype=cgroup -> /sys/fs/cgroup/**,
mount fstype=ext*,
mount fstype=xfs,
mount fstype=btrfs,
}When creating new apparmor files, I had to reload these files. I don't know how to do that and I was to lazy to google, but a reboot did the trick. After that I changed my lxc config by replacing the "lxc.apparmor.profile" like this:
Code:
#allow block device passthrough
lxc.apparmor.profile: lxc-default-with-mounting-cgns
#add /dev/sdb
lxc.cgroup.devices.allow = b 8:16 rwm
#add /dev/sdb1 (with ext4 partition)
lxc.cgroup.devices.allow = b 8:17 rwmFinally the lxc is starting correctly! After this I can add the block device to the lxc with "lxc-device add -n 121 /dev/sdb" and "lxc-device add -n 121 /dev/sdb1" (sdb1 allready have an ext4 partition). This made it possible to mount the partition within the lxc.
To add the block device when the lxc is starting, I had to do the following; https://forum.proxmox.com/threads/lxc-cannot-assign-a-block-device-to-container.23256/#post-118361
Hi ldar
I followed you simplified procedure using MPx to try to mount a HD in a Ubuntu LXC however the MP0 line in the config file prevents the container starting.
i did note that you assign directly in mp0: /dev/sdb1,mp=/mnt/test,backup=0
where in my PVE disk table only /dev/sdb can be seen
are the abstractions still required
mount fstype=cgroup -> /sys/fs/cgroup/**,
mount fstype=ext*,
mount fstype=xfs,
mount fstype=btrfs,
and ...
#allow block device passthrough
lxc.apparmor.profile: lxc-default-with-mounting-cgns
#add /dev/sdb
lxc.cgroup.devices.allow = b 8:16 rwm
#add /dev/sdb1 (with ext4 partition)
lxc.cgroup.devices.allow = b 8:17 rwm
finnboat
Last edited:
curious, what is the solution and steps for the current version of PVE & LXC ?!
any guidance is greatly appreciated
any guidance is greatly appreciated
I just did this and it worked just fine:
https://forum.proxmox.com/threads/accessing-a-host-partition-from-inside-a-container.54560/
I had the partition already created so all I did was mount it on the node and then add the info to fstab and the lxc container conf file.
https://forum.proxmox.com/threads/accessing-a-host-partition-from-inside-a-container.54560/
I had the partition already created so all I did was mount it on the node and then add the info to fstab and the lxc container conf file.