[SOLVED] Mount via loop device in container

[Jon Clark]

Hi,

I am trying to mount using "mount -o loop" on a container and I am not able to do it.

The container is running Debian 9. My Proxmox version is 5.2-8.

I have done lots of web searching and read many posts about similar attempts (but nothing identical). As a result of have this set up.

I have created an apparmor profile:

root@pve:~# cat /etc/apparmor.d/lxc/lxc-container-default-cgns-with-mounting
# Do not load this file.  Rather, load /etc/apparmor.d/lxc-containers, which
# will source all profiles under /etc/apparmor.d/lxc
#
# This profile is a combination of lxc-container-default-cgns and
# lxc-container-default-with-mounting and other options to allow SAMBA and
# iso9660 mounts.

profile lxc-container-default-cgns-with-mounting flags=(attach_disconnected,mediate_deleted) {
  #include <abstractions/lxc/container-base>

# From pofile lxc-container-default-cgns:
  # the container may never be allowed to mount devpts.  If it does, it
  # will remount the host's devpts.  We could allow it to do it with
  # the newinstance option (but, right now, we don't).
  deny mount fstype=devpts,
  mount fstype=cgroup -> /sys/fs/cgroup/**,
  mount fstype=cgroup2 -> /sys/fs/cgroup/**,

# From pofile lxc-container-default-with-mounting:
  # allow standard blockdevtypes.
  # The concern here is in-kernel superblock parsers bringing down the
  # host with bad data.  However, we continue to disallow proc, sys, securityfs,
  # etc to nonstandard locations.
  mount fstype=ext*,
  mount fstype=xfs,
  mount fstype=btrfs,

# Allow SAMBA mounts:
  mount fstype=cifs,

# Allow iso9660 mounts:
  mount fstype=iso9660,
}

and have a container configuration file:

root@pve:~# cat /etc/pve/lxc/100.conf
arch: amd64
cores: 30
hostname: circle-wml-container
memory: 28610
net0: name=eth0,bridge=vmbr0,hwaddr=6E:4D:EE:3D:01:A1,ip=dhcp,type=veth
onboot: 1
ostype: debian
rootfs: zfs-containers:subvol-100-disk-1,size=4000G
swap: 4000
lxc.apparmor.profile: lxc-container-default-cgns-with-mounting
lxc.cgroup.devices.allow = b 7:* rwm
lxc.cgroup.devices.allow = c 10:237 rwm

When I attempt to mount an ISO image within the container filesystem I get this error:

[jclark@circle-wml-container 16:45:46 ~]$ sudo mount -v -o loop /isos/SL-7.3-x86_64-netinst.iso /home/jclark/misc/mountTest/
mount: /home/jclark/misc/mountTest/: mount failed: Unknown error -1

The container does not have any loop devices avaiable in /dev:

[jclark@circle-wml-container 16:55:10 ~]$ ls -l /dev/loop*
ls: cannot access '/dev/loop*': No such file or directory

I think I might need to bind mount the hypervisor /dev/loop* devices into the container, but I can't work out how to do this.

If anyone can give me some advice or point me to an online guide I would really appreciate the help. If you need more information from me please let me know.

Thanks,
Jon

 

[wbumiller]

To get the loop nodes:

lxc.mount.entry = /dev/loop0 dev/loop0 none bind,create=file 0 0
lxc.mount.entry = /dev/loop1 dev/loop1 none bind,create=file 0 0
(...)
lxc.mount.entry = /dev/loop-control dev/loop-control none bind,create=file 0 0

Please note that you should only do this in trusted containers for a whole range of security reasons.
- Loop devices aren't namespaced, and therefore the container can then influence the host and other containers. (Eg. by replcing a loop device binding while the host is loop-mounting other container images between them being setup and finally mounted.)
- A container which can mount arbitrary images can effectively work around the `mknod` restriction otherwise enforced by the `devices` cgroup.
And probably a lot more...

 

[Jon Clark]

Thank you very much for your advice. I am now able to mount a filesystem on the container.

Thank you also for highlighting the security considerations. Fortunately we are using the container and Proxmox VE for development purposes, so only trusted users have access to this container.

For anyone who is interested, my container configuration file is now:

root@pve:~# cat /etc/pve/nodes/pve/lxc/100.conf
arch: amd64
cores: 30
hostname: circle-wml-container
memory: 28610
net0: name=eth0,bridge=vmbr0,hwaddr=6E:4D:EE:3D:01:A1,ip=dhcp,type=veth
onboot: 1
ostype: debian
rootfs: zfs-containers:subvol-100-disk-1,size=4000G
swap: 4000
lxc.apparmor.profile: lxc-container-default-cgns-with-mounting
lxc.cgroup.devices.allow = b 7:* rwm
lxc.cgroup.devices.allow = c 10:237 rwm
lxc.mount.entry = /dev/loop0 dev/loop0 none bind,create=file 0 0
lxc.mount.entry = /dev/loop1 dev/loop1 none bind,create=file 0 0
lxc.mount.entry = /dev/loop2 dev/loop2 none bind,create=file 0 0
lxc.mount.entry = /dev/loop3 dev/loop3 none bind,create=file 0 0
lxc.mount.entry = /dev/loop4 dev/loop4 none bind,create=file 0 0
lxc.mount.entry = /dev/loop5 dev/loop5 none bind,create=file 0 0
lxc.mount.entry = /dev/loop6 dev/loop6 none bind,create=file 0 0
lxc.mount.entry = /dev/loop-control dev/loop-control none bind,create=file 0 0

and the mount test I performed (after restarting the contaIner) was:

[jclark@circle-wml-container 12:45:37 ~]$ sudo mount -o loop /isos/SL-7.3-x86_64-netinst.iso /home/jclark/misc/mountTest/
mount: /dev/loop0 is write-protected, mounting read-only

[jclark@circle-wml-container 12:45:46 ~]$ mount | grep mountTest
/isos/SL-7.3-x86_64-netinst.iso on /home/jclark/misc/mountTest type iso9660 (ro,relatime,nojoliet,check=s,map=n,blocksize=2048)

 

[macNCheeseB]

Hello,

I don't mean to resurrect an old thread, but as this is the top result in google, it probably make sense to ask an update here. I have Proxmox 6.2-11 and it appears that this syntax no longer works. When I added the above lines to my container to enable the loop device for some iso builds I need to do in my container. When I added those lines to the config, the container would not start. The error was not helpful, just stating that CT could not start.

Was there a change in syntax? Here is what the config was that didn't work. Note that if I just remove the lines after "unprivileged" it worked fine. I did try just removing the "unprivileged: 1" line and the container still didn't work.

arch: amd64
cores: 2
hostname: tcgbuild-vm
memory: 4096
net0: name=eth0,bridge=vmbr0,firewall=1,hwaddr=5A:62:00:2E:FF:C4,ip=dhcp,type=veth
ostype: centos
rootfs: HDD:subvol-102-disk-0,size=100G
swap: 2048
unprivileged: 1


lxc.apparmor.profile: lxc-container-default-cgns-with-mounting
lxc.cgroup.devices.allow = b 7:* rwm
lxc.cgroup.devices.allow = c 10:237 rwm
lxc.mount.entry = /dev/loop0 dev/loop0 none bind,create=file 0 0
lxc.mount.entry = /dev/loop1 dev/loop1 none bind,create=file 0 0
lxc.mount.entry = /dev/loop2 dev/loop2 none bind,create=file 0 0
lxc.mount.entry = /dev/loop3 dev/loop3 none bind,create=file 0 0
lxc.mount.entry = /dev/loop4 dev/loop4 none bind,create=file 0 0
lxc.mount.entry = /dev/loop5 dev/loop5 none bind,create=file 0 0
lxc.mount.entry = /dev/loop6 dev/loop6 none bind,create=file 0 0
lxc.mount.entry = /dev/loop-control dev/loop-control none bind,create=file 0 0

 

[albert_a]

Yes, apparently it changed ( cgroup -> cgroup2 ):

lxc.apparmor.profile: lxc-container-default-cgns-with-mounting
lxc.cgroup2.devices.allow = b 7:* rwm
lxc.cgroup2.devices.allow = c 10:237 rwm
lxc.mount.entry = /dev/loop0 dev/loop0 none bind,create=file 0 0
lxc.mount.entry = /dev/loop1 dev/loop1 none bind,create=file 0 0
lxc.mount.entry = /dev/loop2 dev/loop2 none bind,create=file 0 0
lxc.mount.entry = /dev/loop3 dev/loop3 none bind,create=file 0 0
lxc.mount.entry = /dev/loop4 dev/loop4 none bind,create=file 0 0
lxc.mount.entry = /dev/loop5 dev/loop5 none bind,create=file 0 0
lxc.mount.entry = /dev/loop6 dev/loop6 none bind,create=file 0 0
lxc.mount.entry = /dev/loop-control dev/loop-control none bind,create=file 0 0

 

[mario76]

had the same issue
with this addition getting error

sudo mount -o loop  my.img /mnt
mount: /mnt: failed to setup loop device for /home/user/my.img.

and i have nested lxc and the container won't start with lxc.apparmor.profile: lxc-container-default-cgns-with-mounting

any one have solution for this issue ?