[SOLVED] Mount via loop device in container

Jon Clark · Sep 24, 2018

Hi,

I am trying to mount using "mount -o loop" on a container and I am not able to do it.

The container is running Debian 9. My Proxmox version is 5.2-8.

I have done lots of web searching and read many posts about similar attempts (but nothing identical). As a result of have this set up.

I have created an apparmor profile:

Code:

root@pve:~# cat /etc/apparmor.d/lxc/lxc-container-default-cgns-with-mounting
# Do not load this file.  Rather, load /etc/apparmor.d/lxc-containers, which
# will source all profiles under /etc/apparmor.d/lxc
#
# This profile is a combination of lxc-container-default-cgns and
# lxc-container-default-with-mounting and other options to allow SAMBA and
# iso9660 mounts.

profile lxc-container-default-cgns-with-mounting flags=(attach_disconnected,mediate_deleted) {
  #include <abstractions/lxc/container-base>

# From pofile lxc-container-default-cgns:
  # the container may never be allowed to mount devpts.  If it does, it
  # will remount the host's devpts.  We could allow it to do it with
  # the newinstance option (but, right now, we don't).
  deny mount fstype=devpts,
  mount fstype=cgroup -> /sys/fs/cgroup/**,
  mount fstype=cgroup2 -> /sys/fs/cgroup/**,

# From pofile lxc-container-default-with-mounting:
  # allow standard blockdevtypes.
  # The concern here is in-kernel superblock parsers bringing down the
  # host with bad data.  However, we continue to disallow proc, sys, securityfs,
  # etc to nonstandard locations.
  mount fstype=ext*,
  mount fstype=xfs,
  mount fstype=btrfs,

# Allow SAMBA mounts:
  mount fstype=cifs,

# Allow iso9660 mounts:
  mount fstype=iso9660,
}

and have a container configuration file:

Code:

root@pve:~# cat /etc/pve/lxc/100.conf
arch: amd64
cores: 30
hostname: circle-wml-container
memory: 28610
net0: name=eth0,bridge=vmbr0,hwaddr=6E:4D:EE:3D:01:A1,ip=dhcp,type=veth
onboot: 1
ostype: debian
rootfs: zfs-containers:subvol-100-disk-1,size=4000G
swap: 4000
lxc.apparmor.profile: lxc-container-default-cgns-with-mounting
lxc.cgroup.devices.allow = b 7:* rwm
lxc.cgroup.devices.allow = c 10:237 rwm

When I attempt to mount an ISO image within the container filesystem I get this error:

Code:

[jclark@circle-wml-container 16:45:46 ~]$ sudo mount -v -o loop /isos/SL-7.3-x86_64-netinst.iso /home/jclark/misc/mountTest/
mount: /home/jclark/misc/mountTest/: mount failed: Unknown error -1

The container does not have any loop devices avaiable in /dev:

Code:

[jclark@circle-wml-container 16:55:10 ~]$ ls -l /dev/loop*
ls: cannot access '/dev/loop*': No such file or directory

I think I might need to bind mount the hypervisor /dev/loop* devices into the container, but I can't work out how to do this.

If anyone can give me some advice or point me to an online guide I would really appreciate the help. If you need more information from me please let me know.

Thanks,
Jon

wbumiller · Sep 25, 2018

To get the loop nodes:

Code:

lxc.mount.entry = /dev/loop0 dev/loop0 none bind,create=file 0 0
lxc.mount.entry = /dev/loop1 dev/loop1 none bind,create=file 0 0
(...)
lxc.mount.entry = /dev/loop-control dev/loop-control none bind,create=file 0 0

Please note that you should only do this in trusted containers for a whole range of security reasons.
- Loop devices aren't namespaced, and therefore the container can then influence the host and other containers. (Eg. by replcing a loop device binding while the host is loop-mounting other container images between them being setup and finally mounted.)
- A container which can mount arbitrary images can effectively work around the `mknod` restriction otherwise enforced by the `devices` cgroup.
And probably a lot more...

Jon Clark · Sep 25, 2018

Thank you very much for your advice. I am now able to mount a filesystem on the container.

Thank you also for highlighting the security considerations. Fortunately we are using the container and Proxmox VE for development purposes, so only trusted users have access to this container.

For anyone who is interested, my container configuration file is now:

Code:

root@pve:~# cat /etc/pve/nodes/pve/lxc/100.conf
arch: amd64
cores: 30
hostname: circle-wml-container
memory: 28610
net0: name=eth0,bridge=vmbr0,hwaddr=6E:4D:EE:3D:01:A1,ip=dhcp,type=veth
onboot: 1
ostype: debian
rootfs: zfs-containers:subvol-100-disk-1,size=4000G
swap: 4000
lxc.apparmor.profile: lxc-container-default-cgns-with-mounting
lxc.cgroup.devices.allow = b 7:* rwm
lxc.cgroup.devices.allow = c 10:237 rwm
lxc.mount.entry = /dev/loop0 dev/loop0 none bind,create=file 0 0
lxc.mount.entry = /dev/loop1 dev/loop1 none bind,create=file 0 0
lxc.mount.entry = /dev/loop2 dev/loop2 none bind,create=file 0 0
lxc.mount.entry = /dev/loop3 dev/loop3 none bind,create=file 0 0
lxc.mount.entry = /dev/loop4 dev/loop4 none bind,create=file 0 0
lxc.mount.entry = /dev/loop5 dev/loop5 none bind,create=file 0 0
lxc.mount.entry = /dev/loop6 dev/loop6 none bind,create=file 0 0
lxc.mount.entry = /dev/loop-control dev/loop-control none bind,create=file 0 0

and the mount test I performed (after restarting the contaIner) was:

Code:

[jclark@circle-wml-container 12:45:37 ~]$ sudo mount -o loop /isos/SL-7.3-x86_64-netinst.iso /home/jclark/misc/mountTest/
mount: /dev/loop0 is write-protected, mounting read-only

[jclark@circle-wml-container 12:45:46 ~]$ mount | grep mountTest
/isos/SL-7.3-x86_64-netinst.iso on /home/jclark/misc/mountTest type iso9660 (ro,relatime,nojoliet,check=s,map=n,blocksize=2048)

macNCheeseB · Oct 21, 2020

Hello,

I don't mean to resurrect an old thread, but as this is the top result in google, it probably make sense to ask an update here. I have Proxmox 6.2-11 and it appears that this syntax no longer works. When I added the above lines to my container to enable the loop device for some iso builds I need to do in my container. When I added those lines to the config, the container would not start. The error was not helpful, just stating that CT could not start.

Was there a change in syntax? Here is what the config was that didn't work. Note that if I just remove the lines after "unprivileged" it worked fine. I did try just removing the "unprivileged: 1" line and the container still didn't work.

Code:

arch: amd64
cores: 2
hostname: tcgbuild-vm
memory: 4096
net0: name=eth0,bridge=vmbr0,firewall=1,hwaddr=5A:62:00:2E:FF:C4,ip=dhcp,type=veth
ostype: centos
rootfs: HDD:subvol-102-disk-0,size=100G
swap: 2048
unprivileged: 1


lxc.apparmor.profile: lxc-container-default-cgns-with-mounting
lxc.cgroup.devices.allow = b 7:* rwm
lxc.cgroup.devices.allow = c 10:237 rwm
lxc.mount.entry = /dev/loop0 dev/loop0 none bind,create=file 0 0
lxc.mount.entry = /dev/loop1 dev/loop1 none bind,create=file 0 0
lxc.mount.entry = /dev/loop2 dev/loop2 none bind,create=file 0 0
lxc.mount.entry = /dev/loop3 dev/loop3 none bind,create=file 0 0
lxc.mount.entry = /dev/loop4 dev/loop4 none bind,create=file 0 0
lxc.mount.entry = /dev/loop5 dev/loop5 none bind,create=file 0 0
lxc.mount.entry = /dev/loop6 dev/loop6 none bind,create=file 0 0
lxc.mount.entry = /dev/loop-control dev/loop-control none bind,create=file 0 0

albert_a · Mar 19, 2023

Yes, apparently it changed ( cgroup -> cgroup2 ):

Code:

lxc.apparmor.profile: lxc-container-default-cgns-with-mounting
lxc.cgroup2.devices.allow = b 7:* rwm
lxc.cgroup2.devices.allow = c 10:237 rwm
lxc.mount.entry = /dev/loop0 dev/loop0 none bind,create=file 0 0
lxc.mount.entry = /dev/loop1 dev/loop1 none bind,create=file 0 0
lxc.mount.entry = /dev/loop2 dev/loop2 none bind,create=file 0 0
lxc.mount.entry = /dev/loop3 dev/loop3 none bind,create=file 0 0
lxc.mount.entry = /dev/loop4 dev/loop4 none bind,create=file 0 0
lxc.mount.entry = /dev/loop5 dev/loop5 none bind,create=file 0 0
lxc.mount.entry = /dev/loop6 dev/loop6 none bind,create=file 0 0
lxc.mount.entry = /dev/loop-control dev/loop-control none bind,create=file 0 0

mario76 · Apr 26, 2023

had the same issue
with this addition getting error

Code:

sudo mount -o loop  my.img /mnt
mount: /mnt: failed to setup loop device for /home/user/my.img.

and i have nested lxc and the container won't start with lxc.apparmor.profile: lxc-container-default-cgns-with-mounting

any one have solution for this issue ?

Xandersoft · Sep 19, 2024

Hello,

mario76 said:
had the same issue
with this addition getting error

Code:

sudo mount -o loop my.img /mnt mount: /mnt: failed to setup loop device for /home/user/my.img.

and i have nested lxc and the container won't start with lxc.apparmor.profile: lxc-container-default-cgns-with-mounting

any one have solution for this issue ?

Hello, i've to enabled in /etc/pve/nodes/<PROXMOX-HOST>/lxc/<lxc-ID>.conf additional to option "fuse=1,mount=nfs,nesting=1" from gui

- first cgroup is an "angst iron", but should not needed because of using cgroup2 on proxmox per default, i think.
- no appamor.profile an no pre mount settings with `lxc.mount.entry = /dev/loop4 dev/loop4` or so, but if you need it from host (must be there avaiable, I guess) you should add it.
- nfs mount (mentioned for the sake of completeness)

Code:

lxc.cgroup.devices.allow: b 7:* rwm
lxc.cgroup2.devices.allow: b 7:* rwm

and in container run:

mknod -m 0660 /dev/loop0 b 7 8

so i can mount for example the mount a linux-image to build

Code:

TMPIMG=$(mktemp --tmpdir=/var/tmp live-image.XXXXXXXXXX);
TMPMNT=$(mktemp -d --tmpdir=/var/tmp live-root.XXXXXXXXXX);

fallocate -v -l 4GiB "${TMPIMG}";
mke2fs -t ext4 -E lazy_itable_init=0 -O ^has_journal -i 16384 -L live-build -F "${TMPIMG}";
tune2fs -r0 -c0 -i12m -o '^acl,nobarrier' -e remount-ro -f "${TMPIMG}";
mount -o loop "${TMPIMG}" "${TMPMNT}";

Search

Search

[SOLVED] Mount via loop device in container

Jon Clark

New Member

wbumiller

Proxmox Staff Member

Jon Clark

New Member

macNCheeseB

New Member

albert_a

Well-Known Member

mario76

New Member

Xandersoft

New Member