On Tue, Jun 5, 2012 at 9:20 PM, Stéphane Graber <stgra...@ubuntu.com> wrote:
> On 06/05/2012 02:58 PM, Marc Aymerich wrote:
>> Dear all,
>> I'm trying to mount an image file inside a container but it complains
>> about write permissions:
>>
>> (vct: container, bestia: hw node)
>>
>> root@vct:/dev# mount -o loop /root/server_bootable.img /mnt/
>> mount: block device /root/server_bootable.img is write-protected, mounting read-only
>> mount: cannot mount block device /dev/loop1 read-only
>>
>> root@vct:/# ls -al /dev/loop*
>> crw------- 1 root root 10, 237 Jun 4 14:52 /dev/loop-control
>> brw-rw---- 1 root disk 7, 0 Apr 26 17:10 /dev/loop0
>> brw-rw---- 1 root disk 7, 1 Apr 26 17:10 /dev/loop1
>> brw-rw---- 1 root disk 7, 2 Apr 26 17:10 /dev/loop2
>> brw-rw---- 1 root disk 7, 3 Apr 26 17:10 /dev/loop3
>> brw-rw---- 1 root disk 7, 4 Apr 26 17:10 /dev/loop4
>> brw-rw---- 1 root disk 7, 5 Apr 26 17:10 /dev/loop5
>> brw-rw---- 1 root disk 7, 6 Apr 26 17:10 /dev/loop6
>> brw-rw---- 1 root disk 7, 7 Apr 26 17:10 /dev/loop7
>>
>> Write permissions to /dev/loop1 are provided through the container config file:
>> lxc.cgroup.devices.allow = b 7:* rwm
>> lxc.cgroup.devices.allow = c 10:237 rwm
>>
>> but in the end, I can't write to it:
>> root@vct:/dev# echo '' > /dev/loop1
>> -bash: echo: write error: Operation not permitted
>>
>> Writing to other loop devices seems possible:
>> root@vct:/dev# echo '' > /dev/loop2
>> -bash: echo: write error: No space left on device
>>
>> I'm using Ubuntu 10.04 with:
>>
>> root@vct:/# uname -r
>> 3.2.0-23-generic
>>
>> root@bestia:/# lxc-version
>> lxc version: 0.8.0-rc1
>>
>> Any idea about what the problem could be?
>>
>> Thank you very much!!
>
> Ubuntu 10.04?? Based on your kernel and LXC version this sounds more
> like 12.04, so I'll give you the procedure for 12.04 :)
Yeah, it's 12.04 :)

> 1) Copy /etc/apparmor.d/lxc/lxc-default to
>    /etc/apparmor.d/lxc/lxc-default-with-loops
> 2) Edit /etc/apparmor.d/lxc/lxc-default-with-loops
>    - Rename lxc-container-default to lxc-container-default-with-loops
>    - Add an entry: "mount -> /mnt/," or one matching the source node, fstype,
>      ... depending on what exactly you want to allow
> 3) sudo /etc/init.d/apparmor reload
> 4) Edit your container's configuration and set lxc.aa_profile to
>    lxc-container-default-with-loops
> 5) Restart your container

Wow, amazing, Stéphane, it worked just like that; your help is top quality! :)

> Alternatively, you could set "lxc.aa_profile = unconfined" which would
> turn off apparmor entirely for the container.
>
> It's to be noted that apparmor is what's currently preventing your
> container from doing damage to your host, so it's best practice to have
> the most restrictive profile possible, at least until we have user
> namespaces.
>
> The "mount -> /mnt/" entry I proposed above isn't exactly "safe" as
> it'll allow the user to mount anything under /mnt, including a proc
> filesystem (which you could then use to access stuff like sysrq_trigger
> that are usually blocked by apparmor).
>
> The safest would be something like:
> "mount fstype=ext3 /dev/loop0 -> /mnt/,"
>
> Assuming you can know all of these in advance.
>
> Hope it helps!

Indeed it helped me :), thanks for solving the problem and for providing me with additional knowledge, which is very handy since I'm just starting with LXC :)

--
Marc
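Steps 1 and 2 of Stéphane's procedure carried out as a script that emits the narrow `mount fstype=... <device> -> /mnt/,` rule instead of the broad `mount -> /mnt/,` one, as an added example that is not code from the thread or from the LXC project. It assumes the base profile has a single line starting with `profile lxc-container-default ` and ends with a closing `}` on its last line; the short base profile it writes is a constructed stand-in for the real `/etc/apparmor.d/lxc/lxc-default`.

```shell
#!/bin/sh
# Added example, not code from the thread: generate the "with-loops" AppArmor
# profile from steps 1 and 2 above, using the narrow mount rule recommended.
# Assumptions: the base profile has one line starting with
# "profile lxc-container-default " and its last line is the closing "}".
set -eu

# make_loop_profile BASE OUT DEVICE FSTYPE MOUNTPOINT
make_loop_profile() {
    base="$1"; out="$2"; dev="$3"; fstype="$4"; mnt="$5"
    # Copy everything but the final "}", renaming the profile so both can load.
    sed -e 's/^profile lxc-container-default /profile lxc-container-default-with-loops /' \
        -e '$d' "$base" > "$out"
    cat >> "$out" <<EOF

  # Only this loop device, only this filesystem type, only this mountpoint.
  # The broad "mount -> ${mnt}," form would also let the container mount
  # proc under ${mnt} and reach things like sysrq_trigger, so avoid it.
  mount fstype=${fstype} ${dev} -> ${mnt},
}
EOF
}

# Succeeds only if OUT was renamed, has exactly one mount rule for DEVICE,
# and carries no unrestricted "mount -> ..." rule.
check_loop_profile() {
    out="$1"; dev="$2"
    grep -q '^profile lxc-container-default-with-loops ' "$out" || return 1
    ! grep -q '^profile lxc-container-default ' "$out" || return 1
    [ "$(grep -c "^  mount fstype=[a-z0-9]* ${dev} -> " "$out")" -eq 1 ] || return 1
    ! grep -q '^  mount -> ' "$out" || return 1
}

# Constructed stand-in for /etc/apparmor.d/lxc/lxc-default; the real file is longer.
WORK=$(mktemp -d)
BASE="$WORK/lxc-default"
OUT="$WORK/lxc-default-with-loops"
cat > "$BASE" <<'EOF'
profile lxc-container-default flags=(attach_disconnected,mediate_deleted) {
  #include <abstractions/base>
  deny mount fstype=devpts,
}
EOF

make_loop_profile "$BASE" "$OUT" /dev/loop1 ext3 /mnt/
check_loop_profile "$OUT" /dev/loop1 && cat "$OUT"
```

Steps 3 to 5 (reloading apparmor, pointing `lxc.aa_profile` at `lxc-container-default-with-loops`, restarting the container) are left to run by hand on the host, as in the thread.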
_______________________________________________
Lxc-users mailing list
Lxc-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/lxc-users