Hi all, I’m struggling to mount a loop device into a privileged container running on aufs. The steps to reproduce are the following:
1. Build the Dockerfile (docker build -t write-protected .):

    FROM ubuntu:14.04
    RUN fallocate -l 256M /image
    RUN mkfs.ext4 -F /image
    RUN /bin/bash

2. Start the container, and attempt to mount the /image loop device:

    root@39d1cc6bc2d0:/# mkdir /data
    root@39d1cc6bc2d0:/# mount /image /data
    mount: block device /image is write-protected, mounting read-only

What I suspect is happening here (though I have no idea if this is correct) is that the /image file has been created as part of the aufs filesystem, with a file that represents it located in the host's /var/lib/docker/aufs/diff/<diff>/image. When mount attempts to create a loop device for the /image file, I _think_ it must be creating a device that maps onto the file inside of /var/lib/docker/aufs/diff. When it questions whether the file is readable, the aufs layer responds "no, this is not readable", as it has not yet been copy_up'd into a layer that this container is allowed to write to.

If this is the case, then simply touching the /image file should perform the copy_up and allow mount to work. Indeed, this is the case:

    root@39d1cc6bc2d0:/# touch /image
    root@39d1cc6bc2d0:/# mount /image /data
    root@39d1cc6bc2d0:/# touch /data/hello && echo success
    success

I've got two questions that I think this mailing list is probably able to answer:

- Is this interpretation of the situation correct?
- Can you point me to code that is relevant to understanding why the kernel is told the image is read-only when attempting to mount it?

Thanks in advance!

Lawrence
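The following C program is an added illustration for the second question above; it is not part of Lawrence's post and not code from util-linux, aufs or the kernel. It reproduces the two decisions that produce the "write-protected" message: util-linux's libmount opens the backing file O_RDWR and, on EACCES or EROFS, falls back to O_RDONLY; the kernel's loop driver then sets LO_FLAGS_READ_ONLY on the loop device whenever the file descriptor handed to LOOP_SET_FD was not opened for writing, and mount of a read-only block device without "ro" fails and is retried read-only. Function names are mine; the attach step assumes a Linux host with /dev/loop-control and root (or CAP_SYS_ADMIN), and the helper only reports which open succeeded, so running it against /image inside the container before and after `touch /image` shows whether the O_RDWR open is what aufs refuses.

```c
/* Added example, not from the original post.  Mirrors libmount's open
 * fallback and the loop driver's read-only flag so the origin of
 * "mount: block device ... is write-protected" can be observed directly. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/ioctl.h>
#include <sys/stat.h>
#include <unistd.h>
#include <linux/loop.h>

/* Open the backing file the way libmount does: try read-write first; if the
 * kernel answers EACCES or EROFS (file not writable, or it lives on a
 * read-only branch), fall back to read-only.  Returns the fd or -1;
 * *writable is set to 1 when the O_RDWR open succeeded, 0 on fallback. */
int open_backing_file(const char *path, int *writable)
{
    int fd = open(path, O_RDWR | O_CLOEXEC);
    if (fd >= 0) {
        *writable = 1;
        return fd;
    }
    if (errno != EACCES && errno != EROFS)
        return -1;                      /* some other failure: give up */
    fd = open(path, O_RDONLY | O_CLOEXEC);
    if (fd < 0)
        return -1;
    *writable = 0;                      /* this is the "write-protected" path */
    return fd;
}

/* Attach backing_fd to a free loop device, read back LOOP_GET_STATUS64 and
 * report whether the kernel flagged the device read-only, then detach.
 * The driver sets LO_FLAGS_READ_ONLY when the fd lacks FMODE_WRITE, i.e.
 * when the backing file was opened O_RDONLY.  Needs root/CAP_SYS_ADMIN.
 * Returns the loop number or -1 on error; *ro receives the flag (1/0). */
int attach_loop(int backing_fd, int *ro)
{
    int ctl = open("/dev/loop-control", O_RDWR | O_CLOEXEC);
    if (ctl < 0)
        return -1;
    int num = ioctl(ctl, LOOP_CTL_GET_FREE);
    close(ctl);
    if (num < 0)
        return -1;

    char dev[32];
    snprintf(dev, sizeof dev, "/dev/loop%d", num);
    int lfd = open(dev, O_RDWR | O_CLOEXEC);
    if (lfd < 0)
        return -1;
    if (ioctl(lfd, LOOP_SET_FD, backing_fd) < 0) {
        close(lfd);
        return -1;
    }

    struct loop_info64 info;
    memset(&info, 0, sizeof info);
    int rc = ioctl(lfd, LOOP_GET_STATUS64, &info);
    if (rc == 0)
        *ro = (info.lo_flags & LO_FLAGS_READ_ONLY) ? 1 : 0;
    ioctl(lfd, LOOP_CLR_FD, 0);         /* detach again; this is a probe */
    close(lfd);
    return rc == 0 ? num : -1;
}

int main(int argc, char **argv)
{
    if (argc != 2) {
        fprintf(stderr, "usage: %s <image-file>\n", argv[0]);
        return 2;
    }
    int writable = -1, ro = -1;
    int fd = open_backing_file(argv[1], &writable);
    if (fd < 0) {
        perror("open");
        return 1;
    }
    printf("backing file opened %s\n",
           writable ? "read-write" : "read-only (O_RDWR failed: fallback)");
    int num = attach_loop(fd, &ro);
    if (num < 0) {
        perror("loop setup");
        close(fd);
        return 1;
    }
    printf("/dev/loop%d attached, LO_FLAGS_READ_ONLY=%d\n", num, ro);
    close(fd);
    return 0;
}
```

Usage: compile with `cc -o loopprobe loopprobe.c` and run `./loopprobe /image` as root inside the container; "read-only (O_RDWR failed: fallback)" together with LO_FLAGS_READ_ONLY=1 is the same state mount(8) reports as write-protected. The O_RDWR attempt is what would normally trigger an aufs copy-up, so comparing the output before and after `touch /image` pins down whether that open is the step being refused.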