On 06/05/2012 02:58 PM, Marc Aymerich wrote:
> Dear all,
> I'm trying to mount an image file inside a container but it complains
> about write permissions:
>
> (vct: container,
> bestia: hw node)
>
> root@vct:/dev# mount -o loop /root/server_bootable.img /mnt/
> mount: block device /root/server_bootable.img is write-protected,
> mounting read-only
> mount: cannot mount block device /dev/loop1 read-only
>
> root@vct:/# ls -al /dev/loop*
> crw------- 1 root root 10, 237 Jun 4 14:52 /dev/loop-control
> brw-rw---- 1 root disk 7, 0 Apr 26 17:10 /dev/loop0
> brw-rw---- 1 root disk 7, 1 Apr 26 17:10 /dev/loop1
> brw-rw---- 1 root disk 7, 2 Apr 26 17:10 /dev/loop2
> brw-rw---- 1 root disk 7, 3 Apr 26 17:10 /dev/loop3
> brw-rw---- 1 root disk 7, 4 Apr 26 17:10 /dev/loop4
> brw-rw---- 1 root disk 7, 5 Apr 26 17:10 /dev/loop5
> brw-rw---- 1 root disk 7, 6 Apr 26 17:10 /dev/loop6
> brw-rw---- 1 root disk 7, 7 Apr 26 17:10 /dev/loop7
>
> Write permissions to /dev/loop1 are provided through the container config file
> lxc.cgroup.devices.allow = b 7:* rwm
> lxc.cgroup.devices.allow = c 10:237 rwm
>
> but in the end, I can't write to it:
> root@vct:/dev# echo '' > /dev/loop1
> -bash: echo: write error: Operation not permitted
>
> writing to other loop devices seems possible:
> root@vct:/dev# echo '' > /dev/loop2
> -bash: echo: write error: No space left on device
>
> I'm using ubuntu 10.04 with:
>
> root@vct:/# uname -r
> 3.2.0-23-generic
>
> root@bestia:/# lxc-version
> lxc version: 0.8.0-rc1
>
>
> Any idea about what the problem could be?
>
> Thank you very much!!
Ubuntu 10.04?? based on your kernel and LXC version this sounds more like
12.04, so I'll give you the procedure for 12.04 :)

1) Copy /etc/apparmor.d/lxc/lxc-default to /etc/apparmor.d/lxc/lxc-default-with-loops
2) Edit /etc/apparmor.d/lxc/lxc-default-with-loops
   - Rename lxc-container-default to lxc-container-default-with-loops
   - Add an entry: "mount -> /mnt/," or matching the source node, fstype, ...
     depending on what exactly you want to allow
3) sudo /etc/init.d/apparmor reload
4) Edit your container's configuration and set lxc.aa_profile to
   lxc-container-default-with-loops
5) Restart your container

Alternatively, you could set "lxc.aa_profile = unconfined" which would turn
off apparmor entirely for the container.

It's to be noted that apparmor is what's currently preventing your container
from doing damage to your host, so it's best practice to have the most
restrictive profile possible, at least until we have user namespaces.

The "mount -> /mnt/" entry I proposed above isn't exactly "safe" as it'll
allow the user to mount anything under /mnt, including a proc filesystem
(which you could then use to access stuff like sysrq_trigger that are
usually blocked by apparmor).

The safest would be something like:
"mount fstype=ext3 /dev/loop0 -> /mnt/,"
Assuming you can know all of these in advance.

Hope it helps!

-- 
Stéphane Graber
Ubuntu developer
http://www.ubuntu.com
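The five-step procedure in the reply above, carried out as a script. This is an added example for this thread, not Stéphane's or the LXC project's code: it performs steps 1, 2 and 4 (copy the profile, rename it and add the mount rule, point lxc.aa_profile at the new name) against paths given as arguments, so the result can be inspected in a scratch directory before anything under /etc/apparmor.d is touched. It assumes the source profile has a single "profile NAME ... {" header with its closing "}" at column 0, as the 12.04 lxc-default does, and uses the narrow "fstype=ext3 /dev/loop0 -> /mnt/" rule rather than the open "mount -> /mnt/" one. The sample profile and container config it builds are constructed stand-ins, not copies of the real files.

```shell
#!/bin/sh
# Added example (not from the original thread or from LXC): apply steps
# 1, 2 and 4 of the reply above to arbitrary paths. Assumption: the source
# profile has one "profile NAME ... {" header and a closing "}" at column 0.
set -eu

# derive_profile SRC DEST NEWNAME RULE
# Steps 1-2: copy SRC to DEST, rename the profile to NEWNAME and add RULE
# as the last line inside the profile block (before the closing brace).
derive_profile() {
    src="$1" dest="$2" newname="$3" rule="$4"
    oldname=$(sed -n 's/^profile \([^ ]*\) .*{.*/\1/p' "$src" | head -n 1)
    [ -n "$oldname" ] || { echo "no profile header in $src" >&2; return 1; }
    sed "s/^profile $oldname /profile $newname /" "$src" |
    awk -v rule="  $rule" '
        { line[NR] = $0; if ($0 ~ /^}/) last = NR }
        END { for (i = 1; i <= NR; i++) { if (i == last) print rule; print line[i] } }
    ' > "$dest"
}

# profile_name FILE: print the name declared in FILE's profile header.
profile_name() {
    sed -n 's/^profile \([^ ]*\) .*{.*/\1/p' "$1" | head -n 1
}

# set_aa_profile CONFIG NAME
# Step 4: point the container's lxc.aa_profile at NAME, replacing an
# existing setting instead of appending a duplicate key.
set_aa_profile() {
    conf="$1" name="$2"
    if grep -q '^lxc.aa_profile' "$conf"; then
        sed "s|^lxc.aa_profile.*|lxc.aa_profile = $name|" "$conf" > "$conf.tmp"
        mv "$conf.tmp" "$conf"
    else
        printf 'lxc.aa_profile = %s\n' "$name" >> "$conf"
    fi
}

# aa_profile_of CONFIG: print the effective lxc.aa_profile value in CONFIG.
aa_profile_of() {
    sed -n 's/^lxc.aa_profile *= *//p' "$1" | tail -n 1
}

# run_demo: build constructed stand-ins for /etc/apparmor.d/lxc/lxc-default
# and a container config in a temporary directory, apply the steps, and
# print only the directory path so a caller can capture it.
run_demo() {
    work=$(mktemp -d)
    cat > "$work/lxc-default" <<'EOF'
# Constructed sample standing in for the 12.04 lxc-default profile.
profile lxc-container-default flags=(attach_disconnected,mediate_deleted) {
  #include <abstractions/lxc/container-base>
}
EOF
    printf 'lxc.utsname = vct\nlxc.aa_profile = lxc-container-default\n' > "$work/config"

    # The narrow rule from the reply: one fstype, one source node, one target.
    derive_profile "$work/lxc-default" "$work/lxc-default-with-loops" \
        lxc-container-default-with-loops \
        'mount fstype=ext3 /dev/loop0 -> /mnt/,'
    set_aa_profile "$work/config" lxc-container-default-with-loops
    echo "$work"
}

WORK=$(run_demo)
echo "--- $WORK/lxc-default-with-loops"; cat "$WORK/lxc-default-with-loops"
echo "--- $WORK/config";                 cat "$WORK/config"
echo "On a real host: copy the derived profile into /etc/apparmor.d/lxc/,"
echo "run 'sudo /etc/init.d/apparmor reload' (step 3), then restart the container (step 5)."
```

Steps 3 and 5 are deliberately left to the operator, since reloading AppArmor and restarting a container are not things a dry run should do. If the mount still fails after the restart, the host's kernel log (dmesg) shows the denied operation with the profile name, which tells you whether the new profile is actually applied or whether the rule's fstype or source path does not match what mount is doing.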
_______________________________________________
Lxc-users mailing list
Lxc-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/lxc-users