On Di, 22.08.17 10:54, Miroslav Suchý ([email protected]) wrote:

> Hi,
> is there a reason why systemd-nspawn does not create /dev/loop* files in
> container?
> I am asking because of:
> https://github.com/rpm-software-management/mock/pull/107
Well, block devices (and specifically loopback devices) aren't properly virtualized for containers on Linux. Loopback devices live in a single logical namespace, and are somewhat dynamic in character (due to /dev/loop-control), which doesn't fit the namespaced container concept well. Moreover, block devices are not virtualized in /sys, hence discovery for them falls completely flat in containers. We'd be happy to support them if the kernel would virtualize them properly, but until then doing loopback devices in containers is both a security hole and a messy API borkage, I fear...

There were patches to permit multiple instances of /dev/loop-control and friends in the kernel, but to my knowledge that never went anywhere...

A hackish way out is to bind a specific device into the container via --bind=/dev/loop7, but that's not more than a hack, since that means the loopback device API is supported only partially, as the container couldn't allocate new block devices and the device is never properly "owned" by the container, as there simply is no container concept. Moreover, code in the container can't really discover this device automatically, since as mentioned /sys isn't virtualized.

Lennart

--
Lennart Poettering, Red Hat
_______________________________________________
systemd-devel mailing list
[email protected]
https://lists.freedesktop.org/mailman/listinfo/systemd-devel
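A check that follows from the points above, added here as an example and not part of the thread or of systemd: a POSIX sh function that reports whether a container's root tree exposes the host-global loopback API (the /dev/loop-control allocation node, any /dev/loopN node such as one bound in with --bind=/dev/loop7, and the loop entries visible through the non-virtualized /sys). The function name and the ROOT argument are assumptions for this illustration; pass "/" when running it inside the container, or a mounted container root when auditing from the host.

```shell
#!/bin/sh
# Report loopback block device exposure for the tree rooted at ROOT
# (default "/"). Returns 0 when no loopback API is reachable, 1 otherwise.
# Added example; function name and argument convention are assumptions.
loop_exposure_report() {
    root="${1:-/}"
    exposed=0
    # /dev/loop-control is the dynamic allocation API mentioned in the mail;
    # a container that can open it allocates devices in the host's namespace.
    if [ -e "$root/dev/loop-control" ]; then
        echo "loop-control: present ($root/dev/loop-control)"
        exposed=1
    else
        echo "loop-control: absent"
    fi
    # Individual device nodes, e.g. the result of --bind=/dev/loop7.
    n=0
    for node in "$root"/dev/loop[0-9]*; do
        [ -e "$node" ] || continue
        echo "device node:  $node"
        n=$((n + 1))
    done
    [ "$n" -gt 0 ] && exposed=1
    echo "loop nodes:   $n"
    # /sys is not virtualized, so the host's loop devices show up here
    # whether or not the container has matching /dev nodes.
    s=0
    for entry in "$root"/sys/class/block/loop[0-9]*; do
        [ -e "$entry" ] || continue
        s=$((s + 1))
    done
    echo "sysfs loop entries (host view leaks through): $s"
    if [ "$exposed" -eq 1 ]; then
        echo "RESULT: loopback API exposed"
        return 1
    fi
    echo "RESULT: no loopback API exposed"
    return 0
}
```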
