Mounting block devices inside of a container is a very very unsafe operation and is therefore blocked by the kernel for all unprivileged containers and usually blocked by AppArmor or similar in privileged containers.
Incus has some ways around that, in order of preference:
1. security.syscalls.intercept.mount=true and security.syscalls.intercept.mount.fuse=ext4=fuse2fs. This option is safe and relies on fuse2fs being present in the container, effectively redirecting unsafe mount calls to the userspace FUSE implementation.
2. security.syscalls.intercept.mount=true and security.syscalls.intercept.mount.allowed=ext4. This is unsafe but allows an unprivileged container to mount any ext4 filesystem with full root privileges without having to resort to a privileged container.
3. security.privileged=true. This is the least safe option as now the entire container is running with full root privileges.
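As an added example (not part of the reply above and not Incus project code), the following POSIX shell script reads the key/value lines that "incus config show" prints for an instance and reports which of the three tiers the instance's mount posture falls into, with the weakest tier present winning. The instance name "c1" and the embedded sample configuration are constructed for illustration; the tier names and the helper that prints the safe-tier "incus config set" command are my own.

```shell
#!/bin/sh
# Added example: classify an Incus instance's block-device mount posture
# from "key: value" lines (the format of "incus config show").
# Tiers mirror the three options listed in the reply above.

# classify_mount_posture reads config lines on stdin and prints one word:
#   privileged - security.privileged=true (least safe: whole container is root)
#   allowed    - mount interception with a kernel allow-list (unsafe)
#   fuse       - mount interception redirected to a FUSE handler (safe)
#   none       - no block-device mount capability configured at all
# When several apply, the weakest posture present is reported.
classify_mount_posture() {
    privileged=false; intercept=false; fuse=""; allowed=""
    # Default IFS splitting trims the YAML indentation for us.
    while read -r key val; do
        key=${key%:}                 # "security.privileged:" -> "security.privileged"
        val=${val#\"}; val=${val%\"} # strip the quotes YAML output puts around values
        case "$key" in
            security.privileged)
                if [ "$val" = "true" ]; then privileged=true; fi ;;
            security.syscalls.intercept.mount)
                if [ "$val" = "true" ]; then intercept=true; fi ;;
            security.syscalls.intercept.mount.fuse)
                fuse=$val ;;
            security.syscalls.intercept.mount.allowed)
                allowed=$val ;;
        esac
    done
    if $privileged; then
        echo privileged
    elif $intercept && [ -n "$allowed" ]; then
        echo allowed
    elif $intercept && [ -n "$fuse" ]; then
        echo fuse
    else
        echo none
    fi
}

# safe_mount_command prints the "incus config set" invocation for the
# safest tier (FUSE redirection of ext4 mounts) for the given instance name.
# Assumes fuse2fs is installed inside the instance, as the reply notes.
safe_mount_command() {
    echo "incus config set $1 security.syscalls.intercept.mount=true security.syscalls.intercept.mount.fuse=ext4=fuse2fs"
}

# Constructed sample resembling the "config:" section of "incus config show c1".
sample_config='config:
  security.syscalls.intercept.mount: "true"
  security.syscalls.intercept.mount.fuse: "ext4=fuse2fs"
'

printf '%s' "$sample_config" | classify_mount_posture   # fuse
safe_mount_command c1
```

In practice the first function is fed directly, e.g. `incus config show c1 | classify_mount_posture`; extra lines from the devices or profile sections are ignored because only the four security keys are matched. Treating an allow-list as outranking a FUSE entry is a deliberate conservative choice for an audit script, not a statement of how Incus resolves the two keys for the same filesystem.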
What filesystems can participate in the CSV to this option (security.syscalls.intercept.mount.allowed)? The reference does not mention it.
And could you please tell if it’s possible to forward raw block devices (no filesystem and maybe not even partitions)? Only with privileged containers I imagine, but my use case would allow that.
Can I mount one device (an ext4 partition) RW on a container and expect RO mounts in other containers to work as well in conjunction?
1.1. What changes if I used fuse2fs?
1.2. Multiple RW mounts?