Mount failed: Operation not permitted

Hi,

I am trying to mount an image inside a container, but can’t because I get an “Operation not permitted.” error.
I already found some topics with similar issues but they always involved loop devices, which I am not sure if I need them.

For example, I followed this post but still get the error.

As far as I understand it, the container needs to be privileged and I need to allow mount in AppArmor. I did both but I still can’t mount the images inside a container.

My guess is that I miss/don’t know some basics but I can’t figure it out.

Thank you for your help.

lxc config show

   architecture: x86_64
    config:
      image.architecture: amd64
      image.description: ubuntu 20.04 LTS amd64 (release) (20210223)
      image.label: release
      image.os: ubuntu
      image.release: focal
      image.serial: "20210223"
      image.type: squashfs
      image.version: "20.04"
      raw.apparmor: mount,
      security.privileged: "true"
      volatile.base_image: b9e93652ee67612114951d910acc4fd6fce0473f8dc0bf562c602e997fcb4857
      volatile.eth0.host_name: veth09f823e3
      volatile.eth0.hwaddr: 00:16:3e:c1:94:dc
      volatile.idmap.base: "0"
      volatile.idmap.current: '[]'
      volatile.idmap.next: '[]'
      volatile.last_state.idmap: '[]'
      volatile.last_state.power: RUNNING
      volatile.uuid: 4f29e250-8b82-4b30-bda8-2ad61b2f1c55
    devices:
      loop0:
        path: /dev/loop0
        type: unix-block
      loop1:
        path: /dev/loop1
        type: unix-block
      loop2:
        path: /dev/loop2
        type: unix-block
      loop3:
        path: /dev/loop3
        type: unix-block
      loop4:
        path: /dev/loop4
        type: unix-block
      loop5:
        path: /dev/loop5
        type: unix-block
      loop6:
        path: /dev/loop6
        type: unix-block
      loop7:
        path: /dev/loop7
        type: unix-block
    ephemeral: false
    profiles:
    - default
    stateful: false
    description: ""

lxc info

config:
  core.https_address: '[::]'
  core.trust_password: true
api_extensions:
- storage_zfs_remove_snapshots
- container_host_shutdown_timeout
- container_stop_priority
- container_syscall_filtering
- auth_pki
- container_last_used_at
- etag
- patch
- usb_devices
- https_allowed_credentials
- image_compression_algorithm
- directory_manipulation
- container_cpu_time
- storage_zfs_use_refquota
- storage_lvm_mount_options
- network
- profile_usedby
- container_push
- container_exec_recording
- certificate_update
- container_exec_signal_handling
- gpu_devices
- container_image_properties
- migration_progress
- id_map
- network_firewall_filtering
- network_routes
- storage
- file_delete
- file_append
- network_dhcp_expiry
- storage_lvm_vg_rename
- storage_lvm_thinpool_rename
- network_vlan
- image_create_aliases
- container_stateless_copy
- container_only_migration
- storage_zfs_clone_copy
- unix_device_rename
- storage_lvm_use_thinpool
- storage_rsync_bwlimit
- network_vxlan_interface
- storage_btrfs_mount_options
- entity_description
- image_force_refresh
- storage_lvm_lv_resizing
- id_map_base
- file_symlinks
- container_push_target
- network_vlan_physical
- storage_images_delete
- container_edit_metadata
- container_snapshot_stateful_migration
- storage_driver_ceph
- storage_ceph_user_name
- resource_limits
- storage_volatile_initial_source
- storage_ceph_force_osd_reuse
- storage_block_filesystem_btrfs
- resources
- kernel_limits
- storage_api_volume_rename
- macaroon_authentication
- network_sriov
- console
- restrict_devlxd
- migration_pre_copy
- infiniband
- maas_network
- devlxd_events
- proxy
- network_dhcp_gateway
- file_get_symlink
- network_leases
- unix_device_hotplug
- storage_api_local_volume_handling
- operation_description
- clustering
- event_lifecycle
- storage_api_remote_volume_handling
- nvidia_runtime
- container_mount_propagation
- container_backup
- devlxd_images
- container_local_cross_pool_handling
- proxy_unix
- proxy_udp
- clustering_join
- proxy_tcp_udp_multi_port_handling
- network_state
- proxy_unix_dac_properties
- container_protection_delete
- unix_priv_drop
- pprof_http
- proxy_haproxy_protocol
- network_hwaddr
- proxy_nat
- network_nat_order
- container_full
- candid_authentication
- backup_compression
- candid_config
- nvidia_runtime_config
- storage_api_volume_snapshots
- storage_unmapped
- projects
- candid_config_key
- network_vxlan_ttl
- container_incremental_copy
- usb_optional_vendorid
- snapshot_scheduling
- container_copy_project
- clustering_server_address
- clustering_image_replication
- container_protection_shift
- snapshot_expiry
- container_backup_override_pool
- snapshot_expiry_creation
- network_leases_location
- resources_cpu_socket
- resources_gpu
- resources_numa
- kernel_features
- id_map_current
- event_location
- storage_api_remote_volume_snapshots
- network_nat_address
- container_nic_routes
- rbac
- cluster_internal_copy
- seccomp_notify
- lxc_features
- container_nic_ipvlan
- network_vlan_sriov
- storage_cephfs
- container_nic_ipfilter
- resources_v2
- container_exec_user_group_cwd
- container_syscall_intercept
- container_disk_shift
- storage_shifted
- resources_infiniband
- daemon_storage
- instances
- image_types
- resources_disk_sata
- clustering_roles
- images_expiry
- resources_network_firmware
- backup_compression_algorithm
- ceph_data_pool_name
- container_syscall_intercept_mount
- compression_squashfs
- container_raw_mount
- container_nic_routed
- container_syscall_intercept_mount_fuse
- container_disk_ceph
- virtual-machines
- image_profiles
- clustering_architecture
- resources_disk_id
- storage_lvm_stripes
- vm_boot_priority
- unix_hotplug_devices
- api_filtering
- instance_nic_network
- clustering_sizing
- firewall_driver
- projects_limits
- container_syscall_intercept_hugetlbfs
- limits_hugepages
- container_nic_routed_gateway
- projects_restrictions
- custom_volume_snapshot_expiry
- volume_snapshot_scheduling
- trust_ca_certificates
- snapshot_disk_usage
- clustering_edit_roles
- container_nic_routed_host_address
- container_nic_ipvlan_gateway
- resources_usb_pci
- resources_cpu_threads_numa
- resources_cpu_core_die
- api_os
- container_nic_routed_host_table
- container_nic_ipvlan_host_table
- container_nic_ipvlan_mode
- resources_system
- images_push_relay
- network_dns_search
- container_nic_routed_limits
- instance_nic_bridged_vlan
- network_state_bond_bridge
- usedby_consistency
- custom_block_volumes
- clustering_failure_domains
- resources_gpu_mdev
- console_vga_type
- projects_limits_disk
- network_type_macvlan
- network_type_sriov
- container_syscall_intercept_bpf_devices
- network_type_ovn
- projects_networks
- projects_networks_restricted_uplinks
- custom_volume_backup
- backup_override_name
- storage_rsync_compression
- network_type_physical
- network_ovn_external_subnets
- network_ovn_nat
- network_ovn_external_routes_remove
- tpm_device_type
- storage_zfs_clone_copy_rebase
- gpu_mdev
- resources_pci_iommu
- resources_network_usb
- resources_disk_address
- network_physical_ovn_ingress_mode
- network_ovn_dhcp
- network_physical_routes_anycast
- projects_limits_instances
- network_state_vlan
- instance_nic_bridged_port_isolation
- instance_bulk_state_change
- network_gvrp
- instance_pool_move
- gpu_sriov
- pci_device_type
- storage_volume_state
- network_acl
- migration_stateful
- disk_state_quota
- storage_ceph_features
- projects_compression
- projects_images_remote_cache_expiry
- certificate_project
- network_ovn_acl
- projects_images_auto_update
- projects_restricted_cluster_target
api_status: stable
api_version: "1.0"
auth: trusted
public: false
auth_methods:
- tls
environment:
  addresses:
  - 192.168.178.10:8443
  - '[2001:16b8:c1:5900:b441:a7b4:b279:3e5c]:8443'
  - '[2001:16b8:c1:5900:1cb2:7f6c:4ce5:9779]:8443'
  - '[2001:16b8:c1:5900:53df:8467:93a9:4331]:8443'
  - 192.168.178.30:8443
  - '[2001:16b8:c1:5900:b92d:9526:5f3d:9473]:8443'
  - '[2001:16b8:c1:5900:3990:1381:5d8b:596d]:8443'
  - '[2001:16b8:c1:5900:ac32:4c:619e:2f3a]:8443'
  - 10.0.0.1:8443
  - 192.168.122.1:8443
  - 10.162.52.1:8443
  - '[fd42:109c:21bd:8459::1]:8443'
  architectures:
  - x86_64
  - i686
  certificate_fingerprint: 6d581c3db0ebf50de2eb1740487ad6db55a11e7b8128ca4f56fd253f0d7b274b
  driver: lxc | qemu
  driver_version: 4.0.6 | 5.2.0
  firewall: nftables
  kernel: Linux
  kernel_architecture: x86_64
  kernel_features:
    netnsid_getifaddrs: "true"
    seccomp_listener: "true"
    seccomp_listener_continue: "true"
    shiftfs: "false"
    uevent_injection: "true"
    unpriv_fscaps: "true"
  kernel_version: 5.8.0-44-generic
  lxc_features:
    cgroup2: "true"
    devpts_fd: "true"
    mount_injection_file: "true"
    network_gateway_device_route: "true"
    network_ipvlan: "true"
    network_l2proxy: "true"
    network_phys_macvlan_mtu: "true"
    network_veth_router: "true"
    pidfd: "true"
    seccomp_allow_deny_syntax: "true"
    seccomp_notify: "true"
    seccomp_proxy_send_notify_fd: "true"
  os_name: Ubuntu
  os_version: "20.10"
  project: default
  server: lxd
  server_clustered: false
  server_name: flaep-U2010
  server_pid: 2913
  server_version: "4.12"
  storage: btrfs
  storage_version: 4.15.1

lxc exec priv1 /bin/bash

root@priv1:~# rm out.img 
root@priv1:~# truncate -s 10G out.img
root@priv1:~# mkfs.ext4 -F out.img 
mke2fs 1.45.5 (07-Jan-2020)
Discarding device blocks: done                            
Creating filesystem with 2621440 4k blocks and 655360 inodes
Filesystem UUID: 5f28a5e3-9fd7-42cf-8f62-f1edea4860ef
Superblock backups stored on blocks: 
	32768, 98304, 163840, 229376, 294912, 819200, 884736, 1605632

Allocating group tables: done                            
Writing inode tables: done                            
Creating journal (16384 blocks): done
Writing superblocks and filesystem accounting information: done 

root@priv1:~# mount out.img /mnt
mount: /mnt: mount failed: Operation not permitted.
root@priv1:~# mount -o loop,ro,noexec,noload out.img /mnt
mount: /mnt: mount failed: Operation not permitted.

Loop devices are the problem here. They’re not namespaced and so not accessible by default.
Your config is correct if you were mounting a physical disk or partition but for a loop file you’ll need to pass in a bunch of /dev/loop devices as unix-block to your container.

Thank you for your fast reply.

I added a bunch of loop devices as shown and as you did on GitHub.

loop4:
        path: /dev/loop4
        type: unix-block

But I still get the not permitted error.

How does LXD make sure I am allowed to run a privileged container? I never needed to run anything with sudo/as root. Can I verify that the container is indeed running privileged?

What am I doing wrong? Is loop really necessary? On the host I can mount the image without passing -o loop. Just sudo mount out.img /mnt.

Or, more generally asked: how to use mount inside a container? A step by step guide would be nice, because I am most likely missing something obvious.

Try running losetup -a to see whether those loop devices aren’t already in use.

I guess this means they are all taken.

Host:

losetup -a | sort
/dev/loop0: []: (/var/lib/snapd/snaps/core_10823.snap)
/dev/loop10: []: (/var/lib/snapd/snaps/snap-store_518.snap)
/dev/loop11: []: (/var/lib/snapd/snaps/snap-store_498.snap)
/dev/loop12: []: (/var/lib/snapd/snaps/lxd_19566.snap)
/dev/loop13: []: (/var/lib/snapd/snaps/lxd_19766.snap)
/dev/loop14: []: (/var/lib/snapd/snaps/discord_121.snap)
/dev/loop15: []: (/var/lib/snapd/snaps/core20_904.snap)
/dev/loop16: []: (/var/lib/snapd/snaps/signal-desktop_351.snap)
/dev/loop17: []: (/var/lib/snapd/snaps/signal-desktop_346.snap)
/dev/loop18: []: (/var/lib/snapd/snaps/telegram-desktop_2480.snap)
/dev/loop19: []: (/var/lib/snapd/snaps/snapd_11107.snap)
/dev/loop1: []: (/var/lib/snapd/snaps/core18_1944.snap)
/dev/loop20: []: (/var/lib/snapd/snaps/gtk-common-themes_1506.snap)
/dev/loop21: []: (/var/lib/snapd/snaps/gtk-common-themes_1514.snap)
/dev/loop22: []: (/var/lib/snapd/snaps/rpi-imager_150.snap)
/dev/loop23: []: (/var/lib/snapd/snaps/telegram-desktop_2448.snap)
/dev/loop24: []: (/var/snap/lxd/common/lxd/disks/defpool.img)
/dev/loop25: []: (/home/flaep/out.img)
/dev/loop2: []: (/var/lib/snapd/snaps/core_10859.snap)
/dev/loop3: []: (/var/lib/snapd/snaps/core20_875.snap)
/dev/loop4: []: (/var/lib/snapd/snaps/gnome-3-28-1804_145.snap)
/dev/loop5: []: (/var/lib/snapd/snaps/gnome-3-34-1804_60.snap)
/dev/loop6: []: (/var/lib/snapd/snaps/gnome-3-34-1804_66.snap)
/dev/loop7: []: (/var/lib/snapd/snaps/core18_1988.snap)
/dev/loop8: []: (/var/lib/snapd/snaps/discord_120.snap)
/dev/loop9: []: (/var/lib/snapd/snaps/snapd_11036.snap)

container:

losetup -a
/dev/loop1: [2081]:3932987 (/var/lib/snapd/snaps/core18_1944.snap)
/dev/loop6: [2081]:3932342 (/var/lib/snapd/snaps/gnome-3-34-1804_66.snap)
/dev/loop4: [2081]:3932902 (/var/lib/snapd/snaps/gnome-3-28-1804_145.snap)
/dev/loop2: [2081]:3932426 (/var/lib/snapd/snaps/core_10859.snap)
/dev/loop0: [2081]:3932179 (/var/lib/snapd/snaps/core_10823.snap)
/dev/loop7: [2081]:3933354 (/var/lib/snapd/snaps/core18_1988.snap)
/dev/loop5: [2081]:3940668 (/var/lib/snapd/snaps/gnome-3-34-1804_60.snap)
/dev/loop3: [2081]:3932917 (/var/lib/snapd/snaps/core20_875.snap)

I also forgot to run
lxc config device add priv1 loop-control unix-char path=/dev/loop-control
I did now and get a new error
mount: /mnt: failed to setup loop device for /root/out.img.

Yeah, /dev/loop-control won’t help you too much as it allows for more loop files to be allocated but they’ll show up on the host and then need to be added through unix-block.

https://github.com/lxc/lxc-ci/blob/master/bin/build-image-distrobuilder#L20 is what we do for our own images, effectively passing 64 loop devices even if they don’t exist in /dev of the host.

OK, it now worked out, but I am still a bit confused.

If I try to add a loop device that does not exist on the host, I get

Error: Failed to start device "loop26": The required device path doesn't exist and the major and minor settings are not specified

If I pass loop-control to the container, another loop device is created when I try to mount the image and I need to pass it manually to the container, as you said.

When I create a loop device ahead with mknod -m 660 /dev/loop66 b 7 66 and pass it, I still get
mount: /mnt: failed to setup loop device for /root/out.img.

So what am I still doing wrong that I can’t add non-existing loop devices?
Thank you for your patience.

Here is what I did:

ls -l /dev/loop* | sort
brw-rw---- 1 root disk  7,   0 Mär 15 17:41 /dev/loop0
brw-rw---- 1 root disk  7,  10 Mär 15 17:41 /dev/loop10
brw-rw---- 1 root disk  7,  11 Mär 15 17:41 /dev/loop11
brw-rw---- 1 root disk  7,  12 Mär 15 17:41 /dev/loop12
brw-rw---- 1 root disk  7,  13 Mär 15 17:41 /dev/loop13
brw-rw---- 1 root disk  7,  14 Mär 15 17:41 /dev/loop14
brw-rw---- 1 root disk  7,  15 Mär 15 17:41 /dev/loop15
brw-rw---- 1 root disk  7,  16 Mär 15 17:41 /dev/loop16
brw-rw---- 1 root disk  7,  17 Mär 15 17:41 /dev/loop17
brw-rw---- 1 root disk  7,  18 Mär 15 17:41 /dev/loop18
brw-rw---- 1 root disk  7,  19 Mär 15 17:41 /dev/loop19
brw-rw---- 1 root disk  7,   1 Mär 15 17:41 /dev/loop1
brw-rw---- 1 root disk  7,  20 Mär 15 17:41 /dev/loop20
brw-rw---- 1 root disk  7,  21 Mär 15 17:41 /dev/loop21
brw-rw---- 1 root disk  7,  22 Mär 15 17:41 /dev/loop22
brw-rw---- 1 root disk  7,  23 Mär 15 17:41 /dev/loop23
brw-rw---- 1 root disk  7,  24 Mär 15 17:42 /dev/loop24
brw-rw---- 1 root disk  7,   2 Mär 15 17:41 /dev/loop2
brw-rw---- 1 root disk  7,   3 Mär 15 17:41 /dev/loop3
brw-rw---- 1 root disk  7,   4 Mär 15 17:41 /dev/loop4
brw-rw---- 1 root disk  7,   5 Mär 15 17:41 /dev/loop5
brw-rw---- 1 root disk  7,   6 Mär 15 17:41 /dev/loop6
brw-rw---- 1 root disk  7,   7 Mär 15 17:41 /dev/loop7
brw-rw---- 1 root disk  7,   8 Mär 15 17:41 /dev/loop8
brw-rw---- 1 root disk  7,   9 Mär 15 17:41 /dev/loop9
crw-rw---- 1 root disk 10, 237 Mär 15 17:41 /dev/loop-control
 losetup -a | sort
/dev/loop0: []: (/var/lib/snapd/snaps/core_10823.snap)
/dev/loop10: []: (/var/lib/snapd/snaps/core20_875.snap)
/dev/loop11: []: (/var/lib/snapd/snaps/telegram-desktop_2480.snap)
/dev/loop12: []: (/var/lib/snapd/snaps/signal-desktop_351.snap)
/dev/loop13: []: (/var/lib/snapd/snaps/snapd_11107.snap)
/dev/loop14: []: (/var/lib/snapd/snaps/snap-store_518.snap)
/dev/loop15: []: (/var/lib/snapd/snaps/gnome-3-28-1804_145.snap)
/dev/loop16: []: (/var/lib/snapd/snaps/lxd_19766.snap)
/dev/loop17: []: (/var/lib/snapd/snaps/discord_120.snap)
/dev/loop18: []: (/var/lib/snapd/snaps/lxd_19566.snap)
/dev/loop19: []: (/var/lib/snapd/snaps/rpi-imager_150.snap)
/dev/loop1: []: (/var/lib/snapd/snaps/core_10859.snap)
/dev/loop20: []: (/var/lib/snapd/snaps/gtk-common-themes_1506.snap)
/dev/loop21: []: (/var/lib/snapd/snaps/telegram-desktop_2448.snap)
/dev/loop22: []: (/var/lib/snapd/snaps/core18_1944.snap)
/dev/loop23: []: (/var/lib/snapd/snaps/snapd_11036.snap)
/dev/loop24: []: (/var/snap/lxd/common/lxd/disks/defpool.img)
/dev/loop2: []: (/var/lib/snapd/snaps/discord_121.snap)
/dev/loop3: []: (/var/lib/snapd/snaps/core18_1988.snap)
/dev/loop4: []: (/var/lib/snapd/snaps/core20_904.snap)
/dev/loop5: []: (/var/lib/snapd/snaps/gnome-3-34-1804_60.snap)
/dev/loop6: []: (/var/lib/snapd/snaps/snap-store_498.snap)
/dev/loop7: []: (/var/lib/snapd/snaps/gnome-3-34-1804_66.snap)
/dev/loop8: []: (/var/lib/snapd/snaps/gtk-common-themes_1514.snap)
/dev/loop9: []: (/var/lib/snapd/snaps/signal-desktop_346.snap)

setup

$ lxc init ubuntu: ismount
$ sudo mknod -m 660 /dev/loop66 b 7 66
$ lxc config device add ismount loop66 unix-block path=/dev/loop66
$ lxc config set ismount raw.apparmor "mount,"
$ lxc config set ismount security.privileged true
$ lxc start ismount
$ lxc stop ismount #forgot loop-control
$ lxc config device add ismount loop-control unix-char path=/dev/loop-control

preparation

$ lxc start ismount 
$ lxc exec ismount bash
root@ismount:~# ls -lh /dev/loop*
crw-rw---- 1 root disk 10, 237 Mar 15 16:56 /dev/loop-control
brw-rw---- 1 root root  7,  66 Mar 15 16:56 /dev/loop66
root@ismount:~# losetup -a
root@ismount:~# truncate -s 10G out.img
root@ismount:~# mkfs.ext4 -F out.img 

mounting

root@ismount:~# mount -o loop,ro,noexec,noload out.img /mnt
mount: /mnt: failed to setup loop device for /root/out.img.
root@ismount:~# chown root:disk /dev/loop66
root@ismount:~# mount -o loop,ro,noexec,noload out.img /mnt
mount: /mnt: failed to setup loop device for /root/out.img.
root@ismount:~# losetup -a
root@ismount:~# mount out.img /mnt
mount: /mnt: failed to setup loop device for /root/out.img.
root@ismount:~# exit

$ lxc stop ismount

loop devices at the host now

$ ls -l /dev/loop*
brw-rw---- 1 root disk  7,   0 Mär 15 17:41 /dev/loop0
brw-rw---- 1 root disk  7,   1 Mär 15 17:41 /dev/loop1
brw-rw---- 1 root disk  7,  10 Mär 15 17:41 /dev/loop10
brw-rw---- 1 root disk  7,  11 Mär 15 17:41 /dev/loop11
brw-rw---- 1 root disk  7,  12 Mär 15 17:41 /dev/loop12
brw-rw---- 1 root disk  7,  13 Mär 15 17:41 /dev/loop13
brw-rw---- 1 root disk  7,  14 Mär 15 17:41 /dev/loop14
brw-rw---- 1 root disk  7,  15 Mär 15 17:41 /dev/loop15
brw-rw---- 1 root disk  7,  16 Mär 15 17:41 /dev/loop16
brw-rw---- 1 root disk  7,  17 Mär 15 17:41 /dev/loop17
brw-rw---- 1 root disk  7,  18 Mär 15 17:41 /dev/loop18
brw-rw---- 1 root disk  7,  19 Mär 15 17:41 /dev/loop19
brw-rw---- 1 root disk  7,   2 Mär 15 17:41 /dev/loop2
brw-rw---- 1 root disk  7,  20 Mär 15 17:41 /dev/loop20
brw-rw---- 1 root disk  7,  21 Mär 15 17:41 /dev/loop21
brw-rw---- 1 root disk  7,  22 Mär 15 17:41 /dev/loop22
brw-rw---- 1 root disk  7,  23 Mär 15 17:41 /dev/loop23
brw-rw---- 1 root disk  7,  24 Mär 15 17:42 /dev/loop24
brw-rw---- 1 root disk  7,  25 Mär 15 17:57 /dev/loop25
brw-rw---- 1 root disk  7,   3 Mär 15 17:41 /dev/loop3
brw-rw---- 1 root disk  7,   4 Mär 15 17:41 /dev/loop4
brw-rw---- 1 root disk  7,   5 Mär 15 17:41 /dev/loop5
brw-rw---- 1 root disk  7,   6 Mär 15 17:41 /dev/loop6
brw-rw---- 1 root root  7,  66 Mär 15 17:53 /dev/loop66
brw-rw---- 1 root disk  7,   7 Mär 15 17:41 /dev/loop7
brw-rw---- 1 root disk  7,   8 Mär 15 17:41 /dev/loop8
brw-rw---- 1 root disk  7,   9 Mär 15 17:41 /dev/loop9
crw-rw---- 1 root disk 10, 237 Mär 15 17:41 /dev/loop-control

$ losetup -a | sort
/dev/loop0: []: (/var/lib/snapd/snaps/core_10823.snap)
/dev/loop10: []: (/var/lib/snapd/snaps/core20_875.snap)
/dev/loop11: []: (/var/lib/snapd/snaps/telegram-desktop_2480.snap)
/dev/loop12: []: (/var/lib/snapd/snaps/signal-desktop_351.snap)
/dev/loop13: []: (/var/lib/snapd/snaps/snapd_11107.snap)
/dev/loop14: []: (/var/lib/snapd/snaps/snap-store_518.snap)
/dev/loop15: []: (/var/lib/snapd/snaps/gnome-3-28-1804_145.snap)
/dev/loop16: []: (/var/lib/snapd/snaps/lxd_19766.snap)
/dev/loop17: []: (/var/lib/snapd/snaps/discord_120.snap)
/dev/loop18: []: (/var/lib/snapd/snaps/lxd_19566.snap)
/dev/loop19: []: (/var/lib/snapd/snaps/rpi-imager_150.snap)
/dev/loop1: []: (/var/lib/snapd/snaps/core_10859.snap)
/dev/loop20: []: (/var/lib/snapd/snaps/gtk-common-themes_1506.snap)
/dev/loop21: []: (/var/lib/snapd/snaps/telegram-desktop_2448.snap)
/dev/loop22: []: (/var/lib/snapd/snaps/core18_1944.snap)
/dev/loop23: []: (/var/lib/snapd/snaps/snapd_11036.snap)
/dev/loop24: []: (/var/snap/lxd/common/lxd/disks/defpool.img)
/dev/loop2: []: (/var/lib/snapd/snaps/discord_121.snap)
/dev/loop3: []: (/var/lib/snapd/snaps/core18_1988.snap)
/dev/loop4: []: (/var/lib/snapd/snaps/core20_904.snap)
/dev/loop5: []: (/var/lib/snapd/snaps/gnome-3-34-1804_60.snap)
/dev/loop6: []: (/var/lib/snapd/snaps/snap-store_498.snap)
/dev/loop7: []: (/var/lib/snapd/snaps/gnome-3-34-1804_66.snap)
/dev/loop8: []: (/var/lib/snapd/snaps/gtk-common-themes_1514.snap)
/dev/loop9: []: (/var/lib/snapd/snaps/signal-desktop_346.snap)

so loop25 is new.

$ lxc config device add ismount loop25 unix-block path=/dev/loop25 
Device loop25 added to ismount
$ lxc exec ismount bash
root@ismount:~# mount out.img /mnt

Done.

Note how the link I gave you doesn’t use path= but instead directly specifies major/minor to avoid having to create the device on the host first.

By providing all the information upfront in the config lxd creates the loop devices?

I am going to try to reproduce the steps necessary to use loop devices.
Right now I only managed to make it work once. I am unfortunately busy with other tasks right now.

Thank you

Yeah, if you provide the major/minor in the LXD device, LXD will create the device for you in a private directory and then pass it into the container at the path you provide.
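
An added example, not code from the thread or from the linked lxc-ci script: it audits which loop devices passed into a container are already attached to host files (as loop0 to loop7 were above), then prints device-add commands that declare major/minor for minors the host is not using. The function names and the sample `losetup -a` text are constructed for illustration; major 7 is taken from the listings above, and `major`, `minor` and `path` are assumed to be given as LXD unix-block options in this form.

```shell
#!/bin/sh
# Constructed sample, modelled on the host `losetup -a` output in the thread.
HOST_LOSETUP='/dev/loop0: []: (/var/lib/snapd/snaps/core_10823.snap)
/dev/loop4: []: (/var/lib/snapd/snaps/core20_904.snap)
/dev/loop24: []: (/var/snap/lxd/common/lxd/disks/defpool.img)'

# Print "loopN<TAB>backing-file" for every attached loop device.
# $1 = text produced by `losetup -a` on the host
busy_loops() {
    printf '%s\n' "$1" | awk '/^\/dev\/loop[0-9]+:/ {
        split($0, a, ":")
        dev = substr(a[1], 6)                 # drop the "/dev/" prefix
        if (match($0, /\(.*\)$/))             # backing file is the "(...)" tail
            print dev "\t" substr($0, RSTART + 1, RLENGTH - 2)
    }'
}

# Report passed-through devices that already back a host file. Loop devices
# are not namespaced, so the container gets the same block device as the host.
# $1 = host losetup output, $2.. = loop device names given to the container
audit_passthrough() {
    losetup_out=$1
    shift
    for dev in "$@"; do
        busy_loops "$losetup_out" |
            awk -F'\t' -v d="$dev" '$1 == d { print d " exposes " $2 }'
    done
}

# Print device-add commands for the first $2 minors the host is not using,
# declaring major/minor so the node does not have to exist in the host /dev.
# $1 = container name, $2 = how many devices, $3 = host losetup output
free_loop_cmds() {
    container=$1
    want=$2
    busy=" $(busy_loops "$3" | cut -f1 | tr '\n' ' ')"
    n=0
    minor=0
    while [ "$n" -lt "$want" ]; do
        case $busy in
            *" loop$minor "*) ;;              # attached on the host: skip it
            *)
                echo "lxc config device add $container loop$minor unix-block major=7 minor=$minor path=/dev/loop$minor"
                n=$((n + 1))
                ;;
        esac
        minor=$((minor + 1))
    done
}

# Demonstration on the constructed sample; nothing here calls lxc or losetup.
audit_passthrough "$HOST_LOSETUP" loop0 loop4 loop66
free_loop_cmds ismount 2 "$HOST_LOSETUP"
```

On a real host, pass `"$(losetup -a)"` instead of the sample. A minor that is free at audit time can still be claimed by the host later, so re-run the audit after snaps or storage pools change.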