Unix-block device mounting

Hello.
I use LXD 2.0.10 and I have one container named instance-00000012 (created by Openstack) with the following profile:

config:
  environment.product_name: OpenStack Nova
  limits.cpu: "2"
  limits.memory: 2048MB
  raw.apparmor: mount fstype=ext4,
  raw.lxc: |
    lxc.console.logfile=/var/log/lxd/instance-00000012/console.log
description: ""
devices:
  root:
    path: /
    type: disk
  tap36aa7a42-39:
    hwaddr: fa:16:3e:d8:e4:a3
    nictype: physical
    parent: tin36aa7a42-39
    type: nic
name: instance-00000012

lsblk shows this information inside container:

NAME   MAJ:MIN RM  SIZE RO TYPE MOUNTPOINT
sr0     11:0    1 1024M  0 rom  
fd0      2:0    1    4K  0 disk 
loop9    7:9    0    1G  0 loop 
sda      8:0    0   25G  0 disk 
└─sda1   8:1    0   25G  0 part /

As you can see I have a fake block device /dev/loop9 and I want to add it as a block device to my container. I used this command:

lxc profile device add instance-00000012 volume unix-block path=/dev/loop9

Device volume was added successfully and now profile looks like this:

config:
  environment.product_name: OpenStack Nova
  limits.cpu: "2"
  limits.memory: 2048MB
  raw.apparmor: mount fstype=ext4,
  raw.lxc: |
    lxc.console.logfile=/var/log/lxd/instance-00000012/console.log
description: ""
devices:
  root:
    path: /
    type: disk
  tap36aa7a42-39:
    hwaddr: fa:16:3e:d8:e4:a3
    nictype: physical
    parent: tin36aa7a42-39
    type: nic
  volume:
    path: /dev/loop9
    type: unix-block
name: instance-00000012

But lsblk shows something weird:

NAME   MAJ:MIN RM  SIZE RO TYPE MOUNTPOINT
sr0     11:0    1 1024M  0 rom  
fd0      2:0    1    4K  0 disk 
loop9    7:9    0    1G  0 loop 
sda      8:0    0   25G  0 disk 
└─sda1   8:1    0   25G  0 part /dev/loop9

I expected something like this:

NAME   MAJ:MIN RM  SIZE RO TYPE MOUNTPOINT
sr0     11:0    1 1024M  0 rom  
fd0      2:0    1    4K  0 disk 
loop9    7:9    0    1G  0 loop /dev/loop9
sda      8:0    0   25G  0 disk 
└─sda1   8:1    0   25G  0 part /

Is this a normal situation, or do I just not understand container-specific mounting?
But the main problem is that I can’t mount /dev/loop9 to /mnt inside the container, because I see

mount: permission denied

Can you help me to understand these two problems?

Unprivileged containers aren’t allowed to mount most filesystems. That’s a kernel restriction applied on the user namespace, so not something you can bypass with apparmor profiles or LXD settings.

If you’re on Ubuntu, there is a flag you can set to enable unprivileged mounts of ext4 filesystems.
Just keep in mind that this can be very dangerous if you ever allowed an untrusted user to do this, as it’s a direct way of attacking the kernel’s superblock parser.

echo Y > /sys/module/ext4/parameters/userns_mounts
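As an added illustration of the two conditions discussed in this answer (added here, not code from the thread or from LXD itself): a small POSIX shell script that reports the state of the ext4 userns_mounts knob and detects whether the caller sits in a shifted user namespace, which is how an unprivileged LXD container looks from the inside. The file paths are parameters so the checks can also be run against copies; the sample uid_map below is constructed to match the idmap shown later in this thread (host uid 1000000 mapped to container uid 0).

```shell
#!/bin/sh
# Added example, not part of the original thread or of LXD.
# Reports whether unprivileged ext4 mounts are allowed on the host and
# whether the current process is inside a shifted user namespace.

# Print "enabled", "disabled" or "absent" for the ext4 userns_mounts knob.
# $1: path to the sysfs parameter (default: the real one on the host).
ext4_userns_mounts_state() {
    param="${1:-/sys/module/ext4/parameters/userns_mounts}"
    if [ ! -r "$param" ]; then
        echo absent        # non-Ubuntu kernel or ext4 not loaded
        return 0
    fi
    case "$(cat "$param")" in
        Y|y|1) echo enabled ;;
        *)     echo disabled ;;
    esac
}

# Return 0 if the uid map is shifted (container uid 0 is not host uid 0),
# i.e. we are in an unprivileged container; return 1 for an identity map.
# $1: path to the uid_map file (default: /proc/self/uid_map).
in_unprivileged_userns() {
    map="${1:-/proc/self/uid_map}"
    while read -r inside outside count; do
        [ "$inside" = "$outside" ] || return 0
    done < "$map"
    return 1
}

# One-line explanation of why "mount: permission denied" is expected.
# $1: path to the userns_mounts knob, $2: path to the uid_map file.
diagnose_mount() {
    if in_unprivileged_userns "$2"; then
        case "$(ext4_userns_mounts_state "$1")" in
            enabled) echo "userns: ext4 mount allowed by host knob (guest reaches the kernel superblock parser)" ;;
            *)       echo "userns: mount blocked by the kernel; use a privileged container or mount on the host" ;;
        esac
    else
        echo "not in a user namespace: the failure is not the userns mount restriction"
    fi
}
```

Run `diagnose_mount` inside the container with no arguments to check the live /proc and /sys files.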

Thanks for the explanation about mounting rules!

What about lsblk situation? Is this normal behavior?

Looks like lsblk is just getting a bit confused by the bind-mounted /dev entry.

Ok, then I will not worry.

Hi, I have a similar problem, but I am running LXC 3.16 (installed via Snap) on Centos 7. I’ve set SELinux to permissive and then followed the same steps, and encountered the same error saying

mount: permission denied

The container’s config is as follows:

architecture: x86_64
config:
  image.architecture: amd64
  image.description: Centos 7 amd64 (20190813_07:08)
  image.os: Centos
  image.release: "7"
  image.serial: "20190813_07:08"
  volatile.base_image: 5a71173937d516bce8e541c28b2c9bc8c6d086d1e7bf84f27059ad9bf4af9858
  volatile.eth0.host_name: vethd3acca83
  volatile.eth0.hwaddr: 00:16:3e:a6:5f:9a
  volatile.eth0.name: eth0
  volatile.idmap.base: "0"
  volatile.idmap.current: '[{"Isuid":true,"Isgid":false,"Hostid":1000000,"Nsid":0,"Maprange":1000000000},{"Isuid":false,"Isgid":true,"Hostid":1000000,"Nsid":0,"Maprange":1000000000}]'
  volatile.idmap.next: '[{"Isuid":true,"Isgid":false,"Hostid":1000000,"Nsid":0,"Maprange":1000000000},{"Isuid":false,"Isgid":true,"Hostid":1000000,"Nsid":0,"Maprange":1000000000}]'
  volatile.last_state.idmap: '[{"Isuid":true,"Isgid":false,"Hostid":1000000,"Nsid":0,"Maprange":1000000000},{"Isuid":false,"Isgid":true,"Hostid":1000000,"Nsid":0,"Maprange":1000000000}]'
  volatile.last_state.power: RUNNING
devices:
  ssd01:
    path: /dev/sda1
    type: unix-block
ephemeral: false

Also, the filesystem for the partition is XFS and I can’t find a similar parameter as userns_mounts (then again, the container is started by root). Is there anything else I can do?