loop device in a Linux container?


Solution 1

If you're using systemd-nspawn, start up your container with the --capability=CAP_MKNOD command line switch. This will allow you to create device nodes inside your container. Then create a loop device like this:

# mknod /dev/loop0 b 7 0

Remember that this loop device is shared with the host and is called /dev/loop0 there as well. And that it is now possible to access host devices if you know the major and minor numbers. There could also be other consequences that I haven't thought about. Be warned.

Solution 2

Loop devices are provided by a kernel module. Therefore, you need special privileges to access them. You also need them to be exposed into your container, or you need to manually create the device files.

The quick answer

docker run --privileged=true ...

An alternative

sudo losetup /dev/loop0 test.img
mount /dev/loop0 /mnt
docker run -v /mnt:/mnt ...

This almost works

docker run --device=/dev/loop-control:/dev/loop-control --device=/dev/loop0:/dev/loop0 --cap-add SYS_ADMIN ...

However, I get this error:

root@5c033d5f8625:/# sudo mount /dev/loop0 /mnt
mount: block device /dev/loop0 is write-protected, mounting read-only
mount: cannot mount block device /dev/loop0 read-only

See this link for more information.

A note from the systemd-nspawn man page:

systemd-nspawn limits access to various kernel interfaces in the container to read-only, such as /sys, /proc/sys or /sys/fs/selinux. Network interfaces and the system clock may not be changed from within the container. Device nodes may not be created. The host system cannot be rebooted and kernel modules may not be loaded from within the container.
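As an added example (not part of the question or of either solution above), a small audit script that can be run inside a container to show which of the prerequisites the two solutions rely on are actually present: the CAP_MKNOD bit (needed for the mknod in Solution 1), the CAP_SYS_ADMIN bit (needed for mount), and a cgroup-v1 device rule covering the loop block major 7 (what the --device and device-cgroup options in Solution 2 grant). Capability bit numbers follow linux/capability.h; the script only reads /proc and /sys and changes nothing.

```shell
#!/bin/sh
# Added audit script (not from the question or the answers). Run inside the
# container to see which prerequisites for loop-device use are present:
# CAP_MKNOD (to mknod /dev/loop0), CAP_SYS_ADMIN (to mount), and a cgroup-v1
# device rule covering block major 7. Bit numbers follow linux/capability.h.

CAP_SYS_ADMIN=21
CAP_MKNOD=27

# cap_set HEXMASK BIT: succeed if BIT is set in a 64-bit hex capability mask,
# the format of the CapEff line in /proc/self/status.
cap_set() {
    [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]
}

# cap_eff: effective capability mask of the calling process.
cap_eff() {
    awk '/^CapEff:/ { print $2 }' /proc/self/status
}

# devices_allow_loop RULES: succeed if the cgroup-v1 devices.list text (one
# rule per line, e.g. "b 7:* rwm" or the privileged "a *:* rwm") covers
# block major 7. Only the major is checked, not the minor or the rwm flags.
devices_allow_loop() {
    printf '%s\n' "$1" | awk '
        $1 == "a" { ok = 1 }
        $1 == "b" { split($2, mm, ":"); if (mm[1] == "*" || mm[1] == "7") ok = 1 }
        END { exit ok ? 0 : 1 }'
}

# report: print what this container has and what it is missing.
report() {
    eff=$(cap_eff); eff=${eff:-0}   # fall back to an empty mask if /proc is unreadable
    if cap_set "$eff" $CAP_MKNOD; then echo "CAP_MKNOD: present"; else echo "CAP_MKNOD: missing (mknod /dev/loop0 will fail)"; fi
    if cap_set "$eff" $CAP_SYS_ADMIN; then echo "CAP_SYS_ADMIN: present"; else echo "CAP_SYS_ADMIN: missing (mount will fail)"; fi
    list=/sys/fs/cgroup/devices/devices.list
    if [ ! -r "$list" ]; then
        echo "device cgroup: no v1 devices.list (cgroup v2 filters devices with eBPF programs)"
    elif devices_allow_loop "$(cat "$list")"; then
        echo "device cgroup: block major 7 allowed"
    else
        echo "device cgroup: block major 7 denied (see --device-cgroup-rule 'b 7:* rmw')"
    fi
}

report
```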


Author: William Nyqvister

Technologist & entrepreneur.

Updated on September 18, 2022

Comments

  • William Nyqvister, almost 2 years

    I'm attempting to use a loop device inside a container, to mount some image file:

    > sudo losetup /dev/loop0 test.img
    losetup: /dev/loop0: failed to set up loop device: No such file or directory
    

    /dev/loop0 indeed doesn't exist, and

    > sudo mknod /dev/loop0 b 7 0
    mknod: ‘/dev/loop0’: Operation not permitted
    

    How can I make this work? Does the container need some cgroup permission that it might not have?

  • nh2, over 6 years
    Can anybody confirm that --capability=CAP_MKNOD still works? For me it seems to have no effect, I get Operation not permitted even with it, and so do this user and this user.
  • nh2, over 6 years
    I got it to work now, but in addition to giving --capability=CAP_MKNOD I had to set DeviceAllow=block-loop rwm in the systemd-nspawn unit to make it work (got that idea from here).
  • Lucas Ou-Yang, over 5 years
    I had to add --device-cgroup-rule="b 7:* rmw" to docker run to permit full access to loopback devices (but no others, since there's no --privilege). Found via docs.docker.com/edge/engine/reference/commandline/create/… and tested on docker 18.06.1-ce (the document claims to only apply to Docker Edge).
  • LtWorf, over 4 years
    This doesn't work if one is using user namespace.