moby: Unable to mount devices under container

Hi guys,

I’m trying to bind-mount a device directly into the container using the “devices” parameter. This device is an AWS typical virtual drive. It can mount on the host without any problem.

It seems like there is no problem running mkfs.ext3 on my mounted device, but mount -t ext3 /dev/xvdf /mnt fails with the following error:

    root@eg_sshd:~# mount -t ext3 /dev/xvdf /mnt
    mount: block device /dev/xvdf is write-protected, mounting read-only
    mount: cannot mount block device /dev/xvdf read-only
    root@eg_sshd:~# mount -t ext3 -o rw /dev/xvdf /mnt
    mount: block device /dev/xvdf is write-protected, mounting read-only
    mount: cannot mount block device /dev/xvdf read-only

The devices seem well recognised if I inspect the container:

    "Devices": [
        {
            "CgroupPermissions": "rwm",
            "PathInContainer": "/dev/xvdf",
            "PathOnHost": "/dev/xvdf"
        },
        {
            "CgroupPermissions": "rwm",
            "PathInContainer": "/dev/xvdg",
            "PathOnHost": "/dev/xvdg"
        }
    ],

Oh, and I’m using Ubuntu as base (just a very basic container running a sshd server - only for tests!).

Thanks for help!

About this issue

  • State: closed
  • Created 9 years ago
  • Comments: 21 (7 by maintainers)

Most upvoted comments

You can resolve this by using --security-opt apparmor:unconfined along with --cap-add SYS_ADMIN

https://github.com/docker/docker/issues/18191#issuecomment-159280820

It’s possible the --security-opt or --privileged flags are no longer required.

Based on the hints in: https://developers.redhat.com/blog/2016/09/13/running-systemd-in-a-non-privileged-container/

I’m able to run a systemd-enabled docker image[1] within docker/for-mac[2] using command: docker run -d -e=container=docker --stop-signal=SIGRTMIN+3 --tmpfs /tmp --tmpfs /run -v /sys/fs/cgroup:/sys/fs/cgroup:ro <systemd_enabled_CentOS_image_id>

[1] https://hub.docker.com/_/centos/ with “Dockerfile for systemd base image” applied
[2] https://github.com/docker/for-mac/

@tbronchain You cannot call mount unless you have CAP_SYS_ADMIN, which is not available in the default container config. You’d need to docker run --cap-add SYS_ADMIN
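A quick way to confirm what the maintainer's comment describes from inside the container is to decode the CapEff bitmask the kernel reports in /proc/self/status and test bit 21 (CAP_SYS_ADMIN); the added script below is an example written for this page, not code from the thread or from Docker. The embedded status text is constructed sample input; its CapEff value 00000000a80425fb corresponds to the default Docker capability set, and the AppArmor check only reports the confining profile, since the thread also notes that the default profile blocks mount.

```shell
#!/bin/sh
# Check whether the current process holds CAP_SYS_ADMIN by decoding the
# CapEff mask from /proc/self/status. Capability numbers follow
# linux/capability.h: CAP_SYS_ADMIN is bit 21, CAP_SYS_CHROOT is bit 18.
CAP_SYS_ADMIN=21

# has_cap <hex CapEff mask without 0x> <capability number>
# Returns 0 when the capability bit is set, 1 otherwise.
has_cap() {
    mask=$1
    bit=$2
    [ "$(( 0x$mask >> $bit & 1 ))" -eq 1 ]
}

# cap_eff_from_status <contents of a /proc/<pid>/status file>
# Prints the hex value of the CapEff: line.
cap_eff_from_status() {
    printf '%s\n' "$1" | sed -n 's/^CapEff:[[:space:]]*//p'
}

# Constructed sample: the CapEff a process sees in a default Docker
# container (no --cap-add, no --privileged). Bit 21 is clear here.
DEFAULT_STATUS='Name:	mount
CapInh:	0000000000000000
CapPrm:	00000000a80425fb
CapEff:	00000000a80425fb'

# report_sys_admin <hex CapEff mask>
# Prints a one-line verdict: mount(2) is refused with EPERM without bit 21.
report_sys_admin() {
    if has_cap "$1" "$CAP_SYS_ADMIN"; then
        echo "CAP_SYS_ADMIN present in CapEff=$1: the capability check for mount(2) passes"
    else
        echo "CAP_SYS_ADMIN absent from CapEff=$1: mount(2) fails with EPERM"
    fi
}

# Run against the live process when /proc is available, else the sample.
if [ -r /proc/self/status ]; then
    report_sys_admin "$(cap_eff_from_status "$(cat /proc/self/status)")"
    # AppArmor confinement is a separate gate: the docker-default profile
    # denies mount even when the capability is granted.
    [ -r /proc/self/attr/current ] && echo "AppArmor label: $(cat /proc/self/attr/current)"
else
    report_sys_admin "$(cap_eff_from_status "$DEFAULT_STATUS")"
fi
```

Granting CAP_SYS_ADMIN gives the container far more than mount, so when the goal is only to expose a filesystem, mounting on the host and passing it in with -v keeps the container at the default capability set.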