moby: Unable to mount devices under container
Hi guys,
I’m trying to mount a device directly, bound using the “devices” parameter, into the container. This device is a typical AWS virtual drive. It can be mounted on the host without any problem.
It seems there is no problem running mkfs.ext3 on my mounted device, but mount -t ext3 /dev/xvdf /mnt fails with the following error:
root@eg_sshd:~# mount -t ext3 /dev/xvdf /mnt
mount: block device /dev/xvdf is write-protected, mounting read-only
mount: cannot mount block device /dev/xvdf read-only
root@eg_sshd:~# mount -t ext3 -o rw /dev/xvdf /mnt
mount: block device /dev/xvdf is write-protected, mounting read-only
mount: cannot mount block device /dev/xvdf read-only
The devices seem well recognised if I inspect the container:
"Devices": [
    {
        "CgroupPermissions": "rwm",
        "PathInContainer": "/dev/xvdf",
        "PathOnHost": "/dev/xvdf"
    },
    {
        "CgroupPermissions": "rwm",
        "PathInContainer": "/dev/xvdg",
        "PathOnHost": "/dev/xvdg"
    }
],
Oh, and I’m using Ubuntu as base (just a very basic container running a sshd server - only for tests!).
Thanks for help!
About this issue
- State: closed
- Created 9 years ago
- Comments: 21 (7 by maintainers)
Commits related to this issue
- Apparmor on Ubuntu Xenial will not permit containers to mount devices, even with CAP SYS_ADMIN. The issue is discussed here: https://github.com/moby/moby/issues/9950 This patch resolves the issue. — committed to netservers/ceph-ansible by deleted user 7 years ago
- Fix docker RPM builds on Ubuntu with AppArmor enabled https://github.com/moby/moby/issues/9950#issuecomment-176480007 — committed to fmarier/brave-release by fmarier 4 years ago
You can resolve this by using --security-opt apparmor:unconfined along with --cap-add SYS_ADMIN
https://github.com/docker/docker/issues/18191#issuecomment-159280820
It’s possible the --security-opt or --privileged flags are no longer required. Based on the hints in https://developers.redhat.com/blog/2016/09/13/running-systemd-in-a-non-privileged-container/ I’m able to run a systemd-enabled docker image[1] within docker/for-mac[2] using the command:
docker run -d -e=container=docker --stop-signal=SIGRTMIN+3 --tmpfs /tmp --tmpfs /run -v /sys/fs/cgroup:/sys/fs/cgroup:ro <systemd_enabled_CentOS_image_id>
[1] https://hub.docker.com/_/centos/ with “Dockerfile for systemd base image” applied
[2] https://github.com/docker/for-mac/
@tbronchain You cannot call mount unless you have CAP_SYS_ADMIN, which is not available in the default container config. You’d need to docker run --cap-add SYS_ADMIN
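The settings the thread converges on (a writable --device, --cap-add SYS_ADMIN, and AppArmor unconfined on Ubuntu) together hand a container the ability to mount host block devices, so they are worth auditing for. The following is an added example, not code from the moby issue or from Docker itself: it reads a `docker inspect`-shaped document (a constructed sample is embedded; the container names and device paths are made up) and reports which of those settings are present and whether the combination allows a block-device mount.

```python
"""Audit `docker inspect` output for the settings this thread needed in order
to mount a block device inside a container (added example, not issue code)."""
import json

# Constructed sample in the shape of `docker inspect <container>` output, for a
# container run with --device /dev/xvdf --cap-add SYS_ADMIN
# --security-opt apparmor:unconfined. All values are made up for this example.
RELAXED_INSPECT = json.dumps([{
    "Name": "/eg_sshd",
    "HostConfig": {
        "Privileged": False,
        "CapAdd": ["SYS_ADMIN"],
        "SecurityOpt": ["apparmor:unconfined"],
        "Devices": [{"PathOnHost": "/dev/xvdf", "PathInContainer": "/dev/xvdf",
                     "CgroupPermissions": "rwm"}],
    },
}])
# Same device, but default capabilities and AppArmor profile: mount(2) is denied.
DEFAULT_INSPECT = json.dumps([{
    "Name": "/eg_sshd_default",
    "HostConfig": {"Privileged": False, "CapAdd": None, "SecurityOpt": None,
                   "Devices": [{"PathOnHost": "/dev/xvdf", "PathInContainer": "/dev/xvdf",
                                "CgroupPermissions": "rwm"}]},
}])


def audit_container(inspect_json: str) -> dict:
    """Report which mount-enabling settings the first container in an inspect
    document carries, and whether together they let it mount a block device."""
    container = json.loads(inspect_json)[0]
    host_cfg = container.get("HostConfig") or {}
    findings = []
    privileged = bool(host_cfg.get("Privileged"))
    if privileged:
        findings.append("privileged: every capability, AppArmor and seccomp off")
    caps = {c.upper().replace("CAP_", "", 1) for c in host_cfg.get("CapAdd") or []}
    if caps & {"SYS_ADMIN", "ALL"}:
        findings.append("cap_add SYS_ADMIN: permits mount(2) and most other admin syscalls")
    # Docker accepts both "apparmor:unconfined" and "apparmor=unconfined".
    opts = {o.replace("=", ":").lower() for o in host_cfg.get("SecurityOpt") or []}
    if "apparmor:unconfined" in opts:
        findings.append("apparmor unconfined: default profile's mount deny rule is gone")
    writable = [d["PathOnHost"] for d in host_cfg.get("Devices") or []
                if "w" in d.get("CgroupPermissions", "")]
    findings.extend(f"device {p} passed through with write access" for p in writable)
    can_mount = (privileged or bool(caps & {"SYS_ADMIN", "ALL"})) and \
                (privileged or "apparmor:unconfined" in opts) and bool(writable)
    return {"name": container.get("Name"), "findings": findings,
            "can_mount_block_device": can_mount}
```

Feed it the output of `docker inspect <container>` on a real host to list containers whose device pass-through is backed by the capability and profile changes discussed above.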