Unable to mount devices under container #9950

Closed
tbronchain opened this Issue Jan 7, 2015 · 20 comments


tbronchain commented Jan 7, 2015

Hi guys,

I'm trying to mount a device bound directly into the container using the "devices" parameter.
This device is a typical AWS virtual drive. It can be mounted on the host without any problem.

It seems like there is no problem to run mkfs.ext3 on my mounted device, but mount -t ext3 /dev/xvdf /mnt fails with the following error:

root@eg_sshd:~# mount -t ext3 /dev/xvdf /mnt
mount: block device /dev/xvdf is write-protected, mounting read-only
mount: cannot mount block device /dev/xvdf read-only
root@eg_sshd:~# mount -t ext3 -o rw /dev/xvdf /mnt
mount: block device /dev/xvdf is write-protected, mounting read-only
mount: cannot mount block device /dev/xvdf read-only

The devices seem well recognised if I inspect the container:

    "Devices": [
        {
            "CgroupPermissions": "rwm",
            "PathInContainer": "/dev/xvdf",
            "PathOnHost": "/dev/xvdf"
        },
        {
            "CgroupPermissions": "rwm",
            "PathInContainer": "/dev/xvdg",
            "PathOnHost": "/dev/xvdg"
        }
    ],

Oh, and I'm using Ubuntu as base (just a very basic container running a sshd server - only for tests!).

Thanks for help!

Member

thaJeztah commented Jan 10, 2015

Does this look like what you're trying to do? #8826

Also look at this section of the documentation; https://docs.docker.com/reference/run/#runtime-privilege-linux-capabilities-and-lxc-configuration


tbronchain commented Jan 11, 2015

Hi Sebastian,

Thanks for your reply, but actually this is not what I'm trying to do.

I followed the documentation. In fact, I'm mounting the volume using the API, not the docker CLI, but it doesn't (shouldn't?) matter much.
As I showed on my original post, the properties are well set.

The problem I have is I'm unable to mount a device bind (with the --devices option) within a container, although I'm able to alter the partition table.
To me, it seems like a permission bug. Or maybe there is something I didn't get?

Thanks for your help,
Thibault.

Member

thaJeztah commented Jan 11, 2015

Hi, Thibault,

I have never needed this functionality myself and don't have experience with it in Docker. I think this may be caused by the needed capabilities not being present in the container (and remember seeing a discussion on this in another issue).

I think the best way to get help on this, is to ask the question on IRC in the #docker channel.


tbronchain commented Jan 12, 2015

Thanks, I'll check this out!


@jessfraz jessfraz closed this Feb 26, 2015


nacc commented Mar 18, 2015

I'm guessing this was resolved, but it wasn't written into this issue. Thibault, would you mind updating it? A tester here is hitting something similar (I think it's not a very useful testcase, but still) -- and I'd like to provide them with some suggestions on what is missing.


tbronchain commented Mar 19, 2015

@nacc It seems it's not resolved. I've upgraded to 1.5.0, but still the same issue. Now I can see it's possible to add specific capacities, so it's maybe what is missing.
The error is different though. Although I have the device correctly set as rwm, I get a "permission denied" in the container, or "Operation not permitted" with fdisk.
But I don't understand why I need to add any specific capacity, while the doc is saying it should work out of the box ...

edit: sorry, I was confused, it has been a while ... the doc is mentioning LXC capacities, does this mean the "devices" parameter only works while using LXC?

Contributor

cpuguy83 commented Mar 19, 2015

@tbronchain You cannot call mount unless you have CAP_SYS_ADMIN, which is not available in the default container config. You'd need to docker run --cap-add SYS_ADMIN


tbronchain commented Mar 19, 2015

Thanks Brian. Does it mean I must use the LXC driver to be able to mount devices?

Contributor

cpuguy83 commented Mar 19, 2015

@tbronchain No, it means you need to use the above docker run command to be able to use mount in a container.


tbronchain commented Mar 24, 2015

And ... It works! Awesome @cpuguy83 , thanks a lot!
(PS: as far as I know, I haven't seen it in the doc .. or it's well hidden)


nagendersoma commented May 16, 2015

I'm hitting this same issue and the SYS_ADMIN capability is not resolving it.

    sudo docker run --cap-add SYS_ADMIN --device=/dev/loop0:/dev/xsdc -i -t ubuntu /bin/bash
    docker inspect cranky_bardeen
    ..
    "CapAdd": [
        "SYS_ADMIN"
    ]
    ...
    "Devices": [
        {
            "CgroupPermissions": "rwm",
            "PathInContainer": "/dev/xsdc",
            "PathOnHost": "/dev/loop0"
        }
    ...

In the container:

    root@ccdf48f761b1:/# mount -t ext4 -o rw /dev/xsdc /mnt/tmp
    mount: block device /dev/xsdc is write-protected, mounting read-only
    mount: cannot mount block device /dev/xsdc read-only
    root@ccdf48f761b1:/#


pfremm-NM commented May 29, 2015

I am trying to use tmpfs to mount a ramdisk when specifying --cap-add SYS-ADMIN and I also get:

    mount: tmpfs is write-protected, mounting read-only
    mount: cannot mount tmpfs read-only


SaltwaterC commented Aug 19, 2015

Ran into the same issue trying to do a bind mount inside a container. CAP_SYS_ADMIN works on my local dev box (OS X 10.10 with Docker Toolbox 1.8.1b) but it fails to work on the CI build agent (Ubuntu 15.04 using the docker-engine package from https://apt.dockerproject.org/repo).

I tried adding the whole cap lot (all 37 of them) to the container. No dice. The only thing that works is to run the container in privileged mode.


drngsl commented Nov 24, 2015

@cpuguy83, hi, I also meet this problem, but when I create a container with docker run --cap-add SYS_ADMIN, it still does not work.

Member

thaJeztah commented Nov 24, 2015

@drngsl also see this issue; #16429 perhaps that's what you're running into?


drngsl commented Nov 25, 2015

@thaJeztah, it does work, and thanks for your help.


vmahedia commented Jan 28, 2016

You can resolve this by using --security-opt apparmor:unconfined along with --cap-add SYS_ADMIN

#18191 (comment)
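The two conditions this thread converges on (Brian's point that mount(2) needs CAP_SYS_ADMIN, which Docker's default capability set does not include, and vmahedia's point that the AppArmor profile can still deny the mount after the capability is added) can both be checked from inside a container without attempting a mount. The script below is an added example, not code from this thread or from Docker: it extracts the CapEff bitmask from /proc/self/status, tests bit 21 (CAP_SYS_ADMIN's capability number), names the set bits, and reads the AppArmor label from /proc/self/attr/current. The sample status text and the two masks are constructed for the example; 00000000a80425fb decodes to Docker's 14 default capabilities and 00000000a82425fb is the same set with SYS_ADMIN added.

```shell
#!/bin/sh
# Added example (not from the thread or Docker): decode a container's
# effective capability mask and AppArmor label to explain why mount(2)
# is refused. Capability bit positions are the Linux capability numbers;
# CAP_SYS_ADMIN is bit 21.

CAP_NAMES="chown dac_override dac_read_search fowner fsetid kill setgid setuid \
setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw \
ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct \
sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease \
audit_write audit_control setfcap mac_override mac_admin syslog wake_alarm \
block_suspend audit_read"
CAP_SYS_ADMIN_BIT=21

# Read /proc/<pid>/status text on stdin and print the CapEff hex mask.
cap_eff_from_status() {
    awk '/^CapEff:/ { print $2 }'
}

# has_cap HEXMASK BIT -> exit status 0 if that capability bit is set.
has_cap() {
    [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]
}

# decode_caps HEXMASK -> space-separated names of the capabilities in the mask.
decode_caps() {
    mask=$1
    bit=0
    out=""
    for name in $CAP_NAMES; do
        if has_cap "$mask" "$bit"; then
            out="${out:+$out }$name"
        fi
        bit=$((bit + 1))
    done
    printf '%s\n' "$out"
}

# apparmor_state LABEL -> "confined" or "unconfined", where LABEL is the
# content of /proc/self/attr/current (e.g. "docker-default (enforce)").
apparmor_state() {
    case "$1" in
        unconfined|"") echo unconfined ;;
        *) echo confined ;;
    esac
}

# diagnose HEXMASK LABEL -> one-line verdict on whether mount(2) can work.
diagnose() {
    if ! has_cap "$1" "$CAP_SYS_ADMIN_BIT"; then
        echo "no CAP_SYS_ADMIN: mount will fail (add with --cap-add SYS_ADMIN)"
    elif [ "$(apparmor_state "$2")" = confined ]; then
        echo "CAP_SYS_ADMIN present but AppArmor profile '$2' may still deny mount"
    else
        echo "CAP_SYS_ADMIN present and no AppArmor confinement: mount should be permitted"
    fi
}

# Constructed sample: /proc/self/status excerpt from a container started with
# Docker's default capability set (no SYS_ADMIN).
SAMPLE_STATUS=$(printf 'Name:\tsh\nCapEff:\t00000000a80425fb\n')
DEFAULT_MASK=$(printf '%s\n' "$SAMPLE_STATUS" | cap_eff_from_status)
echo "default caps: $(decode_caps "$DEFAULT_MASK")"
diagnose "$DEFAULT_MASK" "docker-default (enforce)"
diagnose 00000000a82425fb "docker-default (enforce)"   # after --cap-add SYS_ADMIN
diagnose 00000000a82425fb unconfined                   # plus --security-opt apparmor:unconfined

# Inside a real container the same check runs against live data.
if [ -r /proc/self/status ]; then
    live_label=$(cat /proc/self/attr/current 2>/dev/null || echo unconfined)
    diagnose "$(cap_eff_from_status < /proc/self/status)" "$live_label"
fi
```

Running this inside the container before reaching for --privileged tells you which of the two conditions is still unmet; the label check is a heuristic (a confined profile may or may not allow mount), so "may still deny" is the strongest claim it makes.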

Member

thaJeztah commented Jan 29, 2016

Actually, you can (right-click on the comment's timestamp); #18191 (comment)


vmahedia commented Jan 29, 2016

@thaJeztah Thank you, kind sir.


fryfrog commented Mar 30, 2017

Just wanted to say thanks for this issue, helped me resolve the same sort of error in a docker image I was working on. :)

netservers pushed a commit to netservers/ceph-ansible that referenced this issue Apr 19, 2017

John McEleney
Apparmor on Ubuntu Xenial will not permit containers to mount devices, even with CAP SYS_ADMIN.

The issue is discussed here: moby/moby#9950
This patch resolves the issue.