mount syscall

[piranna]

When trying to use the mount syscall to mount a filesystem image I get the next error:

Trace: { [Error: EPERM, Operation not permitted '/work/out/latest']
  errno: 1,
  code: 'EPERM',
  path: '/work/out/latest',
  syscall: 'mount' }
    at onerror (/lib/node_modules/nodeos-mount-filesystems/index.js:34:13)
    at /lib/node_modules/nodeos-mount-filesystems/index.js:297:26

Could it be possible I can't be able to use the mount syscall from inside vagga? And if so, what alternatives do I have? I know I can be able to set a volume, but they are only mapping to a host folder and don't allow to mount disk images. I could live with this, but can I be able later to use mount bind and mount move from inside vagga? NodeOS use them to create a clean filesystem hierarchy... :-/

[tailhook]

Well mount syscall works. Bind mounts should work, but are subject of some restrictions. I can do mount --bind and mount --move in vagga _build_shell but can't in command run by vagga. Anyway, vagga in vagga works (I use it for tests), and vagga uses bind mounts a lot. So I should just refresh in memory what the restrictions are.

And as far as I know you can't mount block device because the user that runs vagga is still that user, so kernel doesn't trust him to read block devices.

[piranna]

Well mount syscall works. Bind mounts should work, but are subject of some restrictions. I can do mount --bind and mount --move in vagga _build_shell but can't in command run by vagga. Anyway, vagga in vagga works (I use it for tests), and vagga uses bind mounts a lot. So I should just refresh in memory what the restrictions are.

Good to know :-) Do you remind if move works too?

And as far as I know you can't mount block device because the user that runs vagga is still that user, so kernel doesn't trust him to read block devices.

It's not a block device but a filesystem image. As far as I know, now it's not required to create a loop device to mount them and can be used directly, isn't it?

[tailhook]

Good to know :-) Do you remind if move works too?

Yes. It works.

It's not a block device but a filesystem image. As far as I know, now it's not required to create a loop device to mount them and can be used directly, isn't it?

As far as I know you use loop device even if not specified explicitly (http://unix.stackexchange.com/a/66079/96831). So I believe you can't. I've tried to get loop device working a year ago or so without a success. I don't know if anything changed yet. Probably not.

[piranna]

Seems OverlayFS doesn't work, too... :-/ That's a shame, because NodeOS use it extensively (one of them for each user) :-( I suppose FUSE-based filesystems will have these problems too, isn't it?

[piranna]

Seems Docker now support to mount FUSE filesystems by combining capabilities and device mapping. Would this be possible to implement on vagga?

Also seems that by using the volumes options it's possible to map a single file (not a full directory) and use it directly, so it would be possible to "pass" a disk image and mount it from inside the container. Is this feasable with vagga, or there would be some drawbacks?

[tailhook]

Seems Docker now support to mount FUSE filesystems by combining capabilities and device mapping. Would this be possible to implement on vagga?

While it's not impossible it's hard to implement. AFAIR, you need to run fusermount in the host, and pass the file descriptor to it from a container.

Also seems that by using the volumes options it's possible to map a single file (not a full directory) and use it directly, so it would be possible to "pass" a disk image and mount it from inside the container. Is this feasable with vagga, or there would be some drawbacks?

Probably no, because to mount a file to use as disk image you need a loop device, not a file itself (just mount utility hides it for you). And mounting loopfs is disabled for non-root because kernel developers do not trust filesystem drivers (i.e. there can be a specially crafted image which exhausts resources of whole system).

By the way, OverlayFS should work on ubuntu kernel (it has a patch).

[tailhook]

Should work out of the box now, given that #239 is merged. As of vagga v0.5.0-142-g618cf0b

[piranna]

That's cool! I'll try to find time to check it. Thanks! :-D

[piranna]

How could this be used? Are the docs updated?

[tailhook]

I'm not sure that we have ever mentioned about mounts in docs. What needs to be updates? (if you having troubles, with running mount, there is still old version of vagga in vagga-testing repo, I have troubles with buildbot)

[piranna]

I'll get in touch with you when I get time to check it, thanks :-)

[rainboh]

Can someone confirm if running mount inside container to mount a loop device should work now.

Inside container I'm only able to:

/work# losetup -P /dev/loop1 test.img
/work# blkid
/dev/loop1: UUID="ed4a676a-6915-4e8d-896f-47fcc3b0a828" TYPE="ext4"

But mounting fails with:

/work# mount /dev/loop1 mnt/
mount: /work/mnt: permission denied.