forgejo/lxc-helpers
13
2
Fork 2
Code Issues 8 Pull requests 3 Actions Activity

Unable to Mount in LXC Container - Operation not Permitted #11

New issue
Open
opened 2023-11-21 12:04:19 +00:00 by cachito-worker · 2 comments
cachito-worker commented 2023-11-21 12:04:19 +00:00
Copy link

Issue Description:

I encountered an issue while attempting to mount a system image in an LXC container created using lxc-helpers, which is integrated into forgejo/act. Below is the sequence of commands I used:

curl -O https://dl.google.com/android/repository/sys-img/android/arm64-v8a-24_r07.zip
mkdir -p arm64-v8a-24_r07/mount
unzip arm64-v8a-24_r07.zip */system.img -d arm64-v8a-24_r07
sudo mount arm64-v8a-24_r07/arm64-v8a/system.img arm64-v8a-24_r07/mount

However, the last command resulted in the following error:

mount failed: Operation not permitted.

Issue Background:

I have been exploring solutions online but haven't found a definitive guide on configuring LXC, specifically when using lxc-helpers and forgejo/act, to allow the mounting operation. The goal is to understand how to properly configure LXC to enable successful mounting.

Request for Assistance:

I seek guidance on how to configure LXC, particularly when utilizing lxc-helpers and forgejo/act, to allow the mounting operation described above. Any insights, tips, or step-by-step instructions would be greatly appreciated. Additionally, if there are specific settings or configurations within lxc-helpers or forgejo/act that need adjustment to permit such operations, I would be grateful for the details.

### Issue Description: I encountered an issue while attempting to mount a system image in an LXC container created using [lxc-helpers](https://code.forgejo.org/forgejo/lxc-helpers), which is integrated into [forgejo/act](https://code.forgejo.org/forgejo/act). Below is the sequence of commands I used: ``` curl -O https://dl.google.com/android/repository/sys-img/android/arm64-v8a-24_r07.zip mkdir -p arm64-v8a-24_r07/mount unzip arm64-v8a-24_r07.zip */system.img -d arm64-v8a-24_r07 sudo mount arm64-v8a-24_r07/arm64-v8a/system.img arm64-v8a-24_r07/mount ``` However, the last command resulted in the following error: ``` mount failed: Operation not permitted. ``` ### Issue Background: I have been exploring solutions online but haven't found a definitive guide on configuring LXC, specifically when using [lxc-helpers](https://code.forgejo.org/forgejo/lxc-helpers) and [forgejo/act](https://code.forgejo.org/forgejo/act), to allow the mounting operation. The goal is to understand how to properly configure LXC to enable successful mounting. ### Request for Assistance: I seek guidance on how to configure LXC, particularly when utilizing lxc-helpers and forgejo/act, to allow the mounting operation described above. Any insights, tips, or step-by-step instructions would be greatly appreciated. Additionally, if there are specific settings or configurations within lxc-helpers or forgejo/act that need adjustment to permit such operations, I would be grateful for the details.
earl-warren commented 2023-12-01 15:28:31 +00:00
Owner
Copy link

Even though I get a different error, I confirm this is not working.

I created a fresh container

lxc-helpers.sh lxc_container_create mytest
lxc-helpers.sh lxc_container_start mytest
lxc-helpers.sh lxc_container_run mytest bash

and then

#  curl -O https://dl.google.com/android/repository/sys-img/android/arm64-v8a-24_r07.zip
#  apt-get update ; apt-get install -y curl
#  curl -O https://dl.google.com/android/repository/sys-img/android/arm64-v8a-24_r07.zip
#  unzip arm64-v8a-24_r07.zip */system.img -d arm64-v8a-24_r07
#  apt-get install unzip
#  unzip arm64-v8a-24_r07.zip */system.img -d arm64-v8a-24_r07
#  mount arm64-v8a-24_r07/arm64-v8a/system.img arm64-v8a-24_r07/mount
mount: arm64-v8a-24_r07/mount: failed to setup loop device for /arm64-v8a-24_r07/arm64-v8a/system.img.

Verified /var/lib/lxc/mytest/config has loop device capabilities.

# Template used to create this container: /usr/share/lxc/templates/lxc-debian
# Parameters passed to the template: --release=bookworm
# For additional config options, please look at lxc.container.conf(5)
# Uncomment the following line to support nesting containers:
#lxc.include = /usr/share/lxc/config/nesting.conf
# (Be aware this has security implications)
lxc.net.0.type = veth
lxc.net.0.link = lxcbr0
lxc.net.0.flags = up
lxc.net.0.hwaddr = 00:16:3e:8d:a1:ba
# Common configuration
lxc.include = /usr/share/lxc/config/debian.common.conf
# Container specific configuration
lxc.tty.max = 4
lxc.arch = amd64
lxc.pty.max = 1024
lxc.apparmor.profile = unconfined
lxc.rootfs.path = dir:/var/lib/lxc/mytest/rootfs
lxc.uts.name = mytest
#
# include cap config snippet
#
lxc.cap.drop =
#
# include fuse config snippet
#
#
# /dev/fuse
#
lxc.cgroup2.devices.allow = b 10:229 rwm
lxc.mount.entry = /dev/fuse dev/fuse none bind,create=file 0 0
#
# include kvm config snippet
#
#
# /dev/kvm
#
lxc.cgroup2.devices.allow = c 10:232 rwm
lxc.mount.entry = /dev/kvm dev/kvm none bind,create=file 0 0
#
# include loop config snippet
#
#
# /dev/loop
#
lxc.cgroup2.devices.allow = c 10:237 rwm
lxc.cgroup2.devices.allow = b 7:* rwm
lxc.mount.entry = /dev/loop-control dev/loop-control none bind,create=file 0 0
#
# include mapper config snippet
#
#
# /dev/mapper
#
lxc.cgroup2.devices.allow = c 10:236 rwm
lxc.mount.entry = /dev/mapper dev/mapper none bind,create=dir 0 0
#
# include nesting config snippet
#
security.nesting = true
#
# include net config snippet
#
#
# /dev/net
#
lxc.cgroup2.devices.allow = c 10:200 rwm
lxc.mount.entry = /dev/net dev/net none bind,create=dir 0 0
Even though I get a different error, I confirm this is not working. --- I created a fresh container ```sh lxc-helpers.sh lxc_container_create mytest lxc-helpers.sh lxc_container_start mytest lxc-helpers.sh lxc_container_run mytest bash ``` and then ```sh # curl -O https://dl.google.com/android/repository/sys-img/android/arm64-v8a-24_r07.zip # apt-get update ; apt-get install -y curl # curl -O https://dl.google.com/android/repository/sys-img/android/arm64-v8a-24_r07.zip # unzip arm64-v8a-24_r07.zip */system.img -d arm64-v8a-24_r07 # apt-get install unzip # unzip arm64-v8a-24_r07.zip */system.img -d arm64-v8a-24_r07 # mount arm64-v8a-24_r07/arm64-v8a/system.img arm64-v8a-24_r07/mount mount: arm64-v8a-24_r07/mount: failed to setup loop device for /arm64-v8a-24_r07/arm64-v8a/system.img. ``` Verified `/var/lib/lxc/mytest/config` has loop device capabilities. ``` # Template used to create this container: /usr/share/lxc/templates/lxc-debian # Parameters passed to the template: --release=bookworm # For additional config options, please look at lxc.container.conf(5) # Uncomment the following line to support nesting containers: #lxc.include = /usr/share/lxc/config/nesting.conf # (Be aware this has security implications) lxc.net.0.type = veth lxc.net.0.link = lxcbr0 lxc.net.0.flags = up lxc.net.0.hwaddr = 00:16:3e:8d:a1:ba # Common configuration lxc.include = /usr/share/lxc/config/debian.common.conf # Container specific configuration lxc.tty.max = 4 lxc.arch = amd64 lxc.pty.max = 1024 lxc.apparmor.profile = unconfined lxc.rootfs.path = dir:/var/lib/lxc/mytest/rootfs lxc.uts.name = mytest # # include cap config snippet # lxc.cap.drop = # # include fuse config snippet # # # /dev/fuse # lxc.cgroup2.devices.allow = b 10:229 rwm lxc.mount.entry = /dev/fuse dev/fuse none bind,create=file 0 0 # # include kvm config snippet # # # /dev/kvm # lxc.cgroup2.devices.allow = c 10:232 rwm lxc.mount.entry = /dev/kvm dev/kvm none bind,create=file 0 0 # # include loop config snippet # # # /dev/loop # lxc.cgroup2.devices.allow = c 10:237 rwm lxc.cgroup2.devices.allow = b 7:* rwm lxc.mount.entry = /dev/loop-control dev/loop-control none bind,create=file 0 0 # # include mapper config snippet # # # /dev/mapper # lxc.cgroup2.devices.allow = c 10:236 rwm lxc.mount.entry = /dev/mapper dev/mapper none bind,create=dir 0 0 # # include nesting config snippet # security.nesting = true # # include net config snippet # # # /dev/net # lxc.cgroup2.devices.allow = c 10:200 rwm lxc.mount.entry = /dev/net dev/net none bind,create=dir 0 0 ```
earl-warren commented 2023-12-01 16:32:29 +00:00
Owner
Copy link

#13 will fix this. A workaround could be to manually add the /dev/loopN mounts to /var/lib/lxc/mytest/config.

https://code.forgejo.org/forgejo/lxc-helpers/pulls/13 will fix this. A workaround could be to manually add the /dev/loopN mounts to `/var/lib/lxc/mytest/config`.
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
main
No results found.
Labels
Clear labels
No items
No labels
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
2 participants
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Reference: forgejo/lxc-helpers#11
No description provided.
Delete branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?