[systemd-devel] systemd 219 fails to create and/or use loop devices (or any other device)

von Thadden, Joachim, SEVEN PRINCIPLES joachim.von-thadden at 7p-group.com
Thu Nov 19 07:42:31 PST 2015


Hi,

Using systemd 219-25 on Fedora 22 in a freshly created container I cannot make any
device. Using --capability=CAP_MKNOD makes no difference.

Steps to reproduce:
[root at nbl ~]# machinectl pull-raw --verify=no http://ftp.halifax.rwth-aachen.de/fedora/linux/releases/21/Cloud/Images/x86_64/Fedora-Cloud-Base-20141203-21.x86_64.raw.xz
[root at nbl ~]# systemd-nspawn --capability=CAP_MKNOD -M Fedora-Cloud-Base-20141203-21.x86_64
[root at Fedora-Cloud-Base-20141203-21 ~]# strace -f mknod /dev/loop0 b 7 0
mknod("/dev/loop0", S_IFBLK|0666, makedev(7, 0)) = -1 EPERM (Operation not permitted)

Also, when bind-mounting e.g. /dev/loop-control and /dev/loop0 into the container, I cannot
use them.
[root at nbl ~]# systemd-nspawn --bind=/dev/loop-control:/dev/loop-control --bind=/dev/loop0:/dev/loop0 --bind=/dev/loop1:/dev/loop1 --capability=CAP_MKNOD -M Fedora-Cloud-Base-20141203-21.x86_64

[root at Fedora-Cloud-Base-20141203-21 ~]# losetup -a
/dev/loop0: []: (/var/lib/machines/Fedora-Cloud-Base-20141203-21.x86_64.raw)

[root at Fedora-Cloud-Base-20141203-21 ~]# strace -f losetup -f .bash_history
[...]
stat("/dev/loop-control", {st_mode=S_IFCHR|0660, st_rdev=makedev(10, 237), ...}) = 0
open("/dev/loop-control", O_RDWR|O_CLOEXEC) = -1 EPERM (Operation not permitted)
[...]
stat("/dev/loop1", {st_mode=S_IFBLK|0660, st_rdev=makedev(7, 1), ...}) = 0
stat("/dev/loop1", {st_mode=S_IFBLK|0660, st_rdev=makedev(7, 1), ...}) = 0
open("/sys/dev/block/7:1", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
getcwd("/root", 4096)                   = 6
lstat("/root/.bash_history", {st_mode=S_IFREG|0600, st_size=322, ...}) = 0
open("/root/.bash_history", O_RDWR|O_CLOEXEC) = 3
open("/dev/loop1", O_RDWR|O_CLOEXEC)    = -1 EPERM (Operation not permitted)

All of this worked with systemd-216 in Fedora 21. I know that with CAP_MKNOD and the use of
devices I am suffering from less isolation in the container, but this is intentional,
and for sure it must be possible to make a simple loop device.

Best regards
        Joachim von Thadden

-- 
Joachim von Thadden

E-Mail: joachim.von-thadden at 7p-group.com
Web: www.7p-group.com
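An added diagnostic for the failure shown above (example code, not part of the original post and not systemd's own code). The strace shows mknod(2) and open(2) returning EPERM on device nodes even though the container holds CAP_MKNOD. The assumption made here, which the post itself does not establish, is that the denial comes from the devices cgroup whitelist systemd-nspawn applies to the machine's scope unit (a closed DevicePolicy with a fixed DeviceAllow= list): the kernel consults that whitelist after the capability check, so CAP_MKNOD alone cannot help. The script parses a devices.list in the cgroup v1 format, checks the three exact requests from the strace (b 7:0 for mknod, c 10:237 and b 7:1 for the O_RDWR opens) against it, and then against the same list with loop rules added. The sample whitelist and the LOOP_RULES needed for losetup are constructed for the example; the real /sys/fs/cgroup/devices/devices.list is used when it is readable.

```shell
#!/bin/sh
# Added diagnostic, not from the original post or from systemd. It models the
# devices-cgroup (v1) whitelist check that, as an assumption not established in
# the thread, is the usual reason a systemd-nspawn container gets EPERM from
# mknod(2)/open(2) on device nodes even with CAP_MKNOD.

# devcg_allows LIST TYPE MAJOR MINOR ACCESS
#   LIST   contents of a devices.list file, one rule per line in the kernel's
#          "<type> <major>:<minor> <access>" format, e.g. "c 1:3 rwm", "b 7:* rw",
#          "a *:* rwm"; type 'a' and '*' are wildcards
#   TYPE   c (char) or b (block); ACCESS any subset of r, w, m the syscall needs
# Returns 0 if every requested access bit is granted by some rule, else 1.
devcg_allows() {
    list=$1; type=$2; major=$3; minor=$4; want=$5
    got=""
    while read -r rtype rdev racc; do
        [ -n "$rtype" ] || continue                       # blank line
        rmaj=${rdev%%:*}; rmin=${rdev#*:}
        [ "$rtype" = a ] || [ "$rtype" = "$type" ] || continue
        [ "$rmaj" = '*' ] || [ "$rmaj" = "$major" ] || continue
        [ "$rmin" = '*' ] || [ "$rmin" = "$minor" ] || continue
        got="$got$racc"                                   # union of granted bits
    done <<EOF
$list
EOF
    rest=$want
    while [ -n "$rest" ]; do
        bit=${rest%"${rest#?}"}                           # first character
        rest=${rest#?}
        case $got in *"$bit"*) ;; *) return 1 ;; esac
    done
    return 0
}

# The three syscalls the strace in the post shows failing, as NAME TYPE MAJOR
# MINOR ACCESS (mknod needs 'm'; open(O_RDWR) needs 'rw'); 10:237 and 7:N are
# the st_rdev values strace printed.
POST_REQUESTS='mknod(/dev/loop0) b 7 0 m
open(/dev/loop-control,O_RDWR) c 10 237 rw
open(/dev/loop1,O_RDWR) b 7 1 rw'

# report_requests LIST: one line per request on stderr, number denied on stdout.
report_requests() {
    denied=0
    while read -r name t maj min acc; do
        [ -n "$name" ] || continue
        if devcg_allows "$1" "$t" "$maj" "$min" "$acc"; then
            echo "$name: allowed ($t $maj:$min $acc)" >&2
        else
            echo "$name: EPERM expected, no rule grants $t $maj:$min $acc" >&2
            denied=$((denied + 1))
        fi
    done <<EOF
$POST_REQUESTS
EOF
    echo "$denied"
}

# Constructed sample list, modelled on a closed policy that whitelists only the
# standard pseudo-devices (the usual Linux major:minor numbers for
# null/zero/full/random/urandom/tty/console/ptmx/net-tun/pts).
SAMPLE_LIST='c 1:3 rwm
c 1:5 rwm
c 1:7 rwm
c 1:8 rwm
c 1:9 rwm
c 5:0 rwm
c 5:1 rwm
c 5:2 rwm
c 10:200 rwm
c 136:* rwm'

# Rules that would have to be granted (e.g. via DeviceAllow= on the scope unit)
# for losetup to work; an assumption about the fix, not something the thread
# settles.
LOOP_RULES='b 7:* rwm
c 10:237 rwm'

if [ -r /sys/fs/cgroup/devices/devices.list ]; then
    LIST=$(cat /sys/fs/cgroup/devices/devices.list)       # real cgroup v1 data
else
    LIST=$SAMPLE_LIST                                     # offline: sample
fi
n=$(report_requests "$LIST")
echo "$n of 3 requests denied by the current list"
n=$(report_requests "$LIST
$LOOP_RULES")
echo "$n of 3 requests denied once the loop rules are added"
```

Run it inside the container: if the real devices.list is readable and lacks a `b 7:*` and `c 10:237` entry, the three requests from the strace are reported as denied, which is exactly the EPERM pattern in the post; the second report shows the same requests passing once the loop rules are part of the whitelist.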


