[systemd-devel] /dev/loop* in systemd-nspawn

Lennart Poettering lennart at poettering.net
Mon Aug 28 14:56:08 UTC 2017


On Di, 22.08.17 10:54, Miroslav Suchý (msuchy at redhat.com) wrote:

> Hi,
> is there a reason why systemd-nspawn does not create /dev/loop* files in container?
> I am asking because of:
>   https://github.com/rpm-software-management/mock/pull/107

Well, block devices (and specifically loopback devices) aren't
properly virtualized for containers on Linux. Loopback devices live in
a single logical namespace, and are somewhat dynamic in character (due
to /dev/loop-control), which doesn't fit the namespaced container
concept well. Moreover block devices are not virtualized in /sys,
hence discovery for them falls completely flat in containers.

We'd be happy to support them if the kernel would virtualize them
properly, but until then doing loopback devices in containers is both
a security hole and a messy API borkage I fear...

There were patches to permit multiple instances of /dev/loop-control
and friends to the kernel, but to my knowledge that never went
anywhere...

A hackish way out is to bind a specific device into the container via
--bind=/dev/loop7, but that's not more than a hack, since that means
the loopback device API is supported only partially, as the container
couldn't allocate new block devices and the device is never properly
"owned" by the container, as there simply is not container
concept. Moreover, code in the container can't really discover this
device automatically, since as mentioned /sys isn't virtualized.

Lennart

-- 
Lennart Poettering, Red Hat
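The message distinguishes two ways a container can end up with loopback access: a single statically bound node such as /dev/loop7, and the dynamic allocation path through /dev/loop-control. The audit script below is an added example, not part of the thread or of systemd; it parses the text of an `ls -l /dev` listing captured from inside a container and reports which of those two situations applies. The listing it runs on is a constructed sample embedded in the file, and the device numbers it relies on are the kernel's fixed ones: loop block devices use major 7, and /dev/loop-control is the misc character device 10:237.

```python
"""Audit a container's /dev listing for loopback device exposure.

Added example (not from the mailing-list post or from systemd). Input is
the text of `ls -l /dev` as captured inside the container; a constructed
sample is embedded below so the module runs offline.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

LOOP_BLOCK_MAJOR = 7        # /dev/loopN are block devices with major 7
MISC_CHAR_MAJOR = 10        # /dev/loop-control is a "misc" character device ...
LOOP_CONTROL_MINOR = 237    # ... registered with minor 237

# One `ls -l` line for a device node, e.g.
#   "brw-rw---- 1 root disk      7,   7 Aug 28 14:56 loop7"
# Regular files show a size instead of "major, minor", so they never match.
_DEV_LINE = re.compile(
    r"^(?P<type>[bc])[rwxstST-]{9}[.+]?\s+\d+\s+\S+\s+\S+\s+"
    r"(?P<major>\d+),\s*(?P<minor>\d+)\s+\S+\s+\d+\s+[\d:]+\s+(?P<name>\S+)$"
)


@dataclass(frozen=True)
class DevNode:
    name: str
    kind: str    # "b" for block, "c" for character
    major: int
    minor: int


def parse_ls_listing(text: str) -> List[DevNode]:
    """Extract device nodes from `ls -l` output; symlinks, files, dirs are skipped."""
    nodes = []
    for line in text.splitlines():
        m = _DEV_LINE.match(line.strip())
        if m:
            nodes.append(DevNode(m["name"], m["type"], int(m["major"]), int(m["minor"])))
    return nodes


def loop_exposure(nodes: List[DevNode]) -> Tuple[List[str], bool]:
    """Return (names of loop block nodes, whether loop-control is present)."""
    loop_blocks = sorted(n.name for n in nodes
                         if n.kind == "b" and n.major == LOOP_BLOCK_MAJOR)
    has_control = any(n.kind == "c" and n.major == MISC_CHAR_MAJOR
                      and n.minor == LOOP_CONTROL_MINOR for n in nodes)
    return loop_blocks, has_control


def audit(listing: str) -> Dict[str, object]:
    """Classify a container /dev listing into the cases the thread describes."""
    loop_blocks, has_control = loop_exposure(parse_ls_listing(listing))
    if has_control:
        verdict = "loop-control exposed: container can allocate loop devices dynamically"
    elif loop_blocks:
        verdict = "static loop node(s) bound: partial loopback API, host-owned devices"
    else:
        verdict = "no loopback exposure"
    return {"loop_devices": loop_blocks, "loop_control": has_control, "verdict": verdict}


# Constructed sample: a container /dev with one node bound via --bind=/dev/loop7.
SAMPLE_BOUND_LOOP7 = """\
total 0
crw-rw-rw- 1 root root      1,   3 Aug 28 14:56 null
crw-rw-rw- 1 root root      1,   8 Aug 28 14:56 random
lrwxrwxrwx 1 root root          15 Aug 28 14:56 stdin -> /proc/self/fd/0
brw-rw---- 1 root disk      7,   7 Aug 28 14:56 loop7
"""

# Constructed sample: a listing that also carries the allocation interface.
SAMPLE_WITH_CONTROL = SAMPLE_BOUND_LOOP7 + \
    "crw-rw---- 1 root disk     10, 237 Aug 28 14:56 loop-control\n"

if __name__ == "__main__":
    for label, sample in (("bound loop7", SAMPLE_BOUND_LOOP7),
                          ("with loop-control", SAMPLE_WITH_CONTROL)):
        print(label, "->", audit(sample)["verdict"])
```

Run it against a real capture with `ls -l /dev` from inside the container piped into `audit()`; a listing that matches neither case is the expected baseline for an nspawn container, since the message explains why no loop nodes are created there by default.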

