I am using a docker container (based on the official centos:6.4 image) to build an ISO which I then need to mount and verify. I am unable to mount the ISO using:
sudo mount -o loop /path/to/iso /mnt
Gives:
mount: Could not find any loop device. Maybe this kernel does not know
about the loop device? (If so, recompile or `modprobe loop'.)
It looks like the kernel has been compiled without loop device support. Is it possible to build docker images which support loop devices? I couldn't find any information on this, however, looking at this thread it seems that this may be an ongoing topic.
I wonder if there is a way to circumvent this limitation?
If you have an ISO file whose contents you would like to use as a root file system inside a Docker container, Docker does not support this directly. You need to convert the ISO image into a Docker image first.
To run Docker inside Docker, all you have to do is run Docker with the default Unix socket docker.sock as a volume. Just a word of caution: if your container gets access to docker.sock, it means it has more privileges over your Docker daemon.
The Docker platform: Docker provides the ability to package and run an application in a loosely isolated environment called a container. The isolation and security allow you to run many containers simultaneously on a given host.
To mount an ISO inside a container, you need two things:
By default, Docker locks down both things; that's why you get that error message.
The easiest solution is to start the container in privileged mode:
docker run --privileged ...
A more fine-grained solution is to dive down into the devices cgroup and container capabilities to give the required permissions.
Note that you cannot execute privileged operations as part of a Dockerfile; i.e. if you need to mount that ISO in a Dockerfile, you won't be able to do it.
However, I recommend that you have a look at Xorriso and specifically the osirrox tool, which lets you extract files from ISO images just like you would extract a tar file, without requiring any kind of special access, e.g.:
osirrox -indev /path/to/iso -extract / /full-iso-contents
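An added example, not part of the original answer: a preflight check to run inside the container before attempting the loop mount, covering the capability and device sides of the fine-grained route mentioned above. It assumes the required capability is CAP_SYS_ADMIN (bit 21) and that loop nodes use block major 7 as in the mknod calls on this page; the function names are hypothetical, and `--cap-add` / `--device` are the `docker run` flags assumed for granting each piece.

```shell
#!/bin/sh
CAP_SYS_ADMIN=21   # bit number in linux/capability.h; mount(2) requires it
LOOP_MAJOR=7       # block major of loop devices (assumption stated above)

# has_cap STATUS_FILE BIT: succeeds if BIT is set in the CapEff mask.
has_cap() {
    mask=$(awk '/^CapEff:/ {print $2}' "$1") || return 2
    [ -n "$mask" ] || return 2
    [ "$(( (0x$mask >> $2) & 1 ))" -eq 1 ]
}

# loop_nodes DIR: prints block device nodes DIR/loopN whose major is 7.
# A node can exist and still be denied by the devices cgroup; this only
# checks that the node is present.
loop_nodes() {
    for node in "$1"/loop[0-9]*; do
        [ -b "$node" ] || continue          # also skips an unmatched glob
        major=$(stat -c %t "$node")         # %t = major number, in hex
        [ "$((0x$major))" -eq "$LOOP_MAJOR" ] && echo "$node"
    done
    return 0
}

# preflight [STATUS_FILE] [DEV_DIR]: reports what is missing and returns 0
# only if the capability and at least one loop node are both available.
preflight() {
    status=${1:-/proc/$$/status}
    devdir=${2:-/dev}
    rc=0
    if has_cap "$status" "$CAP_SYS_ADMIN"; then
        echo "ok: CAP_SYS_ADMIN is in the effective set"
    else
        echo "missing: CAP_SYS_ADMIN (docker run --cap-add SYS_ADMIN)"
        rc=1
    fi
    if [ -n "$(loop_nodes "$devdir")" ]; then
        echo "ok: loop device node(s) present in $devdir"
    else
        echo "missing: loop device node (docker run --device /dev/loopN)"
        rc=1
    fi
    return "$rc"
}
```

Source the file inside the container and call `preflight`; a non-zero status names which grant is absent. CAP_SYS_ADMIN covers far more than mount, so the osirrox route, which needs neither grant, remains the smaller one.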
I have a feeling this is not a good way to solve my issue, but this is what I have done for the time being, until a more sane idea presents itself.
My container starts into bash, from this shell I am able to add loop devices using:
# mknod /dev/loop0 -m0660 b 7 0
# mknod /dev/loop1 -m0660 b 7 1
...
# mknod /dev/loop9 -m0660 b 7 9
and now, I have loop devices available, so I am able to mount an ISO. However, I noticed that the first available loop device for me was /dev/loop2:
bash-4.1# losetup -f
/dev/loop2
this implies that loop0 and loop1 are already in use, this is confirmed by:
bash-4.1# losetup -a
/dev/loop0: [fd00]:1978974 (/dev/loop0)
/dev/loop1: [fd00]:1978975 (/dev/loop1)
/dev/loop2: [fd00]:2369514 (/path/to/my/iso)
and, this is why I think this solution is bad, from outside the container:
12:36:02 $ losetup -a
/dev/loop0: []: (/var/lib/docker/devicemapper/devicemapper/data)
/dev/loop1: []: (/var/lib/docker/devicemapper/devicemapper/metadata)
/dev/loop2: []: (/path/to/my/iso)
So it looks like the first 2 loop devices I created in the container mapped to loop0 and loop1 outside of the container, which is why they were not available for use. I guess there must be a way of setting up these devices with devicemapper (which is being used by docker, by the looks) but I've not been able to turn up much info on this.
For the time being, this solution will be okay for me - I'll just have to be careful to remember to umount the image when I'm finished with it.
I'm aware that this is far from a sane solution, so if anyone else can come up with a better plan I'm all ears.