Is it possible to mount an ISO inside a docker container? [closed]

I am using a docker container (based on the official centos:6.4 image) to build an ISO which I then need to mount and verify. I am unable to mount the ISO using:

sudo mount -o loop /path/to/iso /mnt

Gives:

mount: Could not find any loop device. Maybe this kernel does not know
   about the loop device? (If so, recompile or `modprobe loop'.)

It looks like the kernel has been compiled without loop device support. Is it possible to build docker images which support loop devices? I couldn't find any information on this, however, looking at this thread it seems that this may be an ongoing topic.

I wonder if there is a way to circumvent this limitation?

pxul asked Feb 25 '14 23:02



2 Answers

To mount an ISO inside a container, you need two things:

  • access to loop devices,
  • permission to mount filesystems.

By default, Docker locks down both things; that's why you get that error message.

The easiest solution is to start the container in privileged mode:

docker run --privileged ...

A more fine-grained solution is to dive down into the devices cgroup and container capabilities to give the required permissions.

Note that you cannot execute privileged operations as part of a Dockerfile; i.e. if you need to mount that ISO in a Dockerfile, you won't be able to do it.

However, I recommend that you have a look at Xorriso and specifically the osirrox tool, which lets you extract files from ISO images just like you would extract a tar file, without requiring any kind of special access, e.g.:

osirrox -indev /path/to/iso -extract / /full-iso-contents
jpetazzo answered Sep 23 '22 13:09
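As an added example (not part of the answer above, and not how osirrox itself is implemented): an ISO 9660 image is an ordinary file, so a build container can check its volume label and root-directory contents from user space, with no loop device and no mount permission. The sample image, file names and function names are constructed for illustration; only the root directory of a plain ISO 9660 image is read (no Rock Ridge or Joliet names, no subdirectories).

```python
import struct

SECTOR = 2048  # logical block size of the constructed sample image

def _both(n, fmt):  # ISO 9660 "both-endian" field: little-endian copy, then big-endian
    return struct.pack("<" + fmt, n) + struct.pack(">" + fmt, n)

def _dir_record(name, lba, size, flags):
    """Directory record: 33 fixed bytes, the name, one pad byte if name length is even."""
    body = (b"\x00" + _both(lba, "I") + _both(size, "I") + bytes(7) + bytes([flags, 0, 0])
            + _both(1, "H") + bytes([len(name)]) + name + bytes(1 - len(name) % 2))
    return bytes([len(body) + 1]) + body

def build_sample_iso():
    """Constructed image: PVD at sector 16, root dir at 18, two files after it."""
    files = [(b"README.TXT;1", b"hello\n"), (b"SUMS.TXT;1", b"constructed\n")]
    dot = _dir_record(b"\x00", 18, SECTOR, 2)
    root, data = dot + _dir_record(b"\x01", 18, SECTOR, 2), b""
    for i, (name, content) in enumerate(files):
        root += _dir_record(name, 19 + i, len(content), 0)
        data += content.ljust(SECTOR, b"\x00")
    # PVD offsets: 0 type + "CD001", 40 volume id, 128 block size, 156 root record
    pvd = b"\x01CD001\x01" + bytes(33) + b"BUILD_OUTPUT".ljust(32) + bytes(56)
    pvd = (pvd + _both(SECTOR, "H") + bytes(24) + dot).ljust(SECTOR, b"\x00")
    term = b"\xffCD001\x01".ljust(SECTOR, b"\x00")  # volume descriptor set terminator
    return bytes(16 * SECTOR) + pvd + term + root.ljust(SECTOR, b"\x00") + data

def read_iso_root(image):
    """Return (volume_id, {filename: bytes}) parsed directly from image bytes."""
    pvd = image[16 * SECTOR:17 * SECTOR]
    if pvd[:6] != b"\x01CD001":
        raise ValueError("no ISO 9660 primary volume descriptor at sector 16")
    block = struct.unpack_from("<H", pvd, 128)[0]
    lba, size = struct.unpack_from("<I4xI", pvd, 156 + 2)  # root dir extent, length
    pos, end, files = lba * block, lba * block + size, {}
    if end > len(image):
        raise ValueError("root directory extends past end of image")
    while pos < end:
        rec_len = image[pos]
        if rec_len == 0:  # zero padding: records never cross a block boundary
            pos = (pos // block + 1) * block
            continue
        ext, length = struct.unpack_from("<I4xI", image, pos + 2)
        flags, name_len = image[pos + 25], image[pos + 32]
        if not flags & 2:  # bit 1 marks directories, including '.' and '..'
            name = image[pos + 33:pos + 33 + name_len].decode("ascii")
            files[name.split(";")[0]] = image[ext * block:ext * block + length]
        pos += rec_len
    return pvd[40:72].decode("ascii").rstrip(), files
```

For a real build, pass the bytes of the generated image (for example `open(path, "rb").read()`) to `read_iso_root` and compare the returned names and contents against what the build was supposed to produce.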


I have a feeling this is not a good way to solve my issue, but this is what I have done for the time being, until a more sane idea presents itself.

My container starts into bash; from this shell I am able to add loop devices using:

# mknod /dev/loop0 -m0660 b 7 0
# mknod /dev/loop1 -m0660 b 7 1
...
# mknod /dev/loop9 -m0660 b 7 9

and now, I have loop devices available, so I am able to mount an ISO. However, I noticed that the first available loop device for me was /dev/loop2:

bash-4.1# losetup -f
/dev/loop2

This implies that loop0 and loop1 are already in use; this is confirmed by:

bash-4.1# losetup -a
/dev/loop0: [fd00]:1978974 (/dev/loop0)
/dev/loop1: [fd00]:1978975 (/dev/loop1)
/dev/loop2: [fd00]:2369514 (/path/to/my/iso)

and, this is why I think this solution is bad, from outside the container:

12:36:02 $ losetup -a
/dev/loop0: []: (/var/lib/docker/devicemapper/devicemapper/data)
/dev/loop1: []: (/var/lib/docker/devicemapper/devicemapper/metadata)
/dev/loop2: []: (/path/to/my/iso)

So it looks like the first 2 loop devices I created in the container mapped to loop0 and loop1 outside of the container, which is why they were not available for use. I guess there must be a way of setting up these devices with devicemapper (which is being used by docker, by the looks) but I've not been able to turn up much info on this.

For the time being, this solution will be okay for me - I'll just have to be careful to remember to umount the image when I'm finished with it.

I'm aware that this is far from a sane solution, so if anyone else can come up with a better plan I'm all ears.

pxul answered Sep 25 '22 13:09