/dev/loop* in systemd-nspawn
(too old to reply)
Miroslav Suchý
2017-08-22 08:54:21 UTC
Raw Message
is there a reason why systemd-nspawn does not create /dev/loop* files in container?
I am asking because of:

Lennart Poettering
2017-08-28 14:56:08 UTC
Raw Message
Post by Miroslav Suchý
is there a reason why systemd-nspawn does not create /dev/loop* files in container?
Well, block devices (and specifically loopback devices) aren't
properly virtualized for containers on Linux. Loopback devices live in
a single logical namespace, and are somewhat dynamic in character (due
to /dev/loop-control), which doesn't fit the namespaced container
concept well. Moreover block devices are not virtualizes in /sys,
hence discovery for them falls completely flat in containers.

We'd be happy to support them if the kernel would virtualize them
properly, but until then doing loopback devices in containers is both
a security hole and a messy API borkage I fear...

There were patches to permit multiple instances of /dev/loop-control
and friends to the kernel, but to my knowledge that never went

A hackish way out is to bind a specific device into the container via
--bind=/dev/loop7, but that's not more than a hack, since that means
the loopback device API is supported only partially, as the container
couldn't allocate new block devices and the device is never properly
"owned" by the container, as there simply is not container
concept. Moreover, code in the container can't really discover this
device automatically, since as mentioned /sys isn't virtualized.

Lennart Poettering, Red Hat