I'm trying to set up a MaaS server inside an LXC container.
When I import the PXE files, it needs to be able to mount loop devices.
I've already set the following options in the container's config file to allow loop mounts, but I'm missing something.
lxc.cgroup.devices.allow = b 7:* rwm
lxc.cgroup.devices.allow = c 10:237 rwm
Because the script cannot loop-mount the file, the following error appears:
mount: cannot mount block device /dev/loop0 read-only
Wed, 13 Nov 2013 07:26:41 +0000: failed to mount /var/lib/maas/ephemeral/precise/ephemeral/i386/20131010/disk.img
Traceback (most recent call last):
File "/usr/sbin/maas-import-ephemerals", line 26, in <module>
main(args)
File "/usr/lib/python2.7/dist-packages/provisioningserver/import_images/ephemerals_script.py", line 428, in main
target.sync(source, args.path)
File "/usr/lib/python2.7/dist-packages/simplestreams/mirrors/__init__.py", line 85, in sync
return self.sync_index(reader, path, data, content)
File "/usr/lib/python2.7/dist-packages/simplestreams/mirrors/__init__.py", line 237, in sync_index
self.sync(reader, path=epath)
File "/usr/lib/python2.7/dist-packages/simplestreams/mirrors/__init__.py", line 83, in sync
return self.sync_products(reader, path, data, content)
File "/usr/lib/python2.7/dist-packages/simplestreams/mirrors/__init__.py", line 315, in sync_products
self.insert_item(item, src, target, pgree, ipath_cs)
File "/usr/lib/python2.7/dist-packages/provisioningserver/import_images/ephemerals_script.py", line 251, in insert_item
self.extract_item(path, flat)
File "/usr/lib/python2.7/dist-packages/provisioningserver/import_images/ephemerals_script.py", line 295, in extract_item
tarball, target_dir, temp_location=self._simplestreams_path())
File "/usr/lib/python2.7/dist-packages/provisioningserver/import_images/ephemerals_script.py", line 124, in extract_image_tarball
call_uec2roottar(image, os.path.join(target_dir, 'dist-root.tar.gz'))
File "/usr/lib/python2.7/dist-packages/provisioningserver/import_images/ephemerals_script.py", line 97, in call_uec2roottar
subprocess.check_call(["uec2roottar"] + list(args))
File "/usr/lib/python2.7/subprocess.py", line 540, in check_call
raise CalledProcessError(retcode, cmd)
subprocess.CalledProcessError: Command '[u'uec2roottar', u'/var/lib/maas/ephemeral/precise/ephemeral/i386/20131010/disk.img', u'/var/lib/maas/ephemeral/precise/ephemeral/i386/20131010/dist-root.tar.gz']' returned non-zero exit status 1
root@maaslxc2:~# mount /dev/loop0 /mnt
mount: block device /dev/loop0 is write-protected, mounting read-only
mount: cannot mount block device /dev/loop0 read-only
So what do I need to change in the container's configuration to allow it to mount loop devices? It seems this isn't just a MaaS problem but a limitation that will cause trouble for anything that needs to loop-mount files inside an LXC container (not only MaaS).
Answer 1
The problem you're running into is related to AppArmor. 'dmesg' will probably show you something like this:
[ 4822.366235] type=1400 audit(1384973058.254:52): apparmor="DENIED" operation="mount"
info="failed type match" error=-13 parent=1272 profile="lxc-container-default"
name="/mnt/" pid=1273 comm="mount" fstype="ext4" srcname="/dev/loop0/" flags="ro"
You can allow an LXC container to mount ext2, ext3 or ext4 filesystems in one of two ways. The simplest is to add the following to the lxc config (/var/lib/lxc/$NAME/config):
lxc.aa_profile = unconfined
lxc.cgroup.devices.allow = b 7:* rwm
lxc.cgroup.devices.allow = c 10:237 rwm
A more restrictive solution that still grants the necessary permissions is to do the following:
$ sudo tee /etc/apparmor.d/lxc/lxc-custom-mounts <<EOF
# copied and modified from /etc/apparmor.d/lxc/lxc-default
profile lxc-container-extx-mounts flags=(attach_disconnected,mediate_deleted) {
#include <abstractions/lxc/container-base>
mount fstype=ext4 -> /**,
mount fstype=ext3 -> /**,
mount fstype=ext2 -> /**,
}
EOF
# reload the lxc-containers profile
$ sudo apparmor_parser --replace /etc/apparmor.d/lxc-containers
$ sudo lxc-create -t ubuntu-cloud -n source-saucy-amd64 -- --release=saucy --arch=amd64
$ name="test1"
$ cfg=/var/lib/lxc/$name/config;
$ sudo lxc-clone -o source-saucy-amd64 -n "$name"
## modify the config to use the profile created above
$ sudo grep "#allow-loop" "$cfg" || sudo tee -a "$cfg" <<EOF
#allow-loop
lxc.aa_profile = lxc-container-extx-mounts
lxc.cgroup.devices.allow = b 7:* rwm
lxc.cgroup.devices.allow = c 10:237 rwm
EOF
Then you can verify that it works inside the container with something as simple as:
$ truncate --size 100M my.img
$ mkfs.ext4 -F my.img
$ sudo mount -o loop,ro my.img /mnt
$ ls /mnt
lost+found
$ sudo umount /mnt
I just opened bug 1257389 to address this. Hopefully maas-import-ephemerals will work inside a container soon.
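As an added example (not part of the original question or answer), the following shell function audits a container config for the two loop device rules and the `lxc.aa_profile` setting described above, flagging the `unconfined` shortcut as the weak variant and the named `lxc-container-extx-mounts` profile as the confined one. The sample configs it runs against are constructed inline; the function and its return codes are this example's own convention, not part of lxc.

```shell
#!/bin/sh
# Added example: audit an LXC container config for the loop-mount settings
# discussed above. Return codes (this script's own convention):
#   0 = loop devices allowed and a named (confined) AppArmor profile is set
#   1 = loop devices allowed but the container runs unconfined (weak)
#   2 = one or both loop device rules are missing
#   3 = loop devices allowed but no aa_profile set (default profile denies ext* mounts)
check_lxc_loop_config() {
  cfg="$1"
  rc=0
  grep -Eq '^lxc\.cgroup\.devices\.allow *= *b 7:\* rwm' "$cfg" \
    || { echo "$cfg: missing rule for loop block devices (b 7:* rwm)"; rc=2; }
  grep -Eq '^lxc\.cgroup\.devices\.allow *= *c 10:237 rwm' "$cfg" \
    || { echo "$cfg: missing rule for /dev/loop-control (c 10:237 rwm)"; rc=2; }
  # The last assignment wins, as in the lxc config format.
  profile=$(sed -n 's/^lxc\.aa_profile *= *//p' "$cfg" | tail -n 1)
  case "$profile" in
    "")         echo "$cfg: no lxc.aa_profile; lxc-container-default denies ext2/3/4 mounts"
                [ "$rc" -eq 0 ] && rc=3 ;;
    unconfined) echo "$cfg: WEAK: aa_profile=unconfined disables AppArmor for this container"
                [ "$rc" -eq 0 ] && rc=1 ;;
    *)          echo "$cfg: ok: confined by profile '$profile'" ;;
  esac
  return "$rc"
}

# Constructed sample configs standing in for /var/lib/lxc/$NAME/config.
demo_dir=$(mktemp -d)
cat > "$demo_dir/weak" <<'EOF'
lxc.aa_profile = unconfined
lxc.cgroup.devices.allow = b 7:* rwm
lxc.cgroup.devices.allow = c 10:237 rwm
EOF
cat > "$demo_dir/good" <<'EOF'
#allow-loop
lxc.aa_profile = lxc-container-extx-mounts
lxc.cgroup.devices.allow = b 7:* rwm
lxc.cgroup.devices.allow = c 10:237 rwm
EOF
cat > "$demo_dir/incomplete" <<'EOF'
lxc.cgroup.devices.allow = b 7:* rwm
EOF
for f in weak good incomplete; do
  check_lxc_loop_config "$demo_dir/$f" || true
done
rm -rf "$demo_dir"
```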