I am trying to set up a systemd-nspawn container so I can experiment with building different Google Cloud Platform Arch Linux images without adding extra packages to my Arch system. The build-arch-gce script uses losetup to create a temporary loop device to build an image. After setting up a container using machinectl (i.e. using namespacing) and running the script inside it, I got the following error:
losetup: cannot find an unused loop device
This is because device nodes cannot be created within the container by default. A note on the systemd-nspawn man page:
systemd-nspawn limits access to various kernel interfaces in the container to read-only, such as /sys, /proc/sys or /sys/fs/selinux. Network interfaces and the system clock may not be changed from within the container. Device nodes may not be created. The host system cannot be rebooted and kernel modules may not be loaded from within the container.
Looking on the web I found a similar issue at loop device in a Linux container? - Server Fault. It recommends adding the CAP_MKNOD capability in order to be able to create loop devices. Since I use machinectl, I added the capability to my .nspawn file:
/etc/systemd/nspawn/gcloud.nspawn
---
[Exec]
Capability=CAP_MKNOD
[Network]
VirtualEthernet=on
Restarting the container and trying sudo ./build-arch-gce gave me the same error:
losetup: cannot find an unused loop device
Checking for capabilities with sudo pscap inside the container I can see mknod and even sys_admin, so the capability seems to have been added. Then I tried to create a loop device:
# mknod /dev/loop0 b 7 0
mknod: /dev/loop0: Operation not permitted
I looked a bit further and found another person on StackOverflow who noted that in addition to giving --capability=CAP_MKNOD he had to set DeviceAllow=block-loop rwm in the systemd-nspawn unit to make it work:
# systemctl edit systemd-nspawn@gcloud
---
DeviceAllow=/dev/loop-control rwm
DeviceAllow=block-loop rwm
DeviceAllow=block-blkext rwm
# systemctl daemon-reload
Unfortunately, that didn't help either. Permissions were still not given to create a loop device.
I also tried bind mounting /dev/loop-control, but since the systemd-nspawn@ template contains the -U option to turn on user namespaces, it makes rw bind mounts almost impossible, so even in case of success a read-only loop device won't be of much use.
Is there something I am missing here? Any advice or guidance would be much appreciated!
Last edited by romstor (2022-04-11 02:52:40)
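An added diagnostic (not from the post or from systemd) that checks, from inside the container, the two things the post is stuck on: whether CAP_MKNOD is actually in the effective capability set (decoded from the CapEff hex mask in /proc/self/status, the same data pscap reads) and whether /dev/loop-control exists and can be opened read-write, which is what the DeviceAllow= device cgroup governs. The capability bit numbers are the kernel's stable ABI values; the status text in the test is constructed.

```python
import os
from pathlib import Path

# Capability bit numbers from linux/capability.h (stable kernel ABI values).
CAP_BITS = {"cap_mknod": 27, "cap_sys_admin": 21, "cap_dac_override": 1}


def parse_cap_mask(status_text: str, field: str = "CapEff") -> int:
    """Return the 64-bit capability bitmask for `field` (e.g. CapEff)
    from the text of /proc/<pid>/status."""
    for line in status_text.splitlines():
        if line.startswith(field + ":"):
            return int(line.split(":", 1)[1].strip(), 16)
    raise ValueError(f"{field} not present in status text")


def caps_in_mask(mask: int) -> set:
    """Names from CAP_BITS whose bit is set in `mask`."""
    return {name for name, bit in CAP_BITS.items() if (mask >> bit) & 1}


def loop_setup_blockers(status_text: str, dev_dir: str = "/dev") -> list:
    """List the reasons losetup/mknod would fail in this environment.

    Two independent layers must both allow it: the effective capability
    set (mknod of a block node needs CAP_MKNOD) and the device cgroup
    (DeviceAllow= in the unit), which gates open() of /dev/loop-control
    even when the capability is present."""
    problems = []
    eff = caps_in_mask(parse_cap_mask(status_text, "CapEff"))
    if "cap_mknod" not in eff:
        problems.append("CAP_MKNOD not effective: mknod of /dev/loopN will fail")
    ctl = Path(dev_dir) / "loop-control"
    if not ctl.exists():
        problems.append("/dev/loop-control missing: losetup cannot allocate a device")
    else:
        try:
            os.close(os.open(ctl, os.O_RDWR))
        except PermissionError:
            problems.append("/dev/loop-control not writable: device cgroup (DeviceAllow=)")
    return problems


if __name__ == "__main__":
    status = Path("/proc/self/status").read_text()
    print("effective caps of interest:", sorted(caps_in_mask(parse_cap_mask(status))))
    for p in loop_setup_blockers(status):
        print("blocker:", p)
```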
bump
Hitchhacker's Guide to the Galaxy: “Nothing travels faster than the speed of light with the possible exception of bad news, which obeys its own special laws.”
If you didn't know you are backdoored, you are backdoored.
Don't do that...
https://wiki.archlinux.org/title/Genera … es#Bumping