
I want to use the mount command inside Docker (Kubernetes).

It is not allowed to use the mount option when building or starting a Docker container.

I didn't want to give privileged permission, so I added capabilities (SYS_ADMIN and MKNOD), but AppArmor seems to block mount, so I unconfined AppArmor and seccomp (not sure whether seccomp blocks mount).

I should only need to add SYS_ADMIN and MKNOD, but I added all capabilities (in case of other issues):

docker run -it --cap-add=ALL  --security-opt apparmor:unconfined --security-opt seccomp=unconfined ubuntu bash

After entering the Docker container, I tried these commands, but I still couldn't mount:

mknod /dev/loop0 b 7 0
dd if=/dev/zero of=./test.img bs=1G count=1
mkfs.ext4 test.img
mkdir /home/worker/test
mount -o loop,ro test.img /home/worker/test
mount: /home/worker/test: mount failed: Operation not permitted.

I couldn't guess any more reasons why mount is blocked. I searched and found some mount examples, and I succeeded with mount --bind using those Docker options, but bind mounting and mounting (with the loopback option) are obviously different.

What should I see more?

Kyroo0

  • Why do you actually want to do this? In a Kubernetes context, I'd normally expect mounts to be managed by the cluster infrastructure, and then mounted in your pod spec. If you can call mount(2) then, among other things, you can create a bind mount that would let you compromise the host. – David Maze Jul 22 '22 at 10:19
  • @DavidMaze Creating the Pod and the mounting process should be separated. Users could mount if they want, so I am finding ways to mount inside a pod. I know it could be critical to the node, but I still need mounting inside the pod. – Kyroo0 Jul 25 '22 at 01:03
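The question lists three controls that can stop mount(2) in a container (capabilities, AppArmor, seccomp) and one prerequisite it glosses over (the loop driver). The script below is an added diagnostic, not code from the question or from Docker/Kubernetes: run inside the container it reports, from the container's own point of view, which of those controls are actually in effect. It reads only standard Linux interfaces (the CapEff and Seccomp lines of /proc/self/status, the LSM label in /proc/self/attr/current, and the /dev/loop-control node); the helper names, messages and the "required capabilities" list (CAP_SYS_ADMIN for mount(2), CAP_MKNOD for the mknod step) are this example's own choices.

```shell
#!/bin/sh
# Added diagnostic for the loop-mount problem above; not code from the question.
# Reads standard Linux interfaces only; helper names and messages are this
# example's own.

# Capability bit numbers from <linux/capability.h>.
CAP_SYS_ADMIN=21
CAP_MKNOD=27

# field_of FILE KEY: value of the "KEY:<tab>value" line of a /proc status file.
field_of() {
    awk -v key="$2:" '$1 == key { print $2; exit }' "$1"
}

# cap_set MASK BIT: prints yes if bit BIT is set in the hex capability mask MASK.
cap_set() {
    mask=$1; bit=$2
    [ -n "$mask" ] || { echo no; return 0; }
    if [ $(( (0x$mask >> $bit) & 1 )) -eq 1 ]; then echo yes; else echo no; fi
}

# caps_missing STATUSFILE: the capabilities the loop-mount recipe needs that are
# absent from the effective set (CapEff), space separated; empty when all present.
caps_missing() {
    mask=$(field_of "$1" CapEff)
    missing=""
    [ "$(cap_set "$mask" $CAP_SYS_ADMIN)" = yes ] || missing="$missing CAP_SYS_ADMIN"
    [ "$(cap_set "$mask" $CAP_MKNOD)" = yes ] || missing="$missing CAP_MKNOD"
    echo "${missing# }"
}

# seccomp_mode STATUSFILE: 0 = no seccomp, 1 = strict, 2 = filter. Docker's
# default profile is a filter, so "2" by itself does not prove mount is blocked.
seccomp_mode() {
    field_of "$1" Seccomp
}

# lsm_label ATTRFILE: the process's AppArmor/SELinux label, for example
# "docker-default (enforce)" or "unconfined"; empty if no LSM exposes one.
lsm_label() {
    [ -r "$1" ] && tr -d '\000\n' < "$1" 2>/dev/null || true
}

# lsm_confined ATTRFILE: "no" when the label is empty or unconfined, else "yes".
lsm_confined() {
    case "$(lsm_label "$1")" in
        ""|unconfined*) echo no ;;
        *) echo yes ;;
    esac
}

# diagnose: report on the live process. Run it inside the container right
# before `mount -o loop`; every "missing"/"confined: yes" line is a candidate blocker.
diagnose() {
    if [ ! -r /proc/self/status ]; then
        echo "no /proc/self/status: not a Linux process"
        return 0
    fi
    missing=$(caps_missing /proc/self/status)
    if [ -z "$missing" ]; then
        echo "capabilities: CAP_SYS_ADMIN and CAP_MKNOD are effective"
    else
        echo "capabilities: missing $missing"
    fi
    echo "seccomp mode: $(seccomp_mode /proc/self/status) (0 = off, 2 = filter)"
    echo "LSM label: $(lsm_label /proc/self/attr/current) (confined: $(lsm_confined /proc/self/attr/current))"
    # `mknod /dev/loop0 b 7 0` only creates a device file; the loop driver must be
    # loaded on the host for it to be usable, and /dev/loop-control (which
    # mount -o loop uses to find a free device) only exists once it is.
    if [ -c /dev/loop-control ]; then
        echo "loop driver: /dev/loop-control present"
    else
        echo "loop driver: /dev/loop-control absent (loop module not loaded on the host, or node not exposed to the container)"
    fi
}

diagnose
```

Two caveats when reading the report. First, the docker run flags in the question do not carry over to a pod: inside Kubernetes the capabilities come from the container's securityContext.capabilities.add, seccomp from securityContext.seccompProfile, and AppArmor from the container.apparmor.security.beta.kubernetes.io/<container> annotation (or the newer appArmorProfile field), so run the diagnostic in the pod itself rather than in a docker run test on the node. Second, "Operation not permitted" from mount can come from any one of the three controls or from the kernel refusing the loop device, which is why the script prints all four findings instead of stopping at the first.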

0 Answers