1 Look up the block device numbers (major, minor) of the physical disk and partition to be mounted
Query the disk:
ls -al /dev/sdb

brw-rw---- 1 root disk 8, 16 Apr 29 10:58 /dev/sdb

Query the partition:
ls -al /dev/sdb1

brw-rw---- 1 root disk 8, 17 Apr 29 10:58 /dev/sdb1

The fields after the group name are the major and minor device numbers: sdb is 8:16 and sdb1 is 8:17. These are needed for the cgroup device rules and the mknod calls below.


2 Change the LXC mount permissions
Add an AppArmor profile by copying the stock profile that already permits mounting:
cp /etc/apparmor.d/lxc/lxc-default-with-mounting /etc/apparmor.d/lxc/lxc-default-blk-mounting

Edit the newly created file so that it contains the following (note that the profile name declared inside the file is what the container config refers to later):
nano /etc/apparmor.d/lxc/lxc-default-blk-mounting

# Do not load this file. Rather, load /etc/apparmor.d/lxc-containers, which
# will source all profiles under /etc/apparmor.d/lxc

profile lxc-default-blk-mounting flags=(attach_disconnected,mediate_deleted) {
  #include <abstractions/lxc/container-base>

  # allow standard block device types.
  # The concern here is in-kernel superblock parsers bringing down the
  # host with bad data. However, we continue to disallow proc, sys, securityfs,
  # etc to nonstandard locations.
  # deny mount fstype=devpts,
  # mount fstype=cgroup -> /sys/fs/cgroup/**,
  mount fstype=ext*,
  mount fstype=xfs,
  mount fstype=btrfs,
}


3 Edit the LXC configuration file
Add the following lines to the container's configuration:
lxc.apparmor.profile: lxc-default-blk-mounting
lxc.cgroup2.devices.allow: b 8:16 rwm
lxc.cgroup2.devices.allow: b 8:17 rwm
lxc.autodev: 1
lxc.hook.autodev: /var/lib/lxc/101/mount_hook.sh

Here 8:16 and 8:17 are the device numbers obtained in step 1 above.
The hook script /var/lib/lxc/101/mount_hook.sh does not exist yet; create it and make it executable as follows:
nano /var/lib/lxc/101/mount_hook.sh

Write the following into it:
#!/bin/sh
# LXC autodev hook: runs after the container's /dev has been populated, with
# LXC_ROOTFS_MOUNT pointing at the container rootfs as mounted on the host.
# Create the block device nodes using the major/minor numbers from step 1.
mknod -m 777 "${LXC_ROOTFS_MOUNT}/dev/sdb" b 8 16
mknod -m 777 "${LXC_ROOTFS_MOUNT}/dev/sdb1" b 8 17

Make it executable:
chmod +x /var/lib/lxc/101/mount_hook.sh
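The three steps above, as an added example that is not part of the original post: a POSIX sh script that derives the major:minor numbers from `ls -l` output, emits the matching `lxc.cgroup2.devices.allow` and hook lines, and cross-checks that the profile name referenced by `lxc.apparmor.profile` is the one actually declared in the AppArmor file (a mismatch is a common reason the container fails to start). The `ls -l` lines, the config fragment and the profile fragment are constructed samples; container id 101, the device paths and the profile name are the ones used in the post. The generated hook uses mode 660 instead of the post's 777, since 777 lets every user inside the container read and write the raw disk.

```shell
#!/bin/sh
# Added example, not the original post's code. Derives LXC device rules and an
# autodev hook from `ls -l` output and checks the AppArmor profile name.

# Constructed sample of `ls -al /dev/sdb` and `ls -al /dev/sdb1` output.
SAMPLE_LS='brw-rw---- 1 root disk 8, 16 Apr 29 10:58 /dev/sdb
brw-rw---- 1 root disk 8, 17 Apr 29 10:58 /dev/sdb1'

# Constructed container config fragment (values as in the post).
SAMPLE_CONF='lxc.apparmor.profile: lxc-default-blk-mounting
lxc.cgroup2.devices.allow: b 8:16 rwm
lxc.cgroup2.devices.allow: b 8:17 rwm
lxc.autodev: 1
lxc.hook.autodev: /var/lib/lxc/101/mount_hook.sh'

# Constructed minimal AppArmor profile fragment with the post's profile name.
SAMPLE_PROFILE='profile lxc-default-blk-mounting flags=(attach_disconnected,mediate_deleted) {
  #include <abstractions/lxc/container-base>
  mount fstype=ext*,
}'

# Print MAJOR:MINOR for one `ls -l` line. Only block devices (mode starts
# with "b") are accepted, so a regular file such as a disk image is rejected
# instead of silently turning its size into a device rule.
major_minor_from_ls() {
    printf '%s\n' "$1" | awk '
        $1 ~ /^b/ { sub(",", "", $5); print $5 ":" $6; found = 1 }
        END { exit found ? 0 : 1 }'
}

# cgroup2 rule for a block device: read, write and mknod, as in the post.
devices_allow_line() {
    printf 'lxc.cgroup2.devices.allow: b %s rwm\n' "$1"
}

# mknod line for the autodev hook; "8:16" becomes "b 8 16".
# Mode 660 here (the post uses 777, which exposes the raw disk to all users).
hook_line() {
    dev="$1"; mm="$2"
    printf 'mknod -m 660 "${LXC_ROOTFS_MOUNT}"%s b %s\n' \
        "$dev" "$(printf '%s' "$mm" | tr ':' ' ')"
}

# Build the config fragment: profile line, one device rule per block device
# found in the `ls -l` text ($2), then the autodev settings.
generate_config() {
    printf 'lxc.apparmor.profile: %s\n' "$1"
    printf '%s\n' "$2" | while IFS= read -r line; do
        mm=$(major_minor_from_ls "$line") || continue
        devices_allow_line "$mm"
    done
    printf 'lxc.autodev: 1\nlxc.hook.autodev: /var/lib/lxc/101/mount_hook.sh\n'
}

# Build the hook script body from the `ls -l` text ($1).
generate_hook() {
    printf '#!/bin/sh\n'
    printf '%s\n' "$1" | while IFS= read -r line; do
        mm=$(major_minor_from_ls "$line") || continue
        dev=${line##* }          # last field of the ls line is the device path
        hook_line "$dev" "$mm"
    done
}

# Name declared by the first "profile NAME ..." line of an AppArmor file.
profile_name_in_file() {
    sed -n 's/^[[:space:]]*profile[[:space:]][[:space:]]*\([^[:space:]]*\).*/\1/p' "$1" | head -n 1
}

# Succeeds only when lxc.apparmor.profile in the config ($1) names the
# profile declared in the AppArmor file ($2).
check_profile_matches() {
    want=$(sed -n 's/^lxc\.apparmor\.profile:[[:space:]]*//p' "$1")
    have=$(profile_name_in_file "$2")
    [ -n "$want" ] && [ "$want" = "$have" ]
}

# Stand-alone demo on the constructed samples.
generate_config lxc-default-blk-mounting "$SAMPLE_LS"
echo '---'
generate_hook "$SAMPLE_LS"
demo_dir=$(mktemp -d)
printf '%s\n' "$SAMPLE_CONF" > "$demo_dir/101.conf"
printf '%s\n' "$SAMPLE_PROFILE" > "$demo_dir/lxc-default-blk-mounting"
if check_profile_matches "$demo_dir/101.conf" "$demo_dir/lxc-default-blk-mounting"; then
    echo "profile name in config matches the AppArmor file"
else
    echo "profile name mismatch" >&2
fi
rm -rf "$demo_dir"
```

On a real host, replace `SAMPLE_LS` with the output of `ls -l /dev/sdb /dev/sdb1` and point `check_profile_matches` at the container config and at /etc/apparmor.d/lxc/lxc-default-blk-mounting. After editing the profile, reload it with `apparmor_parser -r /etc/apparmor.d/lxc-containers` (the file the profile header says to load) before starting the container.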

Posted on 2024-03-19 15:55 by dekill