Docker Community Forums


Unable to mount /sys inside the container with rw access in unprivileged mode

I need to mount /sys inside the container with rw access. In privileged mode it is mounted rw by default, but in unprivileged mode it is mounted ro.

Any idea how to get /sys mounted with rw access in unprivileged mode?

Belated answer but hope it helps.

For unprivileged containers (i.e., those without the --privileged flag), Docker mounts /sys in the container as read-only. I don’t believe there is a way to change this behavior.

Having said this, take a look at Sysbox. It is a new type of runc that integrates with Docker and creates "VM-like" containers. It mounts /sys as read-write because the containers are rootless and it is capable of emulating portions of /sys (as well as /proc).

For example:

$ docker run --runtime=sysbox-runc -it ubuntu

root@0553826001e3:/# mount | grep sysfs
sysfs on /sys type sysfs (rw,nosuid,nodev,noexec,relatime)

root@0553826001e3:/# cat /proc/self/uid_map 
         0     165536      65536

The first instruction shows sysfs is mounted as read-write, and the second shows the container is in rootless mode.

Hope that helps!
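The reply above checks two things by hand: the options on the sysfs mount and the contents of /proc/self/uid_map. The following is an added example, not code from the post or from the Sysbox project, that performs both checks by parsing those kernel files. The SAMPLE_* strings are constructed excerpts for an offline run (the mount IDs, overlay paths and the 165536 uid offset are illustrative); check_live() reads the real files when run inside a container.

```python
"""Report whether sysfs is mounted read-write and whether the caller is in a
user namespace, from /proc/self/mountinfo and /proc/self/uid_map."""
import re

# Constructed /proc/self/mountinfo excerpt for an ordinary (unprivileged)
# Docker container. Field layout per proc(5):
#   id parent maj:min root mountpoint per-mount-opts [optional...] - fstype source super-opts
SAMPLE_MOUNTINFO_RO = """\
1110 1093 0:182 / / rw,relatime - overlay overlay rw,lowerdir=/var/lib/docker/overlay2/l/ABC:/var/lib/docker/overlay2/l/DEF
1111 1110 0:185 / /proc rw,nosuid,nodev,noexec,relatime - proc proc rw
1113 1110 0:187 / /sys ro,nosuid,nodev,noexec,relatime - sysfs sysfs ro
1114 1113 0:188 / /sys/fs/cgroup ro,nosuid,nodev,noexec,relatime - tmpfs tmpfs ro,mode=755
"""

# Constructed excerpt for a container whose runtime mounts sysfs read-write
# (note the optional "shared:5" field before the separator).
SAMPLE_MOUNTINFO_RW = """\
1110 1093 0:182 / / rw,relatime - overlay overlay rw,lowerdir=/var/lib/docker/overlay2/l/ABC
1113 1110 0:187 / /sys rw,nosuid,nodev,noexec,relatime shared:5 - sysfs sysfs rw
"""

# /proc/self/uid_map: the initial user namespace is the identity map
# (a single line "0 0 4294967295"); anything else is a child user namespace.
SAMPLE_UID_MAP_HOST = "         0          0 4294967295\n"
SAMPLE_UID_MAP_USERNS = "         0     165536      65536\n"
INITIAL_USERNS_MAP = [(0, 0, 4294967295)]


def _unescape(field):
    """mountinfo encodes space, tab, newline and backslash as \\ooo octal."""
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), field)


def parse_mountinfo(text):
    """Yield (mountpoint, fstype, per-mount options) for each mountinfo line."""
    for line in text.splitlines():
        if not line.strip():
            continue
        left, sep, right = line.partition(" - ")
        lf, rf = left.split(), right.split()
        if not sep or len(lf) < 6 or not rf:
            continue  # malformed line: skip rather than guess
        yield _unescape(lf[4]), rf[0], lf[5].split(",")


def sysfs_mode(mountinfo_text):
    """'rw' or 'ro' for the sysfs mounted at /sys; None if there is none."""
    for mountpoint, fstype, opts in parse_mountinfo(mountinfo_text):
        if mountpoint == "/sys" and fstype == "sysfs":
            # The per-mount options carry the MNT_READONLY flag the kernel
            # enforces for this mount namespace, which is what `mount` prints.
            return "ro" if "ro" in opts else "rw"
    return None


def in_user_namespace(uid_map_text):
    """True unless uid_map is the identity map of the initial namespace.
    A child namespace that maps the full range identically is not
    distinguishable this way; compare /proc/self/ns/user inodes for that."""
    rows = [tuple(int(x) for x in line.split())
            for line in uid_map_text.splitlines() if line.strip()]
    return rows != INITIAL_USERNS_MAP


def check(mountinfo_text, uid_map_text):
    return {"sysfs": sysfs_mode(mountinfo_text),
            "user_namespace": in_user_namespace(uid_map_text)}


def check_live():
    """Run the same checks against the calling process's own files."""
    with open("/proc/self/mountinfo") as mi, open("/proc/self/uid_map") as um:
        return check(mi.read(), um.read())


if __name__ == "__main__":
    print("unprivileged docker:", check(SAMPLE_MOUNTINFO_RO, SAMPLE_UID_MAP_HOST))
    print("userns + rw sysfs:  ", check(SAMPLE_MOUNTINFO_RW, SAMPLE_UID_MAP_USERNS))
```

The check reports only what the kernel enforces for the current mount namespace: a read-write sysfs from a runtime that emulates parts of /sys (as the reply describes for Sysbox) and a read-write sysfs from a --privileged container both show "rw" here, and only the uid_map check tells the two apart.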

Steps to reproduce the issue:

1. Apply the pod YAML given below.
2. Observe that the container has sysfs mounted read-only despite being privileged.
Describe the results you received:

sysfs mounted as ro

Describe the results you expected:

sysfs mounted as rw

Output of containerd --version:

containerd github.com/containerd/containerd 1.2.5 bb71b10fd8f58240ca47fbb579b9d1028eea7c84
Output of uname -a:

The device in question is a BeagleBone Black.
Linux ads0903 4.19.25-ti-r11 #1bionic SMP PREEMPT Wed Feb 27 10:18:01 UTC 2019 armv7l armv7l armv7l GNU/Linux

Here are the pod YAML, the result of crictl inspect, and the output of the mount command run within the container.

Pod Yaml:

apiVersion: v1
kind: Pod
metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"v1","kind":"Pod","metadata":{"annotations":{},"labels":{"app":"modbus"},"name":"ads0903-modbus","namespace":"ascalia-prod","ownerReferences":[{"apiVersion":"ascalia.io/v1alpha1","blockOwnerDeletion":true,"controller":true,"kind":"Modbus","name":"ads0903","uid":"502a8764-5c46-11e9-a41a-525400d4e658"}]},"spec":{"containers":[{"args":["-c","/app/config.yaml"],"image":"git.krakensystems.co:4567/ascalia/drone-modbus:master-0c9935e6","imagePullPolicy":"IfNotPresent","name":"modbus","resources":{"limits":{"cpu":"100m","memory":"100M"},"requests":{"cpu":"10m","memory":"10M"}},"securityContext":{"privileged":true},"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","volumeMounts":[{"mountPath":"/app/config.yaml","name":"config","readOnly":true,"subPath":"config.yaml"},{"mountPath":"/dev/ttyO1","name":"tty"}]}],"dnsPolicy":"ClusterFirst","enableServiceLinks":true,"imagePullSecrets":[{"name":"git"}],"nodeName":"ads0903","priority":0,"restartPolicy":"Always","schedulerName":"default-scheduler","securityContext":{"runAsNonRoot":false},"serviceAccount":"default","serviceAccountName":"default","terminationGracePeriodSeconds":30,"tolerations":[{"effect":"NoExecute","key":"node.kubernetes.io/not-ready","operator":"Exists","tolerationSeconds":300},{"effect":"NoExecute","key":"node.kubernetes.io/unreachable","operator":"Exists","tolerationSeconds":300}],"volumes":[{"hostPath":{"path":"/dev/ttyO1","type":"CharDevice"},"name":"tty"},{"configMap":{"defaultMode":420,"name":"ads0903-modbus"},"name":"config"}]},"status":{"conditions":[{"lastProbeTime":null,"lastTransitionTime":"2019-04-17T13:03:11Z","status":"True","type":"Initialized"},{"lastProbeTime":null,"lastTransitionTime":"2019-04-17T13:03:21Z","status":"True","type":"Ready"},{"lastProbeTime":null,"lastTransitionTime":"2019-04-17T13:03:21Z","status":"True","type":"ContainersReady"},{"lastProbeTime":null,"lastTransitionTime":"2019-04-17T13:03:11Z","status":"True","type":"PodScheduled"}],"containerStatuses":[{"containerID":"containerd://327517806331baacd7b318ceeaa3857e872788ceb73f26f21956d98a0d19e48c","image":"git.krakensystems.co:4567/ascalia/drone-modbus:master-0c9935e6","imageID":"git.krakensystems.co:4567/ascalia/drone-modbus@sha256:e962486857cd12a99a58e7218464090b07a4d8db5505e22d1d61ee328bacff98","lastState":{},"name":"modbus","ready":true,"restartCount":0,"state":{"running":{"startedAt":"2019-04-17T13:03:20Z"}}}],"hostIP":"10.100.0.6","phase":"Running","podIP":"10.101.6.29","qosClass":"Burstable","startTime":"2019-04-17T13:03:11Z"}}
    kubernetes.io/psp: privileged
  creationTimestamp: "2019-04-17T13:27:39Z"
  labels:
    app: modbus
  name: ads0903-modbus
  namespace: ascalia-prod
  ownerReferences:
  - apiVersion: ascalia.io/v1alpha1
    blockOwnerDeletion: true
    controller: true
    kind: Modbus
    name: ads0903
    uid: 502a8764-5c46-11e9-a41a-525400d4e658
  resourceVersion: "6399389"
  selfLink: /api/v1/namespaces/ascalia-prod/pods/ads0903-modbus
  uid: 9259a5a5-6114-11e9-b2e1-52540046c7f4
spec:
  containers:
  - args:
    - -c
    - /app/config.yaml
    image: git.krakensystems.co:4567/ascalia/drone-modbus:master-0c9935e6
    imagePullPolicy: IfNotPresent
    name: modbus
    resources:
      limits:
        cpu: 100m
        memory: 100M
      requests:
        cpu: 10m
        memory: 10M
    securityContext:
      privileged: true
      procMount: Default
    terminationMessagePath: /dev/termination-log
    terminationMessagePolicy: File
    volumeMounts:
    - mountPath: /app/config.yaml
      name: config
      readOnly: true
      subPath: config.yaml
    - mountPath: /dev/ttyO1
      name: tty
  dnsPolicy: ClusterFirst
  enableServiceLinks: true
  imagePullSecrets:
  - name: git
  nodeName: ads0903
  priority: 0
  restartPolicy: Always
  schedulerName: default-scheduler
  securityContext:
    runAsNonRoot: false
  serviceAccount: default
  serviceAccountName: default
  terminationGracePeriodSeconds: 30
  tolerations:
  - effect: NoExecute
    key: node.kubernetes.io/not-ready
    operator: Exists
    tolerationSeconds: 300
  - effect: NoExecute
    key: node.kubernetes.io/unreachable
    operator: Exists
    tolerationSeconds: 300
  volumes:
  - hostPath:
      path: /dev/ttyO1
      type: CharDevice
    name: tty
  - configMap:
      defaultMode: 420
      name: ads0903-modbus
    name: config
status:
  conditions:
  - lastProbeTime: null
    lastTransitionTime: "2019-04-17T13:27:39Z"
    status: "True"
    type: Initialized
  - lastProbeTime: null
    lastTransitionTime: "2019-04-17T13:27:49Z"
    status: "True"
    type: Ready
  - lastProbeTime: null
    lastTransitionTime: "2019-04-17T13:27:49Z"
    status: "True"
    type: ContainersReady
  - lastProbeTime: null
    lastTransitionTime: "2019-04-17T13:27:39Z"
    status: "True"
    type: PodScheduled
  containerStatuses:
  - containerID: containerd://cabf8cd0b043948c372b159cff8bd770f7d59ab8b91d2cf58a57120347431bd8
    image: git.krakensystems.co:4567/ascalia/drone-modbus:master-0c9935e6
    imageID: git.krakensystems.co:4567/ascalia/drone-modbus@sha256:e962486857cd12a99a58e7218464090b07a4d8db5505e22d1d61ee328bacff98
    lastState: {}
    name: modbus
    ready: true
    restartCount: 0
    state:
      running:
        startedAt: "2019-04-17T13:27:48Z"
  hostIP: 10.100.0.6
  phase: Running
  podIP: 10.101.6.31
  qosClass: Burstable
  startTime: "2019-04-17T13:27:39Z"
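The pod above gets its writable /sys (when the runtime behaves) from `privileged: true`, and it also mounts a host device node read-write and allows uid 0. The following is an added example, not code from the issue or from the project, that audits a Pod manifest for exactly those settings. POD_JSON is the spec portion of the last-applied-configuration annotation above, re-typed with a reduced metadata block and without the status fields; the RISKY_CAPS list and the finding wording are this example's own. Pass the output of `kubectl get pod <name> -o json` to load_pod() for a real manifest.

```python
"""Flag pod settings that hand the container host-level access."""
import copy
import json

# Constructed from the issue's last-applied-configuration (spec only).
POD_JSON = r'''
{"apiVersion": "v1", "kind": "Pod",
 "metadata": {"name": "ads0903-modbus", "namespace": "ascalia-prod"},
 "spec": {
   "containers": [{
     "name": "modbus",
     "image": "git.krakensystems.co:4567/ascalia/drone-modbus:master-0c9935e6",
     "args": ["-c", "/app/config.yaml"],
     "securityContext": {"privileged": true},
     "volumeMounts": [
       {"mountPath": "/app/config.yaml", "name": "config", "readOnly": true, "subPath": "config.yaml"},
       {"mountPath": "/dev/ttyO1", "name": "tty"}]}],
   "securityContext": {"runAsNonRoot": false},
   "volumes": [
     {"hostPath": {"path": "/dev/ttyO1", "type": "CharDevice"}, "name": "tty"},
     {"configMap": {"defaultMode": 420, "name": "ads0903-modbus"}, "name": "config"}]}}
'''

# Added capabilities that give reach comparable to privileged (example's own list).
RISKY_CAPS = {"ALL", "SYS_ADMIN", "SYS_MODULE", "SYS_RAWIO", "SYS_PTRACE", "NET_ADMIN"}


def load_pod(text):
    return json.loads(text)


def audit_pod(pod):
    """Return a list of findings (strings); an empty list means nothing flagged."""
    findings = []
    spec = pod.get("spec", {})
    for key in ("hostPID", "hostIPC", "hostNetwork"):
        if spec.get(key):
            findings.append(f"pod: {key}=true")
    host_paths = {}  # volume name -> host path, for cross-checking mounts
    for vol in spec.get("volumes", []):
        if "hostPath" in vol:
            hp = vol["hostPath"]
            host_paths[vol["name"]] = hp.get("path")
            findings.append(f"volume {vol['name']}: hostPath {hp.get('path')} "
                            f"(type {hp.get('type', 'unset')})")
    containers = spec.get("containers", []) + spec.get("initContainers", [])
    for c in containers:
        sc = c.get("securityContext") or {}
        if sc.get("privileged"):
            findings.append(f"container {c['name']}: privileged=true "
                            "(all capabilities; runtime normally mounts /sys read-write)")
        if sc.get("procMount", "Default") != "Default":
            findings.append(f"container {c['name']}: procMount={sc['procMount']}")
        caps = set((sc.get("capabilities") or {}).get("add") or [])
        for cap in sorted(caps & RISKY_CAPS):
            findings.append(f"container {c['name']}: adds capability {cap}")
        for vm in c.get("volumeMounts", []):
            if vm["name"] in host_paths and not vm.get("readOnly"):
                findings.append(f"container {c['name']}: hostPath {host_paths[vm['name']]} "
                                f"mounted read-write at {vm['mountPath']}")
    # runAsNonRoot counts only if set at pod level or on every container.
    pod_nonroot = (spec.get("securityContext") or {}).get("runAsNonRoot")
    if not pod_nonroot and not all(
            (c.get("securityContext") or {}).get("runAsNonRoot") for c in containers):
        findings.append("pod: runAsNonRoot is not enforced (processes may run as uid 0)")
    return findings


def hardened_variant(pod):
    """Copy of the pod with privileged dropped, hostPath mounts read-only and
    runAsNonRoot enforced. This shows what the audit accepts; whether the
    workload still works without them (this one talks to a serial device and
    wants a writable /sys) is a separate question the manifest cannot answer."""
    p = copy.deepcopy(pod)
    spec = p.setdefault("spec", {})
    host_vols = {v["name"] for v in spec.get("volumes", []) if "hostPath" in v}
    for c in spec.get("containers", []):
        sc = c.get("securityContext") or {}
        sc["privileged"] = False
        c["securityContext"] = sc
        for vm in c.get("volumeMounts", []):
            if vm["name"] in host_vols:
                vm["readOnly"] = True
    psc = spec.get("securityContext") or {}
    psc["runAsNonRoot"] = True
    spec["securityContext"] = psc
    return p


if __name__ == "__main__":
    pod = load_pod(POD_JSON)
    for line in audit_pod(pod):
        print("FINDING:", line)
    print("after hardening:", audit_pod(hardened_variant(pod)))
```

For the manifest on this page the audit reports four findings: the hostPath volume, the privileged container, the read-write mount of /dev/ttyO1, and the absence of runAsNonRoot; the hardened copy still reports the hostPath volume, since a host device node is a host dependency no matter how it is mounted.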