
Is it possible to mount an ISO inside a docker container? [closed]


To mount an ISO inside a container, you need two things:

  • access to loop devices,
  • permission to mount filesystems.

By default, Docker locks down both things; that's why you get that error message.

The easiest solution is to start the container in privileged mode:

docker run --privileged ...

A more fine-grained solution is to dive down into the devices cgroup and container capabilities to give the required permissions.

Note that you cannot execute privileged operations as part of a Dockerfile; i.e. if you need to mount that ISO in a Dockerfile, you won't be able to do it.

However, I recommend that you have a look at Xorriso and specifically the osirrox tool, which lets you extract files from ISO images just like you would extract a tar file, without requiring any kind of special access, e.g.:

osirrox -indev /path/to/iso -extract / /full-iso-contents
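
An added example, not part of the answer above: a preflight script to run inside the container that checks the two prerequisites the answer lists, the mount permission (CAP_SYS_ADMIN, bit 21 of the CapEff mask) and usable loop devices. The function names are hypothetical, and the `docker run` flags in the comment are one way to grant only those two things instead of `--privileged`.

```shell
#!/bin/sh
# Added example: run inside the container to see which prerequisite is missing.
# Narrower host-side alternative to --privileged (CAP_SYS_ADMIN is still broad):
#   docker run --cap-add SYS_ADMIN --device /dev/loop0 ...
CAP_SYS_ADMIN=21   # bit number from <linux/capability.h>

# has_cap MASK_HEX BIT: succeeds if BIT is set in the hex capability mask.
has_cap() {
    [ -n "$1" ] || return 1
    [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]
}

# cap_eff [STATUS_FILE]: print the effective capability mask (CapEff).
cap_eff() {
    awk '/^CapEff:/ { print $2 }' "${1:-/proc/self/status}" 2>/dev/null
}

# loop_nodes [DEV_DIR]: print loop block-device nodes that can be opened.
# A node that exists but cannot be opened is typically the devices cgroup
# (or file permissions) refusing access.
loop_nodes() {
    for n in "${1:-/dev}"/loop[0-9]*; do
        [ -b "$n" ] && ( : < "$n" ) 2>/dev/null && echo "$n"
    done
    return 0
}

# preflight [STATUS_FILE] [DEV_DIR]: report both checks; return 0 only if both pass.
preflight() {
    rc=0
    if has_cap "$(cap_eff "$1")" "$CAP_SYS_ADMIN"; then
        echo "CAP_SYS_ADMIN: present"
    else
        echo "CAP_SYS_ADMIN: missing, mount will fail with EPERM"; rc=1
    fi
    if [ -n "$(loop_nodes "$2")" ]; then
        echo "loop devices: usable"
    else
        echo "loop devices: none usable"; rc=1
    fi
    return $rc
}
```

Call `preflight` with no arguments inside the container; it reads `/proc/self/status` and `/dev` by default.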


I have a feeling this is not a good way to solve my issue, but this is what I have done for the time being, until a more sane idea presents itself.

My container starts into bash, from this shell I am able to add loop devices using:

# mknod /dev/loop0 -m0660 b 7 0
# mknod /dev/loop1 -m0660 b 7 1
...
# mknod /dev/loop9 -m0660 b 7 9

and now, I have loop devices available, so I am able to mount an ISO. However, I noticed that the first available loop device for me was /dev/loop2:

bash-4.1# losetup -f
/dev/loop2

This implies that loop0 and loop1 are already in use; this is confirmed by:

bash-4.1# losetup -a
/dev/loop0: [fd00]:1978974 (/dev/loop0)
/dev/loop1: [fd00]:1978975 (/dev/loop1)
/dev/loop2: [fd00]:2369514 (/path/to/my/iso)

And this is why I think this solution is bad; from outside the container:

12:36:02 $ losetup -a
/dev/loop0: []: (/var/lib/docker/devicemapper/devicemapper/data)
/dev/loop1: []: (/var/lib/docker/devicemapper/devicemapper/metadata)
/dev/loop2: []: (/path/to/my/iso)

So it looks like the first 2 loop devices I created in the container mapped to loop0 and loop1 outside of the container, which is why they were not available for use. I guess there must be a way of setting up these devices with devicemapper (which is being used by docker, by the looks) but I've not been able to turn up much info on this.

For the time being, this solution will be okay for me - I'll just have to be careful to remember to umount the image when I'm finished with it.

I'm aware that this is far from a sane solution, so if anyone else can come up with a better plan I'm all ears.