procfs label to pass the /proc from host to container

Shpatz · January 2, 2024, 3:32pm

Hi,

using
board: Compulab IOT-GATE-iMX8PLUS 2G-4G DRAM
balenaOS: balenaOS 4.0.28
supervisor: 15.1.0

Trying to pass the /proc directory from the host OS to my container.
I used the label:
io.balena.features.procfs: ‘1’

on my compose file:

hmi:
    # build: .
    image: <image>:<tag>
    depends_on:
      - mqtt
    labels:
      io.balena.features.sysfs: '1'
      io.balena.features.supervisor-api: '1'
      io.balena.features.procfs: '1'
    environment:
      - SERVICE_NAME=hmi
      - BROKER_ADDRESS=mqtt://mqtt:1883
    restart: always

But without success

on host:

cat /proc/device-tree/model
CompuLab IOT-GATE-IMX8PLUS

on container

/usr/src/hmi# cat /proc/device-tree/model
cat: /proc/device-tree/model: No such file or directory

alexgg · January 2, 2024, 5:26pm

Hi, even though the io.balena.features.procfs and io.balena.features.sysfs labels do mount the /proc and ‘/sys’ filesystem, the container still needs the required permissions to access some files in the sys directory, like /sys/firmware/devicetree, which is where /proc/device-tree symlinks.
The engine does not allow to access /sys/firmware from unprivileged containers (see apparmor: prohibit /sys/firmware/** from being accessed by AkihiroSuda · Pull Request #26618 · moby/moby · GitHub).