"Fajar A. Nugraha" <[email protected]> writes:
> On Fri, Nov 28, 2014 at 12:08 AM, Raimund Berger
> <[email protected]>
> wrote:
>
>> I'm asking since, as root, I'm guessing it might be easier to map select
>> devices - like OSS audio - into a container, even when mapping uids too,
>> which seems to be pretty much impossible to do with unprivileged
>> containers (for good reason, obviously).
>
> I thought there are groups for mostly every device a normal user would need
> to access, e.g. audio group? My guess is that if the uid of the user
> starting the container (as well as mapped root and whatever user inside the
> container that needs to access the device) belongs to the host's group, it
> should work even for unprivileged containers.

Entirely true. But then you need at least one dedicated user for each device group you want to map. And if you want to map two groups, like when trying to contain an application that uses both audio and video, into a single container, you're already at a dead end.

I know there are workarounds like using PulseAudio instead of direct device access. But there you might run into a whole other world of issues. And, in view of the ongoing bufferbloat discussion, why introduce still more buffers and latency without actual need?

Also, I'd think my question might really be of general interest. Even when not directly relating to situations where people try to map multiple device groups, no?

_______________________________________________
lxc-users mailing list
[email protected]
http://lists.linuxcontainers.org/listinfo/lxc-users
