Quoting Daan Willems ([email protected]):
> On Mon, Apr 4, 2016 at 5:41 PM, Serge Hallyn <[email protected]> wrote:
> > Can you show your full container configuration?
>
> I tinkered a bit with the config. If I comment out all of the
> lxc.cgroup.devices.allow lines, the container starts.
Right. If you ask lxc to set up devices cgroup entries, then you must be able to write to your devices cgroup files... You can enable this by adding ',devices' to the end of the libpam-cgfs line in /etc/pam.d/common-session*. There is no security downside to it fwiw - the kernel will enforce proper hierarchy so that your user cannot escape its limits.

> Are there any changes to the lxc.cgroup configuration I should know of?

Modern containers (for the past few years I think) make use of the lxc.include of common files, using different sets for privileged and unprivileged containers, so that unpriv ones have no devices entries, and do have some other needed entries.

-serge

_______________________________________________
lxc-users mailing list
[email protected]
http://lists.linuxcontainers.org/listinfo/lxc-users
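The two things Serge's reply turns on, as an added example that is not part of the thread or of LXC itself: what the pam_cgfs line looks like before and after ',devices' is appended, and how to confirm that the devices cgroup a login session landed in is actually writable, which is what lxc.cgroup.devices.allow entries in an unprivileged container need. The '-c <controllers>' form of the pam_cgfs.so line is assumed from Ubuntu's libpam-cgfs packaging, and the /proc/self/cgroup sample and its paths are constructed for the example.

```shell
#!/bin/sh
# Added example for this thread, not code from the lxc-users list or the LXC project.
# (1) pam_line_with_devices: show the libpam-cgfs line in /etc/pam.d/common-session*
#     before and after adding ',devices' to its controller list.
# (2) devices_allow_writable: check whether the devices cgroup pam_cgfs put this
#     login session in is writable, i.e. whether lxc can apply
#     lxc.cgroup.devices.allow entries for an unprivileged container.

# Constructed sample of /proc/self/cgroup for a user logged in with pam_cgfs
# (controller ids and the session path are made up for this example).
SAMPLE_PROC_CGROUP='10:memory:/user/1000.user/2.session
4:devices:/user/1000.user/2.session
3:cpu,cpuacct:/user/1000.user/2.session
1:name=systemd:/user.slice/user-1000.slice/session-2.scope'

# pam_line_with_devices LINE
# Given a pam_cgfs session line such as
#   session optional pam_cgfs.so -c freezer,memory,name=systemd
# print it with 'devices' appended to the controller list.  Lines that already
# list devices, and lines for other PAM modules, pass through unchanged.
# The '-c <controllers>' syntax is an assumption taken from Ubuntu's libpam-cgfs.
pam_line_with_devices() {
    line=$1
    case "$line" in
        *pam_cgfs.so*) ;;
        *) printf '%s\n' "$line"; return 0 ;;
    esac
    ctrls=$(printf '%s\n' "$line" |
        sed -n 's/.*-c[[:space:]][[:space:]]*\([^[:space:]]*\).*/\1/p')
    if [ -z "$ctrls" ]; then
        # No controller list at all: add one containing just devices.
        printf '%s -c devices\n' "$line"
        return 0
    fi
    case ",$ctrls," in
        *,devices,*) printf '%s\n' "$line" ;;
        *) printf '%s\n' "$line" |
               sed "s|-c[[:space:]][[:space:]]*$ctrls|-c $ctrls,devices|" ;;
    esac
}

# devices_cgroup_path PROC_CGROUP_CONTENTS
# Print the devices cgroup the session is in (the third field of the line whose
# controller list contains "devices"), or nothing if the devices controller is
# not mounted, e.g. on a pure cgroup v2 host.
devices_cgroup_path() {
    printf '%s\n' "$1" | awk -F: '{
        n = split($2, ctl, ",")
        for (i = 1; i <= n; i++)
            if (ctl[i] == "devices") { print $3; exit }
    }'
}

# devices_allow_writable CGROUP_MOUNT_ROOT PROC_CGROUP_CONTENTS
# Succeed if devices.allow inside the session's devices cgroup is writable by
# the current user.  On a real host CGROUP_MOUNT_ROOT is /sys/fs/cgroup.
devices_allow_writable() {
    root=$1
    path=$(devices_cgroup_path "$2")
    [ -n "$path" ] || return 1
    [ -w "$root/devices$path/devices.allow" ]
}

# Run the script with --live to check the current login session on this host.
if [ "${1-}" = "--live" ]; then
    if devices_allow_writable /sys/fs/cgroup "$(cat /proc/self/cgroup)"; then
        echo "devices cgroup is writable: lxc.cgroup.devices.allow entries can be applied"
    else
        echo "devices cgroup is not writable: add ',devices' to the pam_cgfs line and log in again"
    fi
fi
```

The live check has to run from a fresh login session, since pam_cgfs only moves a session into its cgroups at login time; editing common-session and re-running the script in the same shell will still report the old state.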
