CAP_MKNOD http://man7.org/linux/man-pages/man7/capabilities.7.html
You need to explicitly add the CAP_MKNOD capability to your container.

    lxc.cap.keep
        Specify the capability to be kept in the container. All other
        capabilities will be dropped. When a special value of "none" is
        encountered, lxc will clear any keep capabilities specified up to
        this point. A value of "none" alone can be used to drop all
        capabilities.

You could also try to automate this (if you happen to use systemd inside the
container) using:

    lxc.hook.autodev
        A hook to be run in the container's namespace after mounting has
        been done and after any mount hooks have run, but before the
        pivot_root, if lxc.autodev == 1. The purpose of this hook is to
        assist in populating the /dev directory of the container when using
        the autodev option for systemd based containers. The container's
        /dev directory is relative to the ${LXC_ROOTFS_MOUNT} environment
        variable available when the hook is run.

which can point to a script running mknod.

On Sat, Nov 25, 2017 at 11:30 PM, john <j...@tonebridge.com> wrote:
> Hello,
>
> I have done enough Web searching in how to get access to usb cdrom drive
> from an unprivileged container that I would like to think I have a unique
> problem :)
>
> I am using Debian Stretch and lxc 2.0.7. My container config is below.
>
> In container:
>
> container:/# mknod -m 666 /tmp/cdrom b 11 0
> mknod: /tmp/cdrom: Operation not permitted
>
> From outside:
>
> host# lxc-device -n ripper add /dev/sr0
> lxc-device: lxccontainer.c: do_add_remove_node: 3798 mknod failed
> lxc-device: lxccontainer.c: do_add_remove_node: 3764 Failed to create note
> in guest
> lxc-device: tools/lxc_device.c: main: 166 Failed to add /dev/sr0 to ripper.
>
> host# ls -l /dev/sr0
> brw-rw---- 1 root cdrom 11, 0 Nov 25 14:17 /dev/sr0
>
> I have attempted to disable seccomp by commenting this out in
> /usr/share/lxc/config/common.conf:
>
> # Blacklist some syscalls which are not safe in privileged
> # containers
> #lxc.seccomp = /usr/share/lxc/config/common.seccomp
>
> I can't get that node created and it seems like it should.
>
> What am I missing?
>
>
> Container config:
>
> lxc.include = /usr/share/lxc/config/debian.common.conf
> lxc.include = /usr/share/lxc/config/debian.userns.conf
> lxc.arch = x86_64
>
> # Container specific configuration
> lxc.id_map = u 0 100000 65536
> lxc.id_map = g 0 100000 65536
> lxc.mount.auto = proc:mixed sys:ro cgroup:mixed
> lxc.rootfs = /containers/ripper/rootfs
> lxc.rootfs.backend = dir
> lxc.utsname = ripper
>
> lxc.network.type = veth
> lxc.network.link = br0
> lxc.network.flags = up
> lxc.network.hwaddr = 00:16:3e:80:78:fc
>
> lxc.aa_profile = lxc-container-default-with-mounting
> #lxc.aa_profile = unconfined
>
> lxc.mount.entry = /dev/bus/usb/001 dev/bus/usb/001 none
> bind,optional,create=dir
>
> # lxc.cgroup.devices.allow = typeofdevice majornumber:minornumber rwm
> lxc.cgroup.devices.allow = b 11:* rwm
>
>
> _______________________________________________
> lxc-users mailing list
> lxc-users@lists.linuxcontainers.org
> http://lists.linuxcontainers.org/listinfo/lxc-users
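As an added example, not code from the thread or from the LXC project: a script of the kind the reply describes for lxc.hook.autodev, which populates the CD-ROM block node under ${LXC_ROOTFS_MOUNT} when the container starts. The hook path in the comment, the device list and the MKNOD override variable are assumptions made here; the script relies on LXC passing the hook type ("autodev") as its third positional argument, and it refuses to operate on an empty or "/" rootfs so it can never touch the host's own /dev by mistake. Pairing this with a narrow lxc.cgroup.devices.allow rule (b 11:* rwm, as in the config above) keeps the container's extra privilege limited to creating nodes for that one major.

```shell
#!/bin/sh
# Added example for lxc.hook.autodev (not from the original thread).
# Register it in the container config, for instance as (path is hypothetical):
#   lxc.hook.autodev = /containers/ripper/hook-autodev.sh
# LXC runs it in the container's mount namespace with LXC_ROOTFS_MOUNT set and
# the hook type as the third argument; CAP_MKNOD must be kept for mknod to work.
set -eu

# Constructed sample device list: "name type major minor mode" per line.
# 11:0 is the first SCSI CD-ROM (sr0), the device from the thread.
DEVICE_LIST="sr0 b 11 0 0660"

# The mknod command can be overridden (e.g. MKNOD=fake_mknod for a dry run).
MKNOD="${MKNOD:-mknod}"

# populate_node ROOTFS NAME TYPE MAJOR MINOR MODE
# Creates ROOTFS/dev/NAME if it does not already exist (idempotent).
populate_node() {
    rootfs="$1"; name="$2"; type="$3"; major="$4"; minor="$5"; mode="$6"
    node="$rootfs/dev/$name"
    case "$type" in
        b|c) ;;
        *) echo "populate_node: unsupported type '$type' for $name" >&2; return 2 ;;
    esac
    case "$major$minor" in
        *[!0-9]*) echo "populate_node: non-numeric major/minor for $name" >&2; return 2 ;;
    esac
    mkdir -p "$rootfs/dev"
    if [ -e "$node" ]; then
        echo "populate_node: $node already exists, leaving it alone" >&2
        return 0
    fi
    "$MKNOD" -m "$mode" "$node" "$type" "$major" "$minor"
}

# populate_all ROOTFS: create every node listed in DEVICE_LIST under ROOTFS.
populate_all() {
    rootfs="$1"
    # Never run against the host: an unset variable would otherwise mean "/".
    if [ -z "$rootfs" ] || [ "$rootfs" = "/" ]; then
        echo "populate_all: refusing to run with empty or '/' rootfs" >&2
        return 1
    fi
    printf '%s\n' "$DEVICE_LIST" | while read -r name type major minor mode; do
        [ -n "$name" ] || continue
        populate_node "$rootfs" "$name" "$type" "$major" "$minor" "$mode"
    done
}

# Only act when LXC invokes us as the autodev hook (third argument).
if [ "${3:-}" = "autodev" ]; then
    populate_all "${LXC_ROOTFS_MOUNT:?LXC_ROOTFS_MOUNT not set}"
fi
```

Because the nodes are created relative to ${LXC_ROOTFS_MOUNT} before pivot_root, no bind mount of the host's /dev is needed, and the container never gets more than the single CAP_MKNOD capability plus the one cgroup device rule.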