and here http://man7.org/linux/man-pages/man5/lxc.container.conf.5.html
On Sat, Nov 25, 2017 at 11:36 PM, Pavol Cupka <[email protected]> wrote:
> CAP_MKNOD
>
> http://man7.org/linux/man-pages/man7/capabilities.7.html
>
> You need to explicitly add the CAP_MKNOD capability to your container.
>
> lxc.cap.keep
> Specify the capability to be kept in the container. All other
> capabilities will be dropped. When a special value of "none"
> is encountered, lxc will clear any keep capabilities specified
> up to this point. A value of "none" alone can be used to drop
> all capabilities.
>
> You could also try to automate this (if you happen to use systemd
> inside the container) using:
>
> lxc.hook.autodev
> A hook to be run in the container's namespace after mounting
> has been done and after any mount hooks have run, but before
> the pivot_root, if lxc.autodev == 1. The purpose of this hook
> is to assist in populating the /dev directory of the container
> when using the autodev option for systemd based containers.
> The container's /dev directory is relative to the
> ${LXC_ROOTFS_MOUNT} environment variable available when the
> hook is run.
>
> which can point to a script running mknod.
>
>
> On Sat, Nov 25, 2017 at 11:30 PM, john <[email protected]> wrote:
>> Hello,
>>
>> I have done enough Web searching in how to get access to usb cdrom drive
>> from an unprivileged container that I would like to think I have a unique
>> problem :)
>>
>> I am using Debian Stretch and lxc 2.0.7. My container config is below.
>>
>> In container:
>>
>> container:/# mknod -m 666 /tmp/cdrom b 11 0
>> mknod: /tmp/cdrom: Operation not permitted
>>
>> From outside:
>>
>> host# lxc-device -n ripper add /dev/sr0
>> lxc-device: lxccontainer.c: do_add_remove_node: 3798 mknod failed
>> lxc-device: lxccontainer.c: do_add_remove_node: 3764 Failed to create note
>> in guest
>> lxc-device: tools/lxc_device.c: main: 166 Failed to add /dev/sr0 to ripper.
>>
>> host# ls -l /dev/sr0
>> brw-rw---- 1 root cdrom 11, 0 Nov 25 14:17 /dev/sr0
>>
>> I have attempted to disable seccomp by commenting this out in
>> /usr/share/lxc/config/common.conf:
>>
>> # Blacklist some syscalls which are not safe in privileged
>> # containers
>> #lxc.seccomp = /usr/share/lxc/config/common.seccomp
>>
>> I can't get that node created and it seems like it should.
>>
>> What am I missing?
>>
>>
>> Container config:
>>
>> lxc.include = /usr/share/lxc/config/debian.common.conf
>> lxc.include = /usr/share/lxc/config/debian.userns.conf
>> lxc.arch = x86_64
>>
>> # Container specific configuration
>> lxc.id_map = u 0 100000 65536
>> lxc.id_map = g 0 100000 65536
>> lxc.mount.auto = proc:mixed sys:ro cgroup:mixed
>> lxc.rootfs = /containers/ripper/rootfs
>> lxc.rootfs.backend = dir
>> lxc.utsname = ripper
>>
>> lxc.network.type = veth
>> lxc.network.link = br0
>> lxc.network.flags = up
>> lxc.network.hwaddr = 00:16:3e:80:78:fc
>>
>> lxc.aa_profile = lxc-container-default-with-mounting
>> #lxc.aa_profile = unconfined
>>
>> lxc.mount.entry = /dev/bus/usb/001 dev/bus/usb/001 none
>> bind,optional,create=dir
>>
>> # lxc.cgroup.devices.allow = typeofdevice majornumber:minornumber rwm
>> lxc.cgroup.devices.allow = b 11:* rwm
>>
>>
>> _______________________________________________
>> lxc-users mailing list
>> [email protected]
>> http://lists.linuxcontainers.org/listinfo/lxc-users
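An added example for the setup discussed in this thread (my own code, not posted by either participant and not part of LXC): a small Python model of the three gates a `mknod` of `b 11:0` has to pass inside an LXC container: the devices-cgroup allow rules (`lxc.cgroup.devices.allow`), the capability set shaped by `lxc.cap.keep` / `lxc.cap.drop`, and the kernel's own check in `vfs_mknod`, which on kernels of that era requires CAP_MKNOD in the initial user namespace and therefore refuses char/block nodes to the uid-mapped root of an unprivileged container whatever the container's capability set says. It goes slightly beyond the thread by handling wildcard and bare `a` rules generally. Assumptions: `lxc.include` files are not followed, only allow rules are evaluated (no deny ordering), cgroup v1 rule syntax, and the two sample configs are constructed from the posted config plus a bind-mount variant.

```python
"""Model of the checks behind 'mknod: Operation not permitted' in an LXC container.

Added example, not LXC code. Assumes: lxc.include is not followed, only
lxc.cgroup.devices.allow rules are evaluated (cgroup v1 syntax), and the
kernel rule that vfs_mknod needs CAP_MKNOD in the *initial* user namespace.
"""

CAP_MKNOD_BIT = 27  # CAP_MKNOD from <linux/capability.h>

# Constructed sample: the config posted in the thread, includes omitted.
SAMPLE_CONFIG = """
lxc.arch = x86_64
# Container specific configuration
lxc.id_map = u 0 100000 65536
lxc.id_map = g 0 100000 65536
lxc.rootfs = /containers/ripper/rootfs
lxc.utsname = ripper
lxc.mount.entry = /dev/bus/usb/001 dev/bus/usb/001 none bind,optional,create=dir
# lxc.cgroup.devices.allow = typeofdevice majornumber:minornumber rwm
lxc.cgroup.devices.allow = b 11:* rwm
"""

# Constructed variant: the host-created node is bind-mounted into the rootfs
# instead of being created from inside the user namespace.
SAMPLE_WITH_BIND = SAMPLE_CONFIG + (
    "lxc.mount.entry = /dev/sr0 dev/sr0 none bind,optional,create=file\n"
)


def parse_config(text):
    """Return (key, value) pairs from lxc.container.conf text, skipping comments."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        entries.append((key.strip(), value.strip()))
    return entries


def parse_device_rule(rule):
    """Parse a devices-cgroup rule such as 'b 11:* rwm' or the bare 'a'."""
    tokens = rule.split()
    if len(tokens) == 1:  # bare "a": every device, all access
        return {"type": "a", "major": "*", "minor": "*", "access": set("rwm")}
    dtype, numbers, access = tokens
    major, minor = numbers.split(":")
    return {"type": dtype, "major": major, "minor": minor, "access": set(access)}


def _num_match(pattern, value):
    return pattern == "*" or int(pattern) == value


def device_allowed(entries, dtype, major, minor, access="m"):
    """True if some lxc.cgroup.devices.allow rule covers the device and access bits."""
    for key, value in entries:
        if key != "lxc.cgroup.devices.allow":
            continue
        rule = parse_device_rule(value)
        if rule["type"] not in ("a", dtype):
            continue
        if (_num_match(rule["major"], major) and _num_match(rule["minor"], minor)
                and set(access) <= rule["access"]):
            return True
    return False


def is_unprivileged(entries):
    """An id map means container root is root of a non-initial user namespace."""
    return any(key in ("lxc.id_map", "lxc.idmap") for key, _ in entries)


def cap_mknod_kept(entries):
    """Model lxc.cap.keep / lxc.cap.drop: a keep list wins when present, 'none' clears it."""
    keep = None
    dropped = set()
    for key, value in entries:
        if key == "lxc.cap.keep":
            caps = value.split()
            if "none" in caps:
                keep = set()  # 'none' clears every capability kept so far
                caps = [c for c in caps if c != "none"]
            keep = (keep or set()) | set(caps)
        elif key == "lxc.cap.drop":
            dropped |= set(value.split())
    if keep is not None:
        return "mknod" in keep
    return "mknod" not in dropped


def cap_mknod_in_capeff(capeff_hex):
    """Check the CAP_MKNOD bit in a CapEff value as printed in /proc/<pid>/status."""
    return bool(int(capeff_hex, 16) >> CAP_MKNOD_BIT & 1)


def bind_mounted_nodes(entries):
    """Container-relative targets of lxc.mount.entry bind mounts that create a file node."""
    targets = []
    for key, value in entries:
        if key != "lxc.mount.entry":
            continue
        fields = value.split()
        opts = fields[3].split(",") if len(fields) >= 4 else []
        if "bind" in opts and "create=file" in opts:
            targets.append(fields[1])
    return targets


def diagnose(config_text, dtype, major, minor):
    """List the reasons an in-container mknod of this device would be refused."""
    entries = parse_config(config_text)
    reasons = []
    if not device_allowed(entries, dtype, major, minor, "m"):
        reasons.append("no lxc.cgroup.devices.allow rule grants 'm' for %s %d:%d"
                       % (dtype, major, minor))
    if not cap_mknod_kept(entries):
        reasons.append("CAP_MKNOD removed by lxc.cap.drop / lxc.cap.keep")
    if is_unprivileged(entries):
        reasons.append("lxc.id_map present: container root lacks CAP_MKNOD in the "
                       "initial user namespace, so vfs_mknod refuses device nodes; "
                       "create the node on the host and bind-mount it (create=file)")
    return reasons


if __name__ == "__main__":
    for name, cfg in (("posted config", SAMPLE_CONFIG), ("bind-mount variant", SAMPLE_WITH_BIND)):
        print(name, "->", diagnose(cfg, "b", 11, 0) or ["mknod would pass all modelled checks"])
        print("  bind-mounted device nodes:", bind_mounted_nodes(parse_config(cfg)))
```

Run against the posted config, the only finding is the user-namespace one, which is exactly the gate that adding capabilities or disabling seccomp cannot open; `bind_mounted_nodes` shows the alternative of letting the host own the node and bind-mounting it, which keeps the container unprivileged while the `b 11:* rwm` rule still governs whether the node can be opened.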
