On Fri, Jan 9, 2015 at 12:55 AM, Stéphane Graber <stgra...@ubuntu.com> wrote:
> I expect we'll run into some more problems when dealing with units that
> start with their own view of /dev since mknod in a userns isn't allowed
> but I haven't run into one of those yet so it's not very high on my list.
>
> Once that happens, I expect we can solve it either by again just
> ignoring the failure or by catching the failure and falling back to
> doing a bind-mount of the device in question from the parent /dev (which
> works fine in a userns and is what we do today for nested containers
> with LXC).
Ignoring the failure as in starting services with an empty /dev sounds like it won't work. Also, just using the parent dev despite explicitly being asked not to sounds dangerous (most of the time there won't be much interesting stuff in /dev in a container, but that is not guaranteed).

Bind-mounting should obviously work, but might it not make even more sense to fix mknod in the kernel (as there are likely to be more places than just systemd that need fixing for this)? Even if it is just a minimal fix along the lines of "allow mknod whenever mount --bind would do the trick"? Based on the commit message here it sounds like people would not be opposed to the idea: <http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=975d6b3932d43b87a48d2107264ed0c9a7541d8d>.

Cheers,
Tom
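As an added example (not code from systemd, LXC or either poster), the fallback Stéphane describes in C: try mknod(2) first, and only when it fails with EPERM (what mknod returns for a device node without CAP_MKNOD, which is the user-namespace case) create an empty mount-point file and bind-mount that single node from the parent /dev over it. Names such as provision_device, remove_device and the /tmp self-check are my own. It copies exactly one named node, never the parent's whole /dev, which is the narrow form of "using the parent dev" that Tom's concern leaves room for.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/mount.h>
#include <sys/stat.h>
#include <unistd.h>

/* Outcome of provisioning one node into a container's private /dev.
 * Example code: none of these names are from systemd or LXC. */
enum dev_result { DEV_MKNOD = 0, DEV_BIND = 1, DEV_FAILED = 2 };

static int fail(int *err_out, int err)
{
    *err_out = err;
    return DEV_FAILED;
}

/* mknod(2) of a char/block device fails with EPERM when the caller lacks
 * CAP_MKNOD in the initial user namespace, i.e. the userns case discussed
 * above. Other errors (ENOENT, EEXIST, ...) are not about privilege and
 * must not trigger the fallback. */
int should_fall_back(int err)
{
    return err == EPERM;
}

/* Copy node `name` from parent_dev (e.g. "/dev") into target_dev.
 * Preferred: mknod() with the same type, mode and major:minor.
 * Fallback (EPERM only): an empty regular file as mount point, then a bind
 * mount of the parent's node onto it. Only that one node is exposed from
 * the parent /dev, never the whole directory. */
int provision_device(const char *parent_dev, const char *target_dev,
                     const char *name, int *err_out)
{
    char src[PATH_MAX], dst[PATH_MAX];
    struct stat st;
    int fd;

    snprintf(src, sizeof src, "%s/%s", parent_dev, name);
    snprintf(dst, sizeof dst, "%s/%s", target_dev, name);
    if (stat(src, &st) < 0)
        return fail(err_out, errno);
    if (!S_ISCHR(st.st_mode) && !S_ISBLK(st.st_mode))
        return fail(err_out, ENODEV); /* copy device nodes, nothing else */
    if (mknod(dst, st.st_mode, st.st_rdev) == 0)
        return DEV_MKNOD;
    if (!should_fall_back(errno))
        return fail(err_out, errno);
    fd = open(dst, O_WRONLY | O_CREAT | O_EXCL | O_CLOEXEC, 0600);
    if (fd < 0)
        return fail(err_out, errno);
    close(fd);
    if (mount(src, dst, NULL, MS_BIND, NULL) < 0) {
        int saved = errno;
        unlink(dst); /* leave no dangling mount-point file behind */
        return fail(err_out, saved);
    }
    return DEV_BIND;
}

/* Undo provision_device(): detach the bind mount if that is how the node
 * was created, then remove the node or mount-point file. */
int remove_device(const char *target_dev, const char *name, int how)
{
    char dst[PATH_MAX];
    snprintf(dst, sizeof dst, "%s/%s", target_dev, name);
    if (how == DEV_BIND && umount2(dst, MNT_DETACH) < 0)
        return -1;
    return unlink(dst);
}

/* Self-check: provision /dev/null into a fresh temp directory. Returns 1 if
 * either a character device ended up in place (reported in *how) and could
 * be removed again, or provisioning failed cleanly (*err set, no leftover
 * file). Which of the two happens depends on the caller's privileges. */
int demo_null_device(int *how, int *err)
{
    char tmpl[] = "/tmp/devtest.XXXXXX", path[PATH_MAX];
    char *dir = mkdtemp(tmpl);
    struct stat st;
    int ok;

    *err = 0;
    *how = DEV_FAILED;
    if (dir == NULL)
        return 0;
    snprintf(path, sizeof path, "%s/null", dir);
    *how = provision_device("/dev", dir, "null", err);
    if (*how == DEV_FAILED)
        ok = *err != 0 && stat(path, &st) < 0;
    else
        ok = stat(path, &st) == 0 && S_ISCHR(st.st_mode) &&
             remove_device(dir, "null", *how) == 0;
    rmdir(dir);
    return ok;
}
```

The mknod path needs CAP_MKNOD in the initial user namespace; the bind path needs CAP_SYS_ADMIN in the caller's mount namespace, which root inside a user namespace does have. Run unprivileged, demo_null_device() reports a clean EPERM failure rather than a half-created node. One caveat with the bind-mount form: the mount point shares the parent's inode, so a chmod or chown on the node inside the container changes the parent's device node too.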