On Wed, 23.12.15 14:10, Emmanuel Coirier ([email protected]) wrote:

> Hello everyone,
>
> I have encountered a problem with a systemd-nspawn container and debootstrap
> running in this container.
>
> When I try to launch debootstrap inside the container, debootstrap
> stops because it tries to unpack a tar archive that creates devices
> like /dev/console. The error is "EPERM". Here is the full command
> list:
debootstrap really shouldn't do that. At least on systemd systems we only
support setups where /dev is prepared by the kernel via devtmpfs, by the
container manager when setting up the container environment, or by any
other kind of namespace manager when setting up a namespace. Either way it
needs to be on a volatile file system, and not persistent. Untarring
device nodes is hence always wrong.

nspawn generally allows creation of device nodes, but uses the "devices"
cgroup controller to restrict what may be created. Specifically, in order
to support PrivateDevices= in containers we do allow creating additional
/dev/null and /dev/zero and suchlike, but do not allow creating arbitrary
device nodes, for security reasons. We currently provide no way to turn
this off, and I am not convinced we should add that.

Long story short: debootstrap really shouldn't bother with creating
device nodes. For security reasons we are quite restrictive there, and
I'd claim, rightfully so. Please file a bug against debootstrap, asking
them to stop creating device nodes (or at least making it non-fatal if
they lack the permission to).

Lennart

-- 
Lennart Poettering, Red Hat
_______________________________________________
systemd-devel mailing list
[email protected]
http://lists.freedesktop.org/mailman/listinfo/systemd-devel
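As an added example, not code from systemd, debootstrap or either participant in the thread, the following Python models the whitelist semantics of the legacy (cgroup v1) "devices" controller that the reply refers to, so that one can see why a tar unpack that runs mknod() for /dev/console gets EPERM while creating /dev/null does not. The whitelist contents and the archive entries below are constructed for illustration and are not a verbatim dump of what systemd-nspawn installs; the real list for a container is read from /sys/fs/cgroup/devices/devices.list inside it.

```python
"""Which mknod() calls would a cgroup-v1 "devices" whitelist permit?

Illustrative example only (not systemd or debootstrap code). It models the
legacy devices controller in its default-deny ("whitelist") behaviour:
each devices.list entry is "<type> <major>:<minor> <access>", where type
is 'c' (char), 'b' (block) or 'a' (all), major/minor are decimal numbers
or '*', and access is a subset of "rwm". Creating a node with mknod()
needs the 'm' bit; if no entry covers the node and the bit, the kernel
returns EPERM. A controller left in default-allow mode reports just
"a *:* rwm", which this model treats as permitting everything.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class DeviceRule:
    dev_type: str   # 'c', 'b' or 'a'
    major: str      # decimal string or '*'
    minor: str      # decimal string or '*'
    access: str     # subset of "rwm"

    def covers(self, dev_type: str, major: int, minor: int, access: str) -> bool:
        """True if this entry matches the node and grants all requested bits."""
        if self.dev_type != 'a' and self.dev_type != dev_type:
            return False
        if self.major != '*' and int(self.major) != major:
            return False
        if self.minor != '*' and int(self.minor) != minor:
            return False
        return set(access) <= set(self.access)


def parse_devices_list(text: str) -> List[DeviceRule]:
    """Parse the text of a devices.list file into rules, rejecting malformed lines."""
    rules: List[DeviceRule] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        dev_type, numbers, access = line.split()
        major, minor = numbers.split(':')
        if dev_type not in ('c', 'b', 'a') or not set(access) <= set('rwm'):
            raise ValueError(f"malformed devices.list entry: {line!r}")
        rules.append(DeviceRule(dev_type, major, minor, access))
    return rules


def mknod_allowed(rules: Iterable[DeviceRule], dev_type: str, major: int, minor: int) -> bool:
    """mknod() succeeds if any whitelist entry covers the node with the 'm' bit."""
    return any(r.covers(dev_type, major, minor, 'm') for r in rules)


# Constructed sample whitelist: the handful of "safe" character devices a
# PrivateDevices= service expects (null, zero, full, random, urandom, tty),
# plus pty slaves with only 'rw' (may be opened, not created). Assumed for
# illustration, not copied from a real nspawn container.
SAMPLE_DEVICES_LIST = """\
c 1:3 rwm
c 1:5 rwm
c 1:7 rwm
c 1:8 rwm
c 1:9 rwm
c 5:0 rwm
c 136:* rw
"""

# Constructed device entries as an archive might try to recreate them:
# (path, type, major, minor). /dev/console is 5:1, /dev/sda is block 8:0.
SAMPLE_TAR_NODES: List[Tuple[str, str, int, int]] = [
    ("dev/null",    'c', 1, 3),
    ("dev/zero",    'c', 1, 5),
    ("dev/console", 'c', 5, 1),
    ("dev/pts/0",   'c', 136, 0),
    ("dev/sda",     'b', 8, 0),
]


def check_tar_nodes(devices_list: str,
                    nodes: Iterable[Tuple[str, str, int, int]]) -> Dict[str, str]:
    """Return {path: "ok" | "EPERM"} for each node an unpack would mknod()."""
    rules = parse_devices_list(devices_list)
    return {path: ("ok" if mknod_allowed(rules, t, maj, mn) else "EPERM")
            for path, t, maj, mn in nodes}


if __name__ == "__main__":
    for path, verdict in check_tar_nodes(SAMPLE_DEVICES_LIST, SAMPLE_TAR_NODES).items():
        print(f"{path:14s} {verdict}")
```

Under the constructed whitelist only dev/null and dev/zero come back "ok"; dev/console, the pty slave (no 'm' bit) and the block device are all "EPERM", which is the failure the original post describes. Two caveats when comparing against a real system: the kernel consults the actual devices.list of the cgroup the process runs in, so check that file from inside the container rather than on the host, and on a unified (cgroup v2) hierarchy there is no devices.list at all because device access is enforced by BPF programs attached to the cgroup.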
