<div dir="ltr">Hi,<br><br>After the comments here, I had a closer look at the docker code. The problem was that it would always try to create <a href="https://github.com/docker/libcontainer/blob/master/configs/device_defaults.go">some default devices</a> without checking whether it had permission to do so. For now, I've created a fork of docker and added a fix to <a href="https://github.com/akshaykarle/docker/commit/0299d2c2084d7f42e7c2c433fca7f5ab3066d2be">create the devices only if the devices cgroup is present</a>. This seems to work and I'm now able to run docker inside unprivileged LXC containers.<div><br></div><div>But I don't know if just checking for the devices cgroup mountpoint is the right fix. I feel the right way would be to create only those devices that are allowed by lxc.cgroup.devices.allow, but I don't know how I can check the devices enabled in the unprivileged lxc container itself. Any way to do so?</div></div><br><div class="gmail_quote"><div dir="ltr">On Mon, Jun 15, 2015 at 2:42 PM Serge Hallyn <<a href="mailto:serge.hallyn@ubuntu.com">serge.hallyn@ubuntu.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Quoting Stewart Brodie (<a href="mailto:sbrodie@espial.com" target="_blank">sbrodie@espial.com</a>):<br>
> Serge Hallyn <<a href="mailto:serge.hallyn@ubuntu.com" target="_blank">serge.hallyn@ubuntu.com</a>> wrote:<br>
><br>
> > Quoting Stewart Brodie (<a href="mailto:sbrodie@espial.com" target="_blank">sbrodie@espial.com</a>):<br>
<br>
> > > However, another far neater way of doing this could be to use the<br>
> > > freezer instead. Just give lxc-start a new command-line option to start<br>
> > > the container *but* crucially, leave it frozen when lxc-start exits.<br>
> > > The caller can then just do lxc-start, lxc-device, lxc-unfreeze.<br>
><br>
> > > [can you run lxc-device on a frozen container?]<br>
><br>
> For future reference, this does indeed work. I like the idea, because it<br>
> would allow all sorts of fettling to go on with the new container from the<br>
> host side before it really starts executing.<br>
<br>
fwiw I'm not opposed to this if someone wants to code it up. Basically<br>
right before exec(2)ing /sbin/init, the task would freeze itself.<br>
_______________________________________________<br>
lxc-users mailing list<br>
<a href="mailto:lxc-users@lists.linuxcontainers.org" target="_blank">lxc-users@lists.linuxcontainers.org</a><br>
<a href="http://lists.linuxcontainers.org/listinfo/lxc-users" rel="noreferrer" target="_blank">http://lists.linuxcontainers.org/listinfo/lxc-users</a></blockquote></div>
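<div>Added example, not code from this thread, from docker, libcontainer or LXC: one way to do the check asked about above from inside the container. It reads the devices controller's path out of /proc/self/cgroup, parses that cgroup's devices.list whitelist (the kernel prints one rule per line as type major:minor access, with * as a wildcard for major or minor) and keeps only those default nodes whose rule carries the m (mknod) permission; when no devices controller is listed at all it creates nothing, which is the case the forked docker handles. The Device and Rule types, all function names, the sample /proc/self/cgroup and devices.list contents and the list of wanted device nodes are constructed for the example; docker's actual default list is the device_defaults.go linked above.</div>

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Device is a node to mknod, keyed the way the devices cgroup keys it (Type is 'c' or 'b').
type Device struct {
	Path         string
	Type         byte
	Major, Minor int64
}

// Rule is one devices.list line ("c 1:3 rwm", "a *:* rwm"); Major/Minor -1 is the "*" wildcard.
type Rule struct {
	Type         byte
	Major, Minor int64
	Access       string // some subset of "rwm"
}

func parseMajMin(s string) (int64, error) {
	if s == "*" {
		return -1, nil
	}
	return strconv.ParseInt(s, 10, 64)
}

// ParseDevicesList parses the text of a cgroup v1 devices.list file into rules.
func ParseDevicesList(text string) ([]Rule, error) {
	var rules []Rule
	for _, line := range strings.Split(text, "\n") {
		f := strings.Fields(line)
		if len(f) == 0 {
			continue
		}
		if len(f) != 3 || len(f[0]) != 1 || !strings.Contains(f[1], ":") {
			return nil, fmt.Errorf("malformed devices.list line %q", line)
		}
		mm := strings.SplitN(f[1], ":", 2)
		major, errMaj := parseMajMin(mm[0])
		minor, errMin := parseMajMin(mm[1])
		if errMaj != nil || errMin != nil {
			return nil, fmt.Errorf("bad major:minor in %q", line)
		}
		rules = append(rules, Rule{f[0][0], major, minor, f[2]})
	}
	return rules, nil
}

// Allows reports whether r grants every access letter in want (e.g. "m" to mknod) to dev.
func (r Rule) Allows(dev Device, want string) bool {
	return (r.Type == 'a' || r.Type == dev.Type) && (r.Major == -1 || r.Major == dev.Major) &&
		(r.Minor == -1 || r.Minor == dev.Minor) && strings.Trim(want, r.Access) == ""
}

// FilterCreatable keeps only the devices that at least one whitelist rule lets us mknod.
func FilterCreatable(rules []Rule, devs []Device) []Device {
	var out []Device
	for _, d := range devs {
		for _, r := range rules {
			if r.Allows(d, "m") {
				out = append(out, d)
				break
			}
		}
	}
	return out
}

// DevicesCgroupPath returns this process's devices-controller path from the text of
// /proc/self/cgroup ("N:devices:/path"), or "" when no devices controller is listed.
func DevicesCgroupPath(procCgroup string) string {
	for _, line := range strings.Split(procCgroup, "\n") {
		if p := strings.SplitN(line, ":", 3); len(p) == 3 && strings.Contains(","+p[1]+",", ",devices,") {
			return p[2]
		}
	}
	return ""
}

// Constructed sample inputs, not captured from a real container.
const sampleProcCgroup = "11:devices:/lxc/unpriv\n10:memory:/lxc/unpriv\n1:name=systemd:/lxc/unpriv\n"
const sampleDevicesList = "c 1:3 rwm\nc 1:5 rwm\nc 1:7 rwm\nc 1:8 rwm\nc 1:9 rwm\nc 5:2 rwm\nc 136:* rwm\nc 10:200 rw\n"

// A few nodes a runtime creates by default (constructed; docker's real list is the linked device_defaults.go).
var wantedDevices = []Device{
	{"/dev/null", 'c', 1, 3}, {"/dev/zero", 'c', 1, 5}, {"/dev/full", 'c', 1, 7}, {"/dev/random", 'c', 1, 8},
	{"/dev/urandom", 'c', 1, 9}, {"/dev/tty", 'c', 5, 0}, {"/dev/net/tun", 'c', 10, 200},
}

// SampleCreatable is the pre-mknod check over the samples: nil with no devices cgroup, else the permitted nodes.
func SampleCreatable() []Device {
	rules, err := ParseDevicesList(sampleDevicesList)
	if DevicesCgroupPath(sampleProcCgroup) == "" || err != nil {
		return nil
	}
	return FilterCreatable(rules, wantedDevices)
}
```

<div>With the sample whitelist, SampleCreatable returns /dev/null, /dev/zero, /dev/full, /dev/random and /dev/urandom; /dev/tty is dropped because no rule covers 5:0 and /dev/net/tun because its rule lacks the m bit. Two caveats for real use. The live file is &lt;devices mountpoint&gt;/&lt;path from /proc/self/cgroup&gt;/devices.list, which is what lxc.mount.auto = cgroup normally exposes under /sys/fs/cgroup/devices, and it only lists what is allowed when the cgroup is in deny-by-default mode, i.e. a config with lxc.cgroup.devices.deny = a ahead of its lxc.cgroup.devices.allow lines; in allow-by-default mode the kernel prints a single a *:* rwm and hides the deny exceptions, so the file cannot tell you what is blocked. And whatever the whitelist says, on kernels of that time mknod of a device node requires CAP_MKNOD in the initial user namespace, so an unprivileged container gets EPERM regardless of the cgroup; the mknod call still has to handle that error rather than trust the cgroup check alone.</div>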