[lxc-devel] problem with user namespace as root

[Serge Hallyn]

Quoting Stephan Sachse (ste.sachse at gmail.com):
> > > where is the fault?
> >
> > I suspect lxc.autodev is the problem, as far as I know (and the above
> > seems to prove it), it doesn't work with unprivileged containers as it
> > currently requires the ability to mknod.
> 
> why? cap_mknod is not dropped and die cgroup.devices allows to create
> the null device.

The kernel does not allow mknod in non-init user namespaces.