[Lxc-users] mknod after instance creation?

Stéphane Graber stgraber at ubuntu.com
Mon Nov 7 01:15:48 UTC 2011



On 11/05/2011 11:51 AM, Gordon Henderson wrote:
> On Sat, 5 Nov 2011, Daniel Lezcano wrote:
> 
>> On 11/05/2011 12:06 AM, Dong-In David Kang wrote:
>>> Hi,
>>> 
>>> Is it possible to do "mknod" after creation of an LXC
>>> instance? I need to do "mknod" not only at bootup time, but
>>> also at run-time. This is needed when I want to dynamically add
>>> devices to an LXC instance. Is it possible? If it is, how can I do
>>> it?
>>> 
>>> I've seen the case of "mknod" at bootup time of an LXC
>>> instance. But, I haven't seen the usage of "mknod" at run-time
>>> after boot-up. Is it a limitation of LXC?
>> 
>> Just comment out the lxc.cgroup.devices.* lines in the
>> configuration file.
> 
> Yup - same issue I had a few days ago.
> 
> However it also helped me yesterday too when I had been given a
> vmware instance to extract some data from - I managed to unpack it
> into a regular filesystem, then on a whim, I decided to run it up
> under LXC - it kicked off udev which mknods, so letting it do that
> made it work OK - actually work very OK after I tweaked a few
> things in the startup scripts to stop it grabbing the console, so
> much so that the people I was doing it for want to keep it going
> for a while rather than extract the data and import it into their
> new system - it turned out to be an FC11 image - my host is 
> Debian!
> 
> Gordon

You may want to apply the change I submitted to lxc-devel a few days ago:

- ---
 templates/lxc-ubuntu.in |    5 ++++-
 1 files changed, 4 insertions(+), 1 deletions(-)

diff --git a/templates/lxc-ubuntu.in b/templates/lxc-ubuntu.in
index 4f44b03..2be8680 100644
- --- a/templates/lxc-ubuntu.in
+++ b/templates/lxc-ubuntu.in
@@ -179,9 +179,12 @@ lxc.pts = 1024
 lxc.rootfs = $rootfs
 lxc.mount  = $path/fstab
 lxc.arch = $arch
- -lxc.cap.drop = sys_module mac_override mac_admin
+lxc.cap.drop = sys_module

 lxc.cgroup.devices.deny = a
+# Allow any mknod (but not using the node)
+lxc.cgroup.devices.allow = c *:* m
+lxc.cgroup.devices.allow = b *:* m
 # /dev/null and zero
 lxc.cgroup.devices.allow = c 1:3 rwm
 lxc.cgroup.devices.allow = c 1:5 rwm
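
Review bot: the `lxc.cap.drop` change in this hunk stops dropping `mac_override` and `mac_admin`, and nothing in the patch says why; the only added comment covers the mknod rules. Keeping two MAC capabilities in every container built from this template is a separate security decision from the device rules, so it deserves its own commit or at least a line of rationale in the commit message. On the new `c *:* m` and `b *:* m` entries, the comment could state explicitly that read and write still depend on the per-device `rwm` entries that follow, since that is what keeps the wildcard contained.
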
- -- 
1.7.7


This will allow any mknod to succeed but won't grant access to the
created devices unless whitelisted. This should solve most of the
runtime issues I noticed (upgrading udev being one of them).


- -- 
Stéphane Graber
Ubuntu developer
http://www.ubuntu.com
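
The effect described in the message above (mknod succeeds, but the node cannot be opened unless whitelisted) can be checked with a small model of the devices whitelist. This is an added example, not code from the original message or from the LXC project; the function names are hypothetical, the device `b 8:0` is a constructed sample, and only `deny = a` and `allow` rules are modelled.

```python
# Simplified model of the cgroup-v1 devices whitelist as driven by
# lxc.cgroup.devices.* lines. Assumption: only "deny = a" and
# "allow = <type> <major>:<minor> <access>" rules are modelled.

# Device rules as they read after the patch on this page is applied.
PATCHED_CONFIG = """\
lxc.cgroup.devices.deny = a
# Allow any mknod (but not using the node)
lxc.cgroup.devices.allow = c *:* m
lxc.cgroup.devices.allow = b *:* m
# /dev/null and zero
lxc.cgroup.devices.allow = c 1:3 rwm
lxc.cgroup.devices.allow = c 1:5 rwm
"""

def parse_whitelist(config):
    """Return a list of (type, major, minor, access-set) whitelist entries."""
    whitelist = []
    for line in config.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key == "lxc.cgroup.devices.deny":
            if value != "a":
                raise ValueError("only 'deny = a' is modelled: " + line)
            whitelist.clear()  # "a" drops every entry
        elif key == "lxc.cgroup.devices.allow":
            dev_type, numbers, access = value.split()
            major, minor = numbers.split(":")
            whitelist.append((dev_type, major, minor, set(access)))
    return whitelist

def is_allowed(whitelist, dev_type, major, minor, access):
    """True if a single entry covers the device and every requested letter."""
    for w_type, w_major, w_minor, w_access in whitelist:
        if w_type not in ("a", dev_type):
            continue
        if w_major not in ("*", str(major)) or w_minor not in ("*", str(minor)):
            continue
        if set(access) <= w_access:
            return True
    return False

def report(whitelist, dev_type, major, minor):
    """Map each of r, w, m to the decision for one device."""
    return {a: is_allowed(whitelist, dev_type, major, minor, a) for a in "rwm"}

if __name__ == "__main__":
    wl = parse_whitelist(PATCHED_CONFIG)
    print("c 1:3 (/dev/null):", report(wl, "c", 1, 3))
    print("b 8:0 (constructed sample):", report(wl, "b", 8, 0))
```
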



