[Lxc-users] Permission problem with /dev/net/tun (despite echoes to cgroup)

Thomas Karcher thkarcher at gmx.de
Sat Jun 29 16:08:38 UTC 2013


Hi folks,

the symptom my libvirt LXC container suffers from is:

root@depot:/dev/net# ls -la
total 0
drwxr-xr-x 2 root root  40 Jun 29 16:26 .
drwxr-xr-x 5 root root 480 Jun 29 16:26 ..

root@depot:/dev/net# mknod tun c 10 200
mknod: `tun': Operation not permitted

strace tells me that the actual mknod syscall fails (and no filesystem
permission error - the same command also fails e.g. in /tmp).

The host is an up-to-date AMD64 Ubuntu raring on 3.8.0-25-generic that
was formerly installed from precise and then upgraded. The guest is
Ubuntu precise; however, I see the same symptom in another raring
container on the same host.

What I tried to resolve this:

1) On the host, I echoed various stuff to the cgroup device files:

cd /sys/fs/cgroup/devices/libvirt/lxc
echo "c 10:200 rwm" > devices.allow
echo "c 10:200 rwm" > depot/devices.allow
echo a > depot/devices.allow

... and I see the successful results in depot/devices.list, but no
success.

2) I inserted a line "/dev/net/tun rwk," into
/etc/apparmor.d/abstractions/lxc/container-base - no change. (I know,
it seems kind of pointless - because it's about permissions to a
device, not a path. You may deduce my desperation from this ... :)

SELinux is not active. Mounts on /dev look normal to me:

devfs on /dev type tmpfs (rw,mode=0755)
devpts on /dev/pts type devpts (rw,noexec,nosuid,gid=5,mode=0620)
devpts on /dev/ptmx type devpts (rw,nosuid,relatime,gid=5,mode=620,ptmxmode=666)
cgroup on /sys/fs/cgroup/devices type cgroup (rw,relatime,devices)

I am hoping you might have a hint for me.


Thanks & regards
Thomas

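
Added example, not part of the original message: mknod(2) on a character device has to pass the devices cgroup whitelist and, independently, the caller must hold CAP_MKNOD, so this sketch checks both for c 10:200. The function names are hypothetical and the sample devices.list and CapEff values are constructed.

```shell
#!/bin/sh
# Two independent kernel gates for creating a device node:
#   1. the devices cgroup whitelist must grant "m" for type/major:minor
#   2. the calling process must hold CAP_MKNOD (capability bit 27)

# devices_allows TYPE MAJOR MINOR ACCESS  (devices.list content on stdin)
devices_allows() {
    while read -r t dev perms; do
        [ "$t" = a ] || [ "$t" = "$1" ] || continue
        maj=${dev%%:*}; min=${dev##*:}
        [ "$maj" = '*' ] || [ "$maj" = "$2" ] || continue
        [ "$min" = '*' ] || [ "$min" = "$3" ] || continue
        case $perms in *"$4"*) return 0 ;; esac
    done
    return 1
}

# has_cap_mknod HEXMASK  (the CapEff value from /proc/<pid>/status)
has_cap_mknod() {
    [ $(( (0x$1 >> 27) & 1 )) -eq 1 ]
}

# diagnose_mknod DEVICES_LIST_FILE STATUS_FILE MAJOR MINOR
diagnose_mknod() {
    capeff=$(awk '/^CapEff:/ { print $2 }' "$2")
    [ -n "$capeff" ] || { echo "unknown: no CapEff line"; return 2; }
    if ! devices_allows c "$3" "$4" m < "$1"; then
        echo "denied: devices cgroup"
    elif ! has_cap_mknod "$capeff"; then
        echo "denied: CAP_MKNOD not in effective set"
    else
        echo "allowed"
    fi
}

# Constructed sample: the whitelist grants c 10:200 rwm, but bit 27 is
# cleared in the effective capability mask.
tmp=$(mktemp -d)
printf 'c 1:3 rwm\nc 10:200 rwm\n' > "$tmp/devices.list"
printf 'Name:\tbash\nCapEff:\t0000001ff7ffffff\n' > "$tmp/status"
diagnose_mknod "$tmp/devices.list" "$tmp/status" 10 200
rm -rf "$tmp"
```

On a live system the first argument would be the container's devices.list under /sys/fs/cgroup/devices and the second the /proc/<pid>/status of a process inside the container.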



