[lxc-users] /dev/random problem with unprivileged minimal containers

Serge Hallyn serge.hallyn at ubuntu.com
Tue Jun 2 13:28:18 UTC 2015


Quoting Fiedler Roman (Roman.Fiedler at ait.ac.at):
> Hello List,
> 
> I've tried to create an unprivileged minimal container from scratch just
> writing config and extracting minimal guest tar to root with correct
> UIDs/GIDs.
> 
> Most things work fine, but SSH failed to start:
> 
> # /usr/sbin/sshd -D
> PRNG is not seeded
> 
> Cause was that /dev/random is missing.
> 
> Question: at what point would the guest /dev/random be created? Is this done by
> LXC, does it have to be triggered on the host side, or is just the permission given on the host
> side while creation is done by guest udev or similar?
> 
> 
> 
> My lxc-config contains those entries:
> 
> # /dev/random
> lxc.cgroup.devices.allow = c 1:8 rwm
> # /dev/urandom
> lxc.cgroup.devices.allow = c 1:9 rwm

Did you add 'lxc.autodev = 1' to your configuration?  If autodev is set,
then fill_autodev should be creating /dev/random at start time.

> After calling
> 
> lxc-device -n test add /dev/random /dev/random
> lxc-device -n test add /dev/urandom /dev/urandom
> 
> the devices exist in the guest but with the wrong uid/gid and wrong permissions
> (perhaps my version of lxc-device does not play nice with unprivileged)

Because you are unprivileged, you cannot create /dev/random.  All you can do
is to bind mount it from the host.  So it gets the same uid/gid/perms as
on the host.

> host# ls -al /dev/random 
> crw-rw-rw- 1 root root 1, 8 Apr 22 09:32 /dev/random
> 
> container# ls -al /dev/random 
> crw-r--r-- 1 nobody nogroup 1, 8 Jun  2 12:22 /dev/random

So that's precisely what I'd expect, since root/root is not mapped into the
unprivileged container.
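The config the thread converges on, written out as an added example (this is not code from the thread or from the LXC project): an unprivileged container config that sets lxc.autodev and bind-mounts the host's /dev/random and /dev/urandom with lxc.mount.entry, which is the same thing lxc-device does at runtime. The rootfs path, container name and id-map ranges are placeholders; the checker functions are assumptions of mine, and check_host_dev relies on GNU stat. Because the node is bind-mounted unchanged and host root is not mapped into the container, the only bits that matter for container root are the "other" permission bits, which is what check_host_dev tests.

```shell
#!/bin/sh
# Added example, not from the lxc-users thread or the LXC project.
# write_config FILE: write an unprivileged container config (paths and
# id ranges are hypothetical placeholders) that lets LXC populate /dev
# and bind-mounts the host's random devices into the guest.
write_config() {
    cat > "$1" <<'EOF'
lxc.rootfs = /home/user/.local/share/lxc/test/rootfs
lxc.utsname = test
# Map container uid/gid 0 onto an unprivileged host range (placeholder range).
lxc.id_map = u 0 100000 65536
lxc.id_map = g 0 100000 65536
# Let LXC populate /dev at start (fill_autodev creates /dev/random and friends).
lxc.autodev = 1
# Allow the device numbers in the cgroup and bind the host nodes into the guest;
# an unprivileged container cannot mknod, so a bind mount is the only option.
lxc.cgroup.devices.allow = c 1:8 rwm
lxc.cgroup.devices.allow = c 1:9 rwm
lxc.mount.entry = /dev/random dev/random none bind,create=file 0 0
lxc.mount.entry = /dev/urandom dev/urandom none bind,create=file 0 0
EOF
}

# check_config FILE: return 0 when FILE carries lxc.autodev = 1, uid and gid
# maps, and both the cgroup allow line and the bind mount for /dev/random
# (c 1:8) and /dev/urandom (c 1:9); print what is missing otherwise.
check_config() {
    f="$1"
    rc=0
    grep -Eq '^lxc\.autodev[[:space:]]*=[[:space:]]*1' "$f" \
        || { echo "missing lxc.autodev = 1"; rc=1; }
    grep -Eq '^lxc\.id_map[[:space:]]*=[[:space:]]*u ' "$f" \
        || { echo "missing uid map (lxc.id_map = u ...)"; rc=1; }
    grep -Eq '^lxc\.id_map[[:space:]]*=[[:space:]]*g ' "$f" \
        || { echo "missing gid map (lxc.id_map = g ...)"; rc=1; }
    for dev in random urandom; do
        case $dev in random) minor=8 ;; urandom) minor=9 ;; esac
        grep -Eq "^lxc\.cgroup\.devices\.allow[[:space:]]*=[[:space:]]*c 1:$minor " "$f" \
            || { echo "no cgroup allow for /dev/$dev (c 1:$minor)"; rc=1; }
        grep -Eq "^lxc\.mount\.entry[[:space:]]*=[[:space:]]*/dev/$dev dev/$dev none bind" "$f" \
            || { echo "no bind mount entry for /dev/$dev"; rc=1; }
    done
    return $rc
}

# check_host_dev PATH: the bind-mounted node keeps the host's uid/gid/mode,
# and host root is unmapped in the container (it shows up as nobody:nogroup),
# so container processes only ever match the "other" bits. Require a
# character device whose "other" bits include read and write (6 or 7).
check_host_dev() {
    [ -c "$1" ] || { echo "$1 is not a character device"; return 1; }
    perm=$(stat -c '%a' "$1") || return 1     # GNU stat: octal mode, e.g. 666
    other=${perm#"${perm%?}"}                 # last octal digit = "other" bits
    case $other in 6|7) return 0 ;; esac
    echo "$1 has mode $perm: 'other' bits are $other, container root cannot use it"
    return 1
}

# Stand-alone run: write a config to a temp file, validate it, and check
# the host nodes the container will be handed.
if [ "${0##*/}" != "sh" ] && [ -z "${LXC_EXAMPLE_NO_MAIN:-}" ]; then
    cfg=$(mktemp)
    write_config "$cfg"
    check_config "$cfg" && echo "config: ok"
    for d in /dev/random /dev/urandom; do
        check_host_dev "$d" && echo "$d: ok"
    done
    rm -f "$cfg"
fi
```

Note that this does not change what the poster observed: the guest node still shows nobody:nogroup because the host's root uid is outside the id map. That is harmless as long as the host node is world readable and writable; what would break sshd is a host node with restrictive "other" bits, which check_host_dev reports.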

