[lxc-users] autodev hook and devices whitelist

Serge Hallyn serge.hallyn at ubuntu.com
Mon May 18 17:45:06 UTC 2015


Quoting Christoph Mathys (eraserix at gmail.com):
> On 13.05.2015 17:24, Serge Hallyn wrote:
> >Quoting Christoph Mathys (eraserix at gmail.com):
> >>device node has a dynamic major number and the number of devices
> >>depends on the host's configuration. When the container is started, I
> >>want to create the device nodes inside the container by inspecting the
> >>device nodes on the host.
> >>
> >> ...
> >>
> >>How can I create device nodes and whitelist them automatically at
> >>container startup time? I use lxc 1.0.7 on Ubuntu trusty.
> >>
> >>Thanks,
> >>Christoph
> >
> >lxc-cgroup tries to change it for a running container only.  You
> >want to edit /var/lib/lxc/$LXC_NAME/config and add
> >
> >lxc.cgroup.devices.allow = c 189:* rwm

Note you should also be able to use the lxc-device command:

lxc-device -n container add /dev/whatever

to do a few steps at once.

> 
> Thanks for your reply. My device nodes major number will be
> somewhere in the range 240-254 (sorry, bad example), the exact
> number is determined by the kernel when the module gets loaded. So I
> need to whitelist all of those.
> 
> So, if I've got everything right, my two options to allow access to
> devices are:
> - Statically in the containers config file
> - Dynamically once the container is RUNNING (e.g. *not* from hooks)


Yeah, pretty sure.  Adding a --persist option to lxc-device may be
a good idea, patches welcome :)
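
A worked example of the two routes discussed above, as an added shell
script that is not part of this thread or of the lxc project: it looks up
the driver's dynamic major number in /proc/devices (a constructed sample
is embedded so it runs offline), emits the static lxc.cgroup.devices.allow
line for the container config, shows the mknod step an autodev hook would
do from the host node, and wraps lxc-device for the running-container
case. The driver name "mydrv", the container name and the device paths are
illustrative assumptions, and the mknod helper needs root and a real
host node, so it is not exercised here.

```shell
#!/bin/sh
# Added example; not from the lxc-users thread or the lxc sources.

# Constructed sample of /proc/devices, so the script runs without the
# driver loaded. On a real host use /proc/devices directly.
SAMPLE_PROC_DEVICES='Character devices:
  1 mem
  4 /dev/vc/0
  4 tty
  5 /dev/tty
 10 misc
 13 input
 89 i2c
189 usb_device
242 mydrv

Block devices:
  8 sd
252 device-mapper'
SAMPLE_FILE=$(mktemp)
printf '%s\n' "$SAMPLE_PROC_DEVICES" > "$SAMPLE_FILE"

# major_for_driver NAME [FILE]: print the character-device major that the
# kernel assigned to driver NAME. Only the "Character devices:" section is
# consulted, so a block driver of the same name is not matched. Returns 1
# when the driver is not registered (module not loaded).
major_for_driver() {
    name=$1
    file=${2:-/proc/devices}
    awk -v n="$name" '
        /^Character devices:/ { insec = 1; next }
        /^Block devices:/     { insec = 0 }
        insec && $2 == n      { print $1; found = 1; exit }
        END { if (!found) exit 1 }
    ' "$file"
}

# devices_allow_line NAME [FILE]: the static option. Emit the config line
# that whitelists every minor of the driver's major, for
# /var/lib/lxc/$LXC_NAME/config. Caveat: "c MAJOR:* rwm" also covers any
# other device later registered on that major, and the line must be
# regenerated if a module reload lands on a different major.
devices_allow_line() {
    major=$(major_for_driver "$1" "$2") || return 1
    printf 'lxc.cgroup.devices.allow = c %s:* rwm\n' "$major"
}

# mknod_from_host HOSTDEV [ROOTFS]: what an autodev hook can do by itself:
# recreate a host character node inside the container's /dev with the same
# major/minor. LXC exports LXC_ROOTFS_MOUNT to hooks. This creates the node
# only; the cgroup whitelist still has to come from the config (above) or
# from lxc-device once the container runs (below). Requires root.
mknod_from_host() {
    src=$1
    rootfs=${2:-$LXC_ROOTFS_MOUNT}
    maj=$(stat -c '%t' "$src")   # hex major
    min=$(stat -c '%T' "$src")   # hex minor
    mknod -m 660 "$rootfs/dev/$(basename "$src")" c "$((0x$maj))" "$((0x$min))"
}

# allow_in_running_container [--dry-run] CONTAINER DEVNODE...: the dynamic
# option. lxc-device creates the node in the container and adds the
# cgroup allow entry in one step, but only for a running container and
# without persisting into the config. --dry-run prints the commands.
allow_in_running_container() {
    dry=0
    if [ "$1" = "--dry-run" ]; then dry=1; shift; fi
    container=$1; shift
    for dev in "$@"; do
        if [ "$dry" = 1 ]; then
            echo "lxc-device -n $container add $dev"
        else
            lxc-device -n "$container" add "$dev"
        fi
    done
}

# Usage: resolve the major once, write it into the config before start,
# or push the nodes into an already running container.
devices_allow_line mydrv "$SAMPLE_FILE"
allow_in_running_container --dry-run ct /dev/mydrv0 /dev/mydrv1
```

Run it before lxc-start to append the devices.allow line to the config;
for a container that is already up, drop --dry-run and the lxc-device
calls take effect immediately but are lost on the next restart.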


More information about the lxc-users mailing list