[lxc-users] Unable to use mknod

john john at tonebridge.com
Sat Nov 25 22:30:06 UTC 2017


Hello,

I have done enough Web searching on how to get access to a USB CD-ROM drive 
from an unprivileged container that I would like to think I have a 
unique problem :)

I am using Debian Stretch and lxc 2.0.7.  My container config is below.

In container:

container:/# mknod -m 666 /tmp/cdrom b 11 0
mknod: /tmp/cdrom: Operation not permitted

From outside:

host# lxc-device -n ripper add /dev/sr0
lxc-device: lxccontainer.c: do_add_remove_node: 3798 mknod failed
lxc-device: lxccontainer.c: do_add_remove_node: 3764 Failed to create note in guest
lxc-device: tools/lxc_device.c: main: 166 Failed to add /dev/sr0 to ripper.

host# ls -l /dev/sr0
brw-rw---- 1 root cdrom 11, 0 Nov 25 14:17 /dev/sr0

I have attempted to disable seccomp by commenting this out in 
/usr/share/lxc/config/common.conf:

# Blacklist some syscalls which are not safe in privileged
# containers
#lxc.seccomp = /usr/share/lxc/config/common.seccomp

I can't get that node created and it seems like it should.

What am I missing?


Container config:

lxc.include = /usr/share/lxc/config/debian.common.conf
lxc.include = /usr/share/lxc/config/debian.userns.conf
lxc.arch = x86_64

# Container specific configuration
lxc.id_map = u 0 100000 65536
lxc.id_map = g 0 100000 65536
lxc.mount.auto = proc:mixed sys:ro cgroup:mixed
lxc.rootfs = /containers/ripper/rootfs
lxc.rootfs.backend = dir
lxc.utsname = ripper

lxc.network.type = veth
lxc.network.link = br0
lxc.network.flags = up
lxc.network.hwaddr = 00:16:3e:80:78:fc

lxc.aa_profile = lxc-container-default-with-mounting
#lxc.aa_profile = unconfined

lxc.mount.entry = /dev/bus/usb/001 dev/bus/usb/001 none bind,optional,create=dir

# lxc.cgroup.devices.allow = typeofdevice majornumber:minornumber rwm
lxc.cgroup.devices.allow = b 11:* rwm

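Editor's note and example (added here; not part of the original post and not LXC's own documentation). An unprivileged container runs inside a user namespace, and the kernel only allows mknod of block or character device nodes to a caller holding CAP_MKNOD in the initial user namespace. The container's root is host uid 100000 under the id_map above and never has that capability, so the EPERM is the kernel's decision and is unaffected by commenting out lxc.seccomp or switching the AppArmor profile. lxc-device add creates the node by calling mknod inside the container, so it fails for the same reason. The working approach is to bind-mount the existing host node into the container and permit it in the devices cgroup, which the existing cgroup rule already does for all of major 11. The fragment below replaces the last two config lines of the post; the in-container path dev/sr0 and the narrower cgroup rule are illustrative choices, not something the post specifies:

```ini
# Bind the host's /dev/sr0 into the container instead of creating a node.
# create=file makes lxc create an empty regular file at dev/sr0 inside the
# rootfs to mount over; optional keeps the container starting when the
# drive is unplugged.
lxc.mount.entry = /dev/sr0 dev/sr0 none bind,optional,create=file

# Devices cgroup: allow just this node (11:0) rather than every minor of
# major 11 (b 11:* rwm), which is the least privilege the container needs.
lxc.cgroup.devices.allow = b 11:0 rwm
```

Ownership still matters after the bind mount: the host node is root:cdrom with mode 660, and host root is not mapped into the container, so inside it the node shows up as nobody:nogroup and the container's processes cannot open it. Either relax the mode on the host (chmod 666 /dev/sr0) or chown the node to the mapped uid (100000 here); which one is acceptable depends on who else can reach the drive on the host.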