[lxc-users] Unable to use mknod

Pavol Cupka pavol.cupka at gmail.com
Sat Nov 25 22:36:01 UTC 2017 

CAP_MKNOD

http://man7.org/linux/man-pages/man7/capabilities.7.html

You need to explicitly add the CAP_MKNOD capability to your container.

  lxc.cap.keep
          Specify the capability to be kept in the container. All other
          capabilities will be dropped. When a special value of "none"
          is encountered, lxc will clear any keep capabilities specified
          up to this point. A value of "none" alone can be used to drop
          all capabilities.

You could also try to automate this (if you happen to use systemd
inside the container) using:

  lxc.hook.autodev
          A hook to be run in the container's namespace after mounting
          has been done and after any mount hooks have run, but before
          the pivot_root, if lxc.autodev == 1.  The purpose of this hook
          is to assist in populating the /dev directory of the container
          when using the autodev option for systemd based containers.
          The container's /dev directory is relative to the
          ${LXC_ROOTFS_MOUNT} environment variable available when the
          hook is run.

which can point to a script running mknod.


On Sat, Nov 25, 2017 at 11:30 PM, john <john at tonebridge.com> wrote:
> Hello,
>
> I have done enough Web searching in how to get access to usb cdrom drive
> from an unprivileged container that I would like to think I have a unique
> problem :)
>
> I am using Debian Stretch and lxc 2.0.7.  My container config is below.
>
> In container:
>
> container:/# mknod -m 666 /tmp/cdrom b 11 0
> mknod: /tmp/cdrom: Operation not permitted
>
> From outside:
>
> host# lxc-device -n ripper add /dev/sr0
> lxc-device: lxccontainer.c: do_add_remove_node: 3798 mknod failed
> lxc-device: lxccontainer.c: do_add_remove_node: 3764 Failed to create note
> in guest
> lxc-device: tools/lxc_device.c: main: 166 Failed to add /dev/sr0 to ripper.
>
> host# ls -l /dev/sr0
> brw-rw---- 1 root cdrom 11, 0 Nov 25 14:17 /dev/sr0
>
> I have attempted to disable seccomp by commeting this out in
> /usr/share/lxc/config/common.conf:
>
> # Blacklist some syscalls which are not safe in privileged
> # containers
> #lxc.seccomp = /usr/share/lxc/config/common.seccomp
>
> I can't get that node created and it seems like it should.
>
> What am I missing?
>
>
> Container config:
>
> lxc.include = /usr/share/lxc/config/debian.common.conf
> lxc.include = /usr/share/lxc/config/debian.userns.conf
> lxc.arch = x86_64
>
> # Container specific configuration
> lxc.id_map = u 0 100000 65536
> lxc.id_map = g 0 100000 65536
> lxc.mount.auto = proc:mixed sys:ro cgroup:mixed
> lxc.rootfs = /containers/ripper/rootfs
> lxc.rootfs.backend = dir
> lxc.utsname = ripper
>
> lxc.network.type = veth
> lxc.network.link = br0
> lxc.network.flags = up
> lxc.network.hwaddr = 00:16:3e:80:78:fc
>
> lxc.aa_profile = lxc-container-default-with-mounting
> #lxc.aa_profile = unconfined
>
> lxc.mount.entry = /dev/bus/usb/001 dev/bus/usb/001  none
> bind,optional,create=dir
>
> # lxc.cgroup.devices.allow = typeofdevice majornumber:minornumber rwm
> lxc.cgroup.devices.allow = b 11:* rwm
>
>
> _______________________________________________
> lxc-users mailing list
> lxc-users at lists.linuxcontainers.org
> http://lists.linuxcontainers.org/listinfo/lxc-users

More information about the lxc-users mailing list