[lxc-users] Unable to use mknod

Pavol Cupka pavol.cupka at gmail.com
Sat Nov 25 22:37:21 UTC 2017


and here http://man7.org/linux/man-pages/man5/lxc.container.conf.5.html

On Sat, Nov 25, 2017 at 11:36 PM, Pavol Cupka <pavol.cupka at gmail.com> wrote:
> CAP_MKNOD
>
> http://man7.org/linux/man-pages/man7/capabilities.7.html
>
> You need to explicitly add the CAP_MKNOD capability to your container.
>
>   lxc.cap.keep
>           Specify the capability to be kept in the container. All other
>           capabilities will be dropped. When a special value of "none"
>           is encountered, lxc will clear any keep capabilities specified
>           up to this point. A value of "none" alone can be used to drop
>           all capabilities.
>
> You could also try to automate this (if you happen to use systemd
> inside the container) using:
>
>   lxc.hook.autodev
>           A hook to be run in the container's namespace after mounting
>           has been done and after any mount hooks have run, but before
>           the pivot_root, if lxc.autodev == 1.  The purpose of this hook
>           is to assist in populating the /dev directory of the container
>           when using the autodev option for systemd based containers.
>           The container's /dev directory is relative to the
>           ${LXC_ROOTFS_MOUNT} environment variable available when the
>           hook is run.
>
> which can point to a script running mknod.
>
>
> On Sat, Nov 25, 2017 at 11:30 PM, john <john at tonebridge.com> wrote:
>> Hello,
>>
>> I have done enough Web searching on how to get access to a usb cdrom drive
>> from an unprivileged container that I would like to think I have a unique
>> problem :)
>>
>> I am using Debian Stretch and lxc 2.0.7.  My container config is below.
>>
>> In container:
>>
>> container:/# mknod -m 666 /tmp/cdrom b 11 0
>> mknod: /tmp/cdrom: Operation not permitted
>>
>> From outside:
>>
>> host# lxc-device -n ripper add /dev/sr0
>> lxc-device: lxccontainer.c: do_add_remove_node: 3798 mknod failed
>> lxc-device: lxccontainer.c: do_add_remove_node: 3764 Failed to create note in guest
>> lxc-device: tools/lxc_device.c: main: 166 Failed to add /dev/sr0 to ripper.
>>
>> host# ls -l /dev/sr0
>> brw-rw---- 1 root cdrom 11, 0 Nov 25 14:17 /dev/sr0
>>
>> I have attempted to disable seccomp by commenting this out in
>> /usr/share/lxc/config/common.conf:
>>
>> # Blacklist some syscalls which are not safe in privileged
>> # containers
>> #lxc.seccomp = /usr/share/lxc/config/common.seccomp
>>
>> I can't get that node created and it seems like it should.
>>
>> What am I missing?
>>
>>
>> Container config:
>>
>> lxc.include = /usr/share/lxc/config/debian.common.conf
>> lxc.include = /usr/share/lxc/config/debian.userns.conf
>> lxc.arch = x86_64
>>
>> # Container specific configuration
>> lxc.id_map = u 0 100000 65536
>> lxc.id_map = g 0 100000 65536
>> lxc.mount.auto = proc:mixed sys:ro cgroup:mixed
>> lxc.rootfs = /containers/ripper/rootfs
>> lxc.rootfs.backend = dir
>> lxc.utsname = ripper
>>
>> lxc.network.type = veth
>> lxc.network.link = br0
>> lxc.network.flags = up
>> lxc.network.hwaddr = 00:16:3e:80:78:fc
>>
>> lxc.aa_profile = lxc-container-default-with-mounting
>> #lxc.aa_profile = unconfined
>>
>> lxc.mount.entry = /dev/bus/usb/001 dev/bus/usb/001 none bind,optional,create=dir
>>
>> # lxc.cgroup.devices.allow = typeofdevice majornumber:minornumber rwm
>> lxc.cgroup.devices.allow = b 11:* rwm
>>
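As an added diagnostic (not code from this thread or from LXC), the script below decodes the capability masks in /proc/self/status and the mapping in /proc/self/uid_map to show which layer is refusing the mknod from the question. It goes one step beyond the reply above: the kernel checks CAP_MKNOD for block and character nodes against the initial user namespace, so in an id-mapped container like the one configured above (lxc.id_map = u 0 100000 65536) keeping the capability with lxc.cap.keep is not enough on its own. The function names are mine; the capability number 27 for CAP_MKNOD comes from linux/capability.h.

```shell
#!/bin/sh
# Added diagnostic for the thread above (not code from the list or from LXC).
# Run inside the container that fails "mknod ... b 11 0" to see which layer
# is responsible. Assumes Linux procfs (/proc/self/status, /proc/self/uid_map).

# CAP_MKNOD is capability number 27 (linux/capability.h), i.e. bit 27 of the
# hex masks printed as CapEff/CapBnd in /proc/<pid>/status.
CAP_MKNOD=27

# has_cap HEXMASK BIT: succeed if BIT is set in HEXMASK (a CapEff-style value)
has_cap() {
    [ $(( 0x$1 >> $2 & 1 )) -eq 1 ]
}

# cap_field NAME [STATUSFILE]: print the hex mask for e.g. CapEff or CapBnd
cap_field() {
    awk -v f="$1:" '$1 == f { print $2 }' "${2:-/proc/self/status}"
}

# in_initial_userns [UIDMAPFILE]: succeed only for the identity mapping
# "0 0 4294967295"; an unprivileged LXC container (lxc.id_map = u 0 100000 65536)
# shows a mapped range instead.
in_initial_userns() {
    awk 'NR == 1 { ok = ($1 == 0 && $2 == 0 && $3 == 4294967295) }
         END { exit !ok }' "${1:-/proc/self/uid_map}"
}

# diagnose_mknod [STATUSFILE] [UIDMAPFILE]: return 1 if CAP_MKNOD is missing,
# 2 if it is present but we run in a child user namespace (vfs_mknod checks
# CAP_MKNOD for block/char nodes against the initial namespace, so lxc.cap.keep
# cannot fix that), 0 if the remaining suspects are seccomp, cgroup or AppArmor.
diagnose_mknod() {
    eff=$(cap_field CapEff "$1")
    if ! has_cap "$eff" "$CAP_MKNOD"; then
        echo "CAP_MKNOD not in effective set (CapEff=$eff): check lxc.cap.keep"
        return 1
    fi
    if ! in_initial_userns "$2"; then
        echo "CAP_MKNOD present, but this is a mapped (unprivileged) user namespace"
        return 2
    fi
    echo "CAP_MKNOD present in the initial user namespace: look at seccomp, lxc.cgroup.devices.allow and lxc.aa_profile"
    return 0
}

if [ -r /proc/self/status ] && [ -r /proc/self/uid_map ]; then
    diagnose_mknod || :
fi
```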
