[lxc-users] Unable to use mknod

john john at tonebridge.com
Sat Nov 25 23:33:52 UTC 2017


Thanks. Adding "lxc.cap.keep = mknod" gives me an error on container 
startup due to simultaneously using lxc.cap.drop. Drop is probably 
defined in some include file; I will track that down.

lxc-start: conf.c: lxc_setup: 3965 Container requests lxc.cap.drop and lxc.cap.keep: either use lxc.cap.drop or lxc.cap.keep, not both.

John


On 11/25/2017 04:37 PM, Pavol Cupka wrote:
> and here http://man7.org/linux/man-pages/man5/lxc.container.conf.5.html
>
> On Sat, Nov 25, 2017 at 11:36 PM, Pavol Cupka <pavol.cupka at gmail.com> wrote:
>> CAP_MKNOD
>>
>> http://man7.org/linux/man-pages/man7/capabilities.7.html
>>
>> You need to explicitly add the CAP_MKNOD capability to your container.
>>
>>    lxc.cap.keep
>>            Specify the capability to be kept in the container. All other
>>            capabilities will be dropped. When a special value of "none"
>>            is encountered, lxc will clear any keep capabilities specified
>>            up to this point. A value of "none" alone can be used to drop
>>            all capabilities.
>>
>> You could also try to automate this (if you happen to use systemd
>> inside the container) using:
>>
>>    lxc.hook.autodev
>>            A hook to be run in the container's namespace after mounting
>>            has been done and after any mount hooks have run, but before
>>            the pivot_root, if lxc.autodev == 1.  The purpose of this hook
>>            is to assist in populating the /dev directory of the container
>>            when using the autodev option for systemd based containers.
>>            The container's /dev directory is relative to the
>>            ${LXC_ROOTFS_MOUNT} environment variable available when the
>>            hook is run.
>>
>> which can point to a script running mknod.
>>
>>
>> On Sat, Nov 25, 2017 at 11:30 PM, john <john at tonebridge.com> wrote:
>>> Hello,
>>>
>>> I have done enough Web searching on how to get access to a USB CD-ROM drive
>>> from an unprivileged container that I would like to think I have a unique
>>> problem :)
>>>
>>> I am using Debian Stretch and lxc 2.0.7.  My container config is below.
>>>
>>> In container:
>>>
>>> container:/# mknod -m 666 /tmp/cdrom b 11 0
>>> mknod: /tmp/cdrom: Operation not permitted
>>>
>>> From outside:
>>>
>>> host# lxc-device -n ripper add /dev/sr0
>>> lxc-device: lxccontainer.c: do_add_remove_node: 3798 mknod failed
>>> lxc-device: lxccontainer.c: do_add_remove_node: 3764 Failed to create note in guest
>>> lxc-device: tools/lxc_device.c: main: 166 Failed to add /dev/sr0 to ripper.
>>>
>>> host# ls -l /dev/sr0
>>> brw-rw---- 1 root cdrom 11, 0 Nov 25 14:17 /dev/sr0
>>>
>>> I have attempted to disable seccomp by commenting this out in
>>> /usr/share/lxc/config/common.conf:
>>>
>>> # Blacklist some syscalls which are not safe in privileged
>>> # containers
>>> #lxc.seccomp = /usr/share/lxc/config/common.seccomp
>>>
>>> I can't get that node created and it seems like it should.
>>>
>>> What am I missing?
>>>
>>>
>>> Container config:
>>>
>>> lxc.include = /usr/share/lxc/config/debian.common.conf
>>> lxc.include = /usr/share/lxc/config/debian.userns.conf
>>> lxc.arch = x86_64
>>>
>>> # Container specific configuration
>>> lxc.id_map = u 0 100000 65536
>>> lxc.id_map = g 0 100000 65536
>>> lxc.mount.auto = proc:mixed sys:ro cgroup:mixed
>>> lxc.rootfs = /containers/ripper/rootfs
>>> lxc.rootfs.backend = dir
>>> lxc.utsname = ripper
>>>
>>> lxc.network.type = veth
>>> lxc.network.link = br0
>>> lxc.network.flags = up
>>> lxc.network.hwaddr = 00:16:3e:80:78:fc
>>>
>>> lxc.aa_profile = lxc-container-default-with-mounting
>>> #lxc.aa_profile = unconfined
>>>
>>> lxc.mount.entry = /dev/bus/usb/001 dev/bus/usb/001 none bind,optional,create=dir
>>>
>>> # lxc.cgroup.devices.allow = typeofdevice majornumber:minornumber rwm
>>> lxc.cgroup.devices.allow = b 11:* rwm
>>>
>>>
>>> _______________________________________________
>>> lxc-users mailing list
>>> lxc-users at lists.linuxcontainers.org
>>> http://lists.linuxcontainers.org/listinfo/lxc-users
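An added example, not from the thread or the LXC project, of the hook Pavol describes: a dry-run-capable lxc.hook.autodev script that creates the cdrom node under ${LXC_ROOTFS_MOUNT}/dev from a fixed allowlist matching the thread's `b 11 0`. The install path is hypothetical, and the hook is assumed to run with real CAP_MKNOD, which a uid-mapped container's root does not have on a host-mounted rootfs; for unprivileged containers the host node is usually bind-mounted in instead.

```shell
#!/bin/sh
# Added example (not LXC's code): an lxc.hook.autodev script that creates
# the cdrom node inside the container's /dev. LXC exposes the container's
# root to hooks via ${LXC_ROOTFS_MOUNT}. Hypothetical config line:
#   lxc.hook.autodev = /var/lib/lxc/ripper/autodev.sh
set -eu

# Allowlist of nodes to create: "name type major minor mode" (constructed;
# b 11 0 is the host's /dev/sr0 from the thread). Keep it in step with the
# lxc.cgroup.devices.allow line so the cgroup and the nodes agree.
DEVICE_SPECS="sr0 b 11 0 660"

# make_node DEVDIR NAME TYPE MAJOR MINOR MODE
# Validates the spec and creates DEVDIR/NAME. With DRY_RUN=1 it prints the
# mknod command instead of running it, so the hook can be reviewed without
# privilege. Returns 1 on a malformed spec; an existing node is left alone.
make_node() {
    devdir=$1 name=$2 dtype=$3 major=$4 minor=$5 mode=$6
    case "$dtype" in
        b|c) ;;
        *) echo "autodev: refusing device type '$dtype' for $name" >&2; return 1 ;;
    esac
    case "$major$minor$mode" in
        ''|*[!0-9]*) echo "autodev: non-numeric spec for $name" >&2; return 1 ;;
    esac
    target="$devdir/$name"
    if [ -e "$target" ]; then
        echo "autodev: $target already exists, leaving it alone" >&2
        return 0
    fi
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "mknod -m $mode $target $dtype $major $minor"
        return 0
    fi
    mknod -m "$mode" "$target" "$dtype" "$major" "$minor"
}

# Entry point when lxc-start runs this as the autodev hook. Skipped when the
# file is sourced for review, since only lxc-start sets LXC_ROOTFS_MOUNT.
if [ -n "${LXC_ROOTFS_MOUNT:-}" ]; then
    echo "$DEVICE_SPECS" | while read -r name dtype major minor mode; do
        [ -n "$name" ] || continue
        make_node "$LXC_ROOTFS_MOUNT/dev" "$name" "$dtype" "$major" "$minor" "$mode"
    done
fi
```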
