[libvirt-users] How automatically set group.devices.allow for libvirt-lxc container after start ?

mxs kolo kolomaxes at gmail.com
Thu Sep 21 14:14:38 UTC 2017


Hi.

I need to use /dev/ppp inside the lxc container, for very ancient software.
Problem solved this way:
1) virsh edit container name and add section:
  <features>
    <capabilities policy='default'>
      <mknod state='on'/>
    </capabilities>
  </features>
2) start container
3) attach or ssh container, be root:
# mknod /dev/ppp c 108 0
4) inside container (or from hardware node, no difference) run:
# echo "c 108:0 rwm" > /sys/fs/cgroup/devices/machine.slice/machine-lxc\\x2d${PID}\\x2d${CONTAINER_NAME}.scope/devices.allow
5) Now pppd works inside lxc:
# pppd call reuters debug nodetach
using channel 1
Using interface ppp0
Connect: ppp0 <--> /dev/pts/2
sent [LCP ConfReq id=0x1 <mru 1000> <asyncmap 0x0> <magic 0x567d90ae>]
...

But such method has several drawbacks.
1) I do not want to give cap_mknod, no need for extra holes. With
cap_mknod you can make /dev/block_device and, using devices.allow, give
it the rights rwm.

2) Does libvirt-lxc have some analog of the lxc/lxd option lxc.cgroup.devices.allow?
 lxc.cgroup.devices.allow = c 108:0 rwm

And yes, I need to run "mknod" and "echo" each time after the container
restarts and before starting the pppd daemon inside.

p.s.
It would be nice to be able to specify any device in the XML domain config, for example:
<devices>
  <device type='char' maj='108' min='0' allow='rwm' name="/dev/ppp"/>
</devices>
At start libvirt executes mknod and then writes the necessary rights
to cgroups device.allow.

b.r.
 Maxim Kozin
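The steps 3 and 4 above, automated from the host side so that the container itself never needs cap_mknod. This is an added example written for this page, not code from the post or from libvirt; it assumes the cgroup v1 layout shown in the post, that the PID in the scope name is the number reported by `virsh -c lxc:/// domid NAME` (override with LXC_PID if that assumption does not hold), and that `virsh lxc-enter-namespace` runs its command inside the container's namespaces with the host root's capabilities, so the mknod succeeds without granting cap_mknod to the container's own processes. The device rule is validated to character devices with a subset of r/w/m, which is the least-privilege point the post raises about block devices.

```shell
#!/bin/sh
# Added example (not from the post or libvirt): grant one char device to a
# running libvirt-lxc container without enabling cap_mknod inside it.
set -eu

# cgroup v1 devices controller root, as in the post (assumption: v1 layout).
CGROUP_ROOT="${CGROUP_ROOT:-/sys/fs/cgroup/devices/machine.slice}"

# devices.allow for a libvirt-lxc scope. systemd escapes "-" in unit names
# as \x2d, which is why the post's shell line needed "\\x2d".
devices_allow_path() {  # $1 = PID in the scope name, $2 = container name
    printf '%s/machine-lxc\\x2d%s\\x2d%s.scope/devices.allow\n' \
        "$CGROUP_ROOT" "$1" "$2"
}

# Build a devices-cgroup rule, rejecting anything broader than one char
# device with some subset of r, w, m (no block devices, no wildcards).
device_rule() {  # $1 = type, $2 = major, $3 = minor, $4 = perms
    [ "$1" = c ] || { echo "only char devices are allowed: $1" >&2; return 1; }
    for n in "$2" "$3"; do
        case "$n" in ""|*[!0-9]*)
            echo "major/minor must be numeric: '$n'" >&2; return 1 ;;
        esac
    done
    case "$4" in [rwm]|[rwm][rwm]|[rwm][rwm][rwm]) ;;
        *) echo "perms must be a subset of rwm: $4" >&2; return 1 ;;
    esac
    printf '%s %s:%s %s\n' "$1" "$2" "$3" "$4"
}

# Create the node from the host: the command runs in the container's mount
# namespace but keeps host root's capabilities (assumption, see lead-in).
make_node() {  # $1 = container name, $2 = path, $3 = major, $4 = minor
    virsh -c lxc:/// lxc-enter-namespace "$1" -- /bin/sh -c \
        "[ -c '$2' ] || mknod -m 0600 '$2' c $3 $4"
}

# Write a validated rule into the container's devices.allow.
grant_device() {  # $1 = container name, $2 = rule from device_rule
    pid="${LXC_PID:-$(virsh -c lxc:/// domid "$1")}"
    path="$(devices_allow_path "$pid" "$1")"
    [ -w "$path" ] || { echo "no writable devices.allow at $path" >&2; return 1; }
    printf '%s\n' "$2" > "$path"
    echo "granted '$2' via $path"
}

# Only act when invoked as: ./grant-ppp.sh --apply CONTAINER_NAME
if [ "${1:-}" = "--apply" ]; then
    name="${2:?container name required}"
    make_node "$name" /dev/ppp 108 0
    grant_device "$name" "$(device_rule c 108 0 rwm)"
fi
```

To make this run automatically after each restart, libvirt calls a hook script at /etc/libvirt/hooks/lxc with the guest name and an operation such as `started` (see libvirt's hooks documentation); the caveat a hook author must respect is that libvirt's documentation forbids hook scripts from calling back into libvirtd, so the `virsh` calls above would have to be replaced there (for example by passing the PID via LXC_PID and entering the mount namespace with another tool), otherwise the hook deadlocks against the daemon that is waiting for it.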