mxs kolo
2017-Sep-21  14:14 UTC
[libvirt-users] How automatically set group.devices.allow for libvirt-lxc container after start ?
Hi.
I need to use /dev/ppp inside an lxc container, for very ancient software.
I solved the problem this way:
1) virsh edit <container name> and add the section:
  <features>
    <capabilities policy='default'>
      <mknod state='on'/>
    </capabilities>
  </features>
2) start the container
3) attach to or ssh into the container, as root:
# mknod /dev/ppp c 108 0
4) inside the container (or from the hardware node, no difference) run:
# echo "c 108:0 rwm" > /sys/fs/cgroup/devices/machine.slice/machine-lxc\\x2d${PID}\\x2d${CONTAINER_NAME}.scope/devices.allow
5) Now pppd works inside lxc:
# pppd call reuters debug nodetach
using channel 1
Using interface ppp0
Connect: ppp0 <--> /dev/pts/2
sent [LCP ConfReq id=0x1 <mru 1000> <asyncmap 0x0> <magic 0x567d90ae>]
...
But this method has several drawbacks.
1) I do not want to give cap_mknod; no need for extra holes. With
cap_mknod you can make /dev/block_device and use devices.allow to give
it rwm rights.
2) Does libvirt-lxc have some analog of the lxc/lxd option lxc.cgroup.devices.allow?
  lxc.cgroup.devices.allow = c 108:0 rwm
And yes, I need to run "mknod" and "echo" each time after the container
restarts and before starting the pppd daemon inside.
p.s.
It would be nice to specify any device in the XML domain config, for example:
<devices>
  <device type='char' maj='108' min='0' allow='rwm' name="/dev/ppp"/>
</devices>
At start libvirt would execute mknod and then write the necessary rights
to cgroup devices.allow.
b.r.
Maxim Kozin
Daniel P. Berrange
2017-Sep-21  14:45 UTC
Re: [libvirt-users] How automatically set group.devices.allow for libvirt-lxc container after start ?
On Thu, Sep 21, 2017 at 05:14:38PM +0300, mxs kolo wrote:
> p.s.
> It would be nice to specify any device in the XML domain config, for example:
> <devices>
>   <device type='char' maj='108' min='0' allow='rwm' name="/dev/ppp"/>
> </devices>
> At start libvirt would execute mknod and then write the necessary rights
> to cgroup devices.allow.

You can do exactly that

<hostdev mode='capabilities' type='misc'>
  <source>
    <char>/dev/input/event3</char>
  </source>
</hostdev>

or for block devs

<hostdev mode='capabilities' type='storage'>
  <source>
    <block>/dev/sdf1</block>
  </source>
</hostdev>

See: http://libvirt.org/formatdomain.html#elementsHostDevCaps

The device path you've listed must exist in the host's /dev for this to
work though - we don't make it possible to create devices in the container
which don't exist in the host.

Regards,
Daniel
-- 
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
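Putting the two posts together, as an added example (this is not code from either post or from libvirt): a small POSIX sh script with the cgroup path builder behind step 4 of the first post, a generator for the hostdev fragment Daniel points to, and a host-side helper that refuses a path that is not a device node on the host (libvirt does not create devices in the container that the host lacks) before adding the hostdev to the persistent domain XML. Two things are assumptions rather than documented facts and are marked as such in the comments: that the container's systemd scope is named machine-lxc\x2d<PID>\x2d<NAME>.scope with only the '-' escape handled, and that `virsh attach-device --config` is accepted for lxc:/// domains (pasting the same fragment into <devices> with `virsh edit` is the fallback).

```sh
#!/bin/sh
# Added example for this thread; not code from the posts or from libvirt.
#
# devices_allow_path PID NAME
#   Builds the devices.allow path used by the manual method in the first
#   post. Assumption: the container's systemd scope is named
#   machine-lxc-<PID>-<NAME>.scope with every '-' escaped to \x2d, as in
#   the post; only that escape is handled here.
devices_allow_path() {
  pid="$1"; name="$2"
  scope=$(printf 'lxc-%s-%s' "$pid" "$name" | sed 's/-/\\x2d/g')
  printf '/sys/fs/cgroup/devices/machine.slice/machine-%s.scope/devices.allow\n' "$scope"
}

# hostdev_xml char|block PATH
#   Emits the <hostdev mode='capabilities'> fragment from the reply:
#   type='misc' with <char> for character devices, type='storage' with
#   <block> for block devices.
hostdev_xml() {
  kind="$1"; dev="$2"
  case "$kind" in
    char)  type=misc ;;
    block) type=storage ;;
    *) echo "hostdev_xml: kind must be char or block" >&2; return 1 ;;
  esac
  printf "<hostdev mode='capabilities' type='%s'>\n  <source>\n    <%s>%s</%s>\n  </source>\n</hostdev>\n" \
    "$type" "$kind" "$dev" "$kind"
}

# grant_device DOMAIN PATH   (host side; needs libvirt-lxc, not run by the tests)
#   Refuses paths that are not a device node on the host, since libvirt only
#   passes through devices that exist there, then adds the hostdev to the
#   persistent domain XML. Assumption: `virsh attach-device --config` is
#   accepted for lxc:/// domains; `virsh edit` with the same fragment pasted
#   into <devices> is the fallback. At the next start libvirt creates the
#   node and writes the cgroup rule itself, so the container does not need
#   the mknod capability from step 1 of the first post.
grant_device() {
  domain="$1"; dev="$2"
  if [ -c "$dev" ]; then kind=char
  elif [ -b "$dev" ]; then kind=block
  else
    echo "grant_device: $dev is not a device node on the host" >&2
    return 1
  fi
  tmp=$(mktemp) || return 1
  hostdev_xml "$kind" "$dev" > "$tmp"
  virsh -c lxc:/// attach-device "$domain" "$tmp" --config
  rc=$?
  rm -f "$tmp"
  return $rc
}

# Usage:  ./grant.sh grant <domain> /dev/ppp
#         ./grant.sh path  <pid> <domain>
case "${1:-}" in
  grant) grant_device "$2" "$3" ;;
  path)  devices_allow_path "$2" "$3" ;;
esac
```

The `path` subcommand only reproduces the manual procedure's target file; the `grant` subcommand is the replacement for it, since the hostdev entry persists across container restarts, which the mknod-plus-echo procedure did not.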