How to automatically set cgroup.devices.allow for a libvirt-lxc container after start?

  Hi.

I need to use /dev/ppp inside the lxc container, for very ancient software.
The problem was solved this way:
1) Run virsh edit <container name> and add this section:
  <features>
    <capabilities policy='default'>
      <mknod state='on'/>
    </capabilities>
  </features>
2) Start the container.
3) Attach or ssh to the container and become root:
# mknod /dev/ppp c 108 0
4) Inside the container (or from the hardware node, no difference) run:
# echo "c 108:0 rwm" > /sys/fs/cgroup/devices/machine.slice/machine-lxc\\x2d${PID}\\x2d${CONTAINER_NAME}.scope/devices.allow
5) Now pppd works inside lxc:
# pppd call reuters debug nodetach
using channel 1
Using interface ppp0
Connect: ppp0 <--> /dev/pts/2
sent [LCP ConfReq id=0x1 <mru 1000> <asyncmap 0x0> <magic 0x567d90ae>]
...

But this method has several drawbacks.
1) I do not want to grant cap_mknod; there is no need for extra holes. With
cap_mknod you can create /dev/block_device and use devices.allow to give
it rwm rights.

2) Does libvirt-lxc have some analog of the lxc/lxd option lxc.cgroup.devices.allow?
 lxc.cgroup.devices.allow = c 108:0 rwm

And yes, I need to run "mknod" and "echo" each time after a container
restart and before starting the pppd daemon inside.

p.s.
It would be nice to be able to specify any device in the domain XML config, for example:
<devices>
  <device type='char' maj='108' min='0' allow='rwm' name="/dev/ppp"/>
</devices>
At start, libvirt would execute mknod and then write the necessary rights
to the cgroup's devices.allow.

b.r.
 Maxim Kozin

_______________________________________________
libvirt-users mailing list
libvirt-users@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvirt-users
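
An added example, not part of the original message: a host-side helper for step 4 that builds the scope path and refuses anything except a single character device, so the rule can be applied from the hardware node after each start. The function names and the CGROOT override are assumptions made here; the path follows the layout in the post, written with the .scope suffix systemd uses for scope units.

```shell
#!/bin/sh
# Added example (not from the original post): host-side version of step 4
# for the cgroup v1 devices controller. Function names and the CGROOT
# override are assumptions made for this example.
CGROOT="${CGROOT:-/sys/fs/cgroup/devices}"

# systemd writes "-" inside a unit name as "\x2d", so a container name
# containing "-" needs the same escaping as the separators in the post.
escape_name() {
    printf '%s' "$1" | sed 's/-/\\x2d/g'
}

# Build the scope directory from the PID and container name.
scope_dir() {
    pid=$1 name=$2
    case $pid in ''|*[!0-9]*) echo "bad pid: $pid" >&2; return 1 ;; esac
    case $name in ''|*[!A-Za-z0-9_.-]*) echo "bad name: $name" >&2; return 1 ;; esac
    printf '%s/machine.slice/machine-lxc\\x2d%s\\x2d%s.scope\n' \
        "$CGROOT" "$pid" "$(escape_name "$name")"
}

# Format one devices.allow rule. Only a character device with a numeric
# major:minor is accepted, so neither a block device nor a "*" wildcard
# can be allowed by mistake.
device_rule() {
    kind=$1 major=$2 minor=$3 perms=$4
    [ "$kind" = c ] || { echo "only char devices are allowed" >&2; return 1; }
    for n in "$major" "$minor"; do
        case $n in ''|*[!0-9]*) echo "bad device number: $n" >&2; return 1 ;; esac
    done
    case $perms in ''|*[!rwm]*) echo "bad permissions: $perms" >&2; return 1 ;; esac
    printf '%s %s:%s %s\n' "$kind" "$major" "$minor" "$perms"
}

# Write the rule into the container's devices.allow (needs root on the host).
allow_device() {
    dir=$(scope_dir "$1" "$2") || return 1
    rule=$(device_rule "$3" "$4" "$5" "$6") || return 1
    [ -d "$dir" ] || { echo "no such scope: $dir" >&2; return 1; }
    printf '%s\n' "$rule" > "$dir/devices.allow"
}

# Usage: allow_device <PID> <container name> c 108 0 rwm
```

This covers only the cgroup rule; the device node itself still has to exist inside the container, as in step 3.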


