Hi.

I need to use /dev/ppp inside the lxc container, for very ancient software.
The problem was solved this way:

1) virsh edit container name and add the section:

    <features>
      <capabilities policy='default'>
        <mknod state='on'/>
      </capabilities>
    </features>

2) start the container

3) attach or ssh to the container, be root:

    # mknod /dev/ppp c 108 0

4) inside the container (or from the hardware node, no difference) run:

    # echo "c 108:0 rwm" > /sys/fs/cgroup/devices/machine.slice/machine-lxc\\x2d${PID}\\x2d${CONTAINER_NAME}.scope/devices.allow

5) Now pppd works inside lxc:

    # pppd call reuters debug nodetach
    using channel 1
    Using interface ppp0
    Connect: ppp0 <--> /dev/pts/2
    sent [LCP ConfReq id=0x1 <mru 1000> <asyncmap 0x0> <magic 0x567d90ae>]
    ...

But this method has several drawbacks.

1) I do not want to give cap_mknod, no need for extra holes. With cap_mknod you can make /dev/block_device and, using devices.allow, give it the rights rwm.

2) Does libvirt-lxc have some analog of the lxc/lxd option lxc.cgroup.devices.allow?

    lxc.cgroup.devices.allow = c 108:0 rwm

And yes, I need to run "mknod" and "echo" each time after a container restart and before starting the pppd daemon inside.

p.s. It would be nice to specify any device in the xml domain config, for example:

    <devices>
      <device type='char' maj='108' min='0' allow='rwm' name="/dev/ppp"/>
    </devices>

At start libvirt executes mknod and then writes the necessary rights to the cgroup devices.allow.

b.r.
Maxim Kozin
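An added example, not part of the original message: a small audit for the concern in drawback 1, which checks a libvirt-lxc domain XML for a retained mknod capability and a cgroup v1 devices.list for block-device or catch-all rules. The function names, the sample XML and the sample devices.list are constructed for illustration; the policy handling (mknod dropped unless state='on' under 'default' or 'deny', kept unless state='off' under 'allow') is an assumption of this example.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: the <features> section from the post in a minimal domain.
DOMAIN_XML = """
<domain type='lxc'>
  <name>demo</name>
  <features>
    <capabilities policy='default'>
      <mknod state='on'/>
    </capabilities>
  </features>
</domain>
"""

# Constructed sample of devices.list after step 4 of the post, plus one
# block-device rule of the kind the post is worried about.
DEVICES_LIST = """\
c 1:3 rwm
c 108:0 rwm
b 8:0 rwm
"""

# cgroup v1 device rule: type, major:minor (number or *), access flags.
RULE = re.compile(r"^([abc]) (\*|\d+):(\*|\d+) ([rwm]+)$")

def mknod_granted(domain_xml):
    """True if the domain XML leaves the mknod capability in the container."""
    caps = ET.fromstring(domain_xml).find("./features/capabilities")
    if caps is None:
        return False  # assumption: mknod is dropped when nothing is configured
    node = caps.find("mknod")
    state = node.get("state") if node is not None else None
    if caps.get("policy", "default") == "allow":
        return state != "off"   # 'allow' keeps everything not switched off
    return state == "on"        # 'default'/'deny' need an explicit 'on'

def risky_device_rules(devices_list):
    """Return rules that expose block devices ('b') or all devices ('a')."""
    rules = (RULE.match(line.strip()) for line in devices_list.splitlines())
    return [m.group(0) for m in rules if m and m.group(1) in ("a", "b")]

def audit(domain_xml, devices_list):
    return {"mknod": mknod_granted(domain_xml),
            "risky_rules": risky_device_rules(devices_list)}

if __name__ == "__main__":
    print(audit(DOMAIN_XML, DEVICES_LIST))
```
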