Serge E. Hallyn wrote:
> Quoting Matt Helsley (matthltc@xxxxxxxxxx):
>>> (this is the code i inserted into the old lxc-debian command,
>>> haven't checked if i need to change it for the new one)
>>>
>>> echo "lxc.cgroup.devices.deny = a" >> $CONFFILE
>>> # /dev/null and zero
>>> echo "lxc.cgroup.devices.allow = c 1:3 rwm" >> $CONFFILE
>>> echo "lxc.cgroup.devices.allow = c 1:5 rwm" >> $CONFFILE
>>> # consoles
>>> echo "lxc.cgroup.devices.allow = c 5:1 rwm" >> $CONFFILE
>>> echo "lxc.cgroup.devices.allow = c 5:0 rwm" >> $CONFFILE
>>> echo "lxc.cgroup.devices.allow = c 4:0 rwm" >> $CONFFILE
>>> echo "lxc.cgroup.devices.allow = c 4:1 rwm" >> $CONFFILE
>>> # /dev/{,u}random
>>> echo "lxc.cgroup.devices.allow = c 1:9 rwm" >> $CONFFILE
>>> echo "lxc.cgroup.devices.allow = c 1:8 rwm" >> $CONFFILE
>>> # /dev/pts/* - pts namespaces are "coming soon"
>>> echo "lxc.cgroup.devices.allow = c 136:* rwm" >> $CONFFILE
>>> # rtc
>>> echo "lxc.cgroup.devices.allow = c 254:0 rwm" >> $CONFFILE
>> This could be a tad prettier with a "here file" rather than all the
>> echoes and >> $CONFFILE:
>
> The new lxc-debian actually does
>
> cat > $CONFIGFILE << EOF
>
> I pasted from my old version.
>
>> #
>> # Write some reasonable default device whitelist rules
>> #
>> cat - >> $CONFFILE <<-"EOF"
>> lxc.cgroup.devices.deny = a
>> # /dev/null and zero
>> lxc.cgroup.devices.allow = c 1:3 rwm
>> lxc.cgroup.devices.allow = c 1:5 rwm
>> # consoles
>> lxc.cgroup.devices.allow = c 5:1 rwm
>> lxc.cgroup.devices.allow = c 5:0 rwm
>> lxc.cgroup.devices.allow = c 4:0 rwm
>> lxc.cgroup.devices.allow = c 4:1 rwm
>> # /dev/{,u}random
>> lxc.cgroup.devices.allow = c 1:9 rwm
>> lxc.cgroup.devices.allow = c 1:8 rwm
>> # /dev/pts/* - pts namespaces are "coming soon"
>> lxc.cgroup.devices.allow = c 136:* rwm
>> # rtc
>> lxc.cgroup.devices.allow = c 254:0 rwm
>> EOF
>>
>> The quotes around EOF prevent bash from doing any substitution on the
>> file contents.

I added these devices to the debian configuration file and fixed the cgroup list order, "lxc.cgroup.devices.deny = a" was the last entry :/

By default the debian has no root password, so the ssh connection will always fail until a password is set for root. I will look into how to change the root password to 'root' after debootstrapping ...

I added "lxc.cgroup.devices.allow = c 5:2 rwm" in order to use /dev/ptmx for the tty's ssh connection.

The container is no longer able to create /dev/initctl, so the poweroff command will fail. Serge, do you know what the syntax is for the devices.allow for initctl?

Thanks.
  -- Daniel

_______________________________________________
Containers mailing list
Containers@xxxxxxxxxxxxxxxxxxxxxxxxxx
https://lists.linux-foundation.org/mailman/listinfo/containers
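
Added example, not part of the original message or of lxc-debian: the whitelist from this thread written with a quoted here-document, plus a check for the ordering problem mentioned above (the blanket deny ending up after the allow rules, which are applied in file order). The function names `write_device_whitelist` and `check_device_order` are hypothetical.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not from lxc-debian.

# Append the device whitelist from the thread to the config file "$1".
# The quoted 'EOF' stops the shell from expanding anything in the body.
write_device_whitelist() {
    cat >> "$1" <<'EOF'
lxc.cgroup.devices.deny = a
# /dev/null and zero
lxc.cgroup.devices.allow = c 1:3 rwm
lxc.cgroup.devices.allow = c 1:5 rwm
# consoles
lxc.cgroup.devices.allow = c 5:1 rwm
lxc.cgroup.devices.allow = c 5:0 rwm
lxc.cgroup.devices.allow = c 4:0 rwm
lxc.cgroup.devices.allow = c 4:1 rwm
# /dev/{,u}random
lxc.cgroup.devices.allow = c 1:9 rwm
lxc.cgroup.devices.allow = c 1:8 rwm
# /dev/pts/* and /dev/ptmx
lxc.cgroup.devices.allow = c 136:* rwm
lxc.cgroup.devices.allow = c 5:2 rwm
# rtc
lxc.cgroup.devices.allow = c 254:0 rwm
EOF
}

# Exit 0 only if "deny = a" is the first devices rule in "$1"; otherwise
# print why and exit 1 (an allow rule comes first, or no blanket deny exists).
check_device_order() {
    awk '
        /^[[:space:]]*lxc\.cgroup\.devices\.(allow|deny)[[:space:]]*=/ {
            n++
            key = $0; sub(/[[:space:]]*=.*/, "", key); sub(/^[[:space:]]*/, "", key)
            val = $0; sub(/^[^=]*=[[:space:]]*/, "", val); sub(/[[:space:]]*$/, "", val)
            if (key == "lxc.cgroup.devices.deny" && val == "a") {
                seen = 1
                if (n > 1) { print "line " NR ": deny = a follows " (n - 1) " rule(s)"; bad = 1 }
            }
        }
        END {
            if (!seen) { print "no lxc.cgroup.devices.deny = a rule"; bad = 1 }
            exit bad
        }
    ' "$1"
}
```

Running `check_device_order` on a generated config before starting the container catches a misplaced deny without having to debug missing device nodes from inside it.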