Serge E. Hallyn wrote:
> Quoting Daniel Lezcano (dlezcano@xxxxxxxxxx):
>> Serge E. Hallyn wrote:
>>> Quoting Matt Helsley (matthltc@xxxxxxxxxx):
>>>> #
>>>> # Write some reasonable default device whitelist rules
>>>> #
>>>> cat - >> $CONFFILE <<-"EOF"
>>>> lxc.cgroup.devices.deny = a
>>>> # /dev/null and zero
>>>> lxc.cgroup.devices.allow = c 1:3 rwm
>>>> lxc.cgroup.devices.allow = c 1:5 rwm
>>>> # consoles
>>>> lxc.cgroup.devices.allow = c 5:1 rwm
>>>> lxc.cgroup.devices.allow = c 5:0 rwm
>>>> lxc.cgroup.devices.allow = c 4:0 rwm
>>>> lxc.cgroup.devices.allow = c 4:1 rwm
>>>> # /dev/{,u}random
>>>> lxc.cgroup.devices.allow = c 1:9 rwm
>>>> lxc.cgroup.devices.allow = c 1:8 rwm
>>>> # /dev/pts/* - pts namespaces are "coming soon"
>>>> lxc.cgroup.devices.allow = c 136:* rwm
>>>> # rtc
>>>> lxc.cgroup.devices.allow = c 254:0 rwm
>>>> EOF
>>>>
>>>> The quotes around EOF prevent bash from doing any substitution on the
>>>> file contents.
>>
>> I added these devices to the debian configuration file and fixed the
>> cgroup list order; "lxc.cgroup.devices.deny = a" was the last entry :/
>
> Weird.  It's the first now I hope :)

I meant it was a bug of liblxc to store the cgroup entries in the wrong order :)

>> By default the debian has no root password, so the ssh connection will
>> always fail until a password is set for root. I will look at how to
>> change the root password to 'root' after debootstrapping ...
>>
>> I added "lxc.cgroup.devices.allow = c 5:2 rwm"
>> in order to use /dev/ptmx for the tty of the ssh connection.
>>
>> The container is no longer able to create /dev/initctl, so the poweroff
>> command will fail. Serge, do you know what the devices.allow syntax
>> for initctl is?
>
> initctl isn't a device, it's a fifo.  At least on my laptop.

Yes, right. "devices.deny = a" prohibits the creation of this fifo in /dev.

After doing "lxc-cgroup -n debian devices.allow a",

  mknod -m 600 /dev/initctl p

succeeds in the debian container.

(rm /dev/initctl)

But after doing "lxc-cgroup -n debian devices.deny a",

  mknod -m 600 /dev/initctl p
  mknod: `/dev/initctl': Operation not permitted

Is there a way to specify this fifo for devices.allow?

_______________________________________________
Containers mailing list
Containers@xxxxxxxxxxxxxxxxxxxxxxxxxx
https://lists.linux-foundation.org/mailman/listinfo/containers
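As an added illustration (not code from this thread, from lxc or from the kernel), here is a small Python simulation of how an ordered list of lxc.cgroup.devices.* rules builds up a device whitelist and which char/block device requests that whitelist would then permit. It is a deliberately simplified model of the devices cgroup, not a transcription of device_cgroup.c: "deny = a" is taken to empty the whitelist, "allow" appends an entry, and a deny naming a specific device strips access bits from an entry for exactly that device. The rule strings are the ones posted above (plus Daniel's 5:2 line for /dev/ptmx); the function names, the Entry type and the "misordered" list that reproduces the liblxc ordering bug are my own. Fifos such as /dev/initctl are outside what these rules can express, which is the open question in the thread, so the model only knows the 'c' and 'b' types.

```python
"""Simplified simulation of ordered lxc.cgroup.devices.* rules (added example)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Entry:
    """One whitelist entry; None stands for the 'a' type or a '*' major/minor."""
    dev_type: Optional[str]
    major: Optional[int]
    minor: Optional[int]
    access: set  # subset of {'r', 'w', 'm'}


def parse_rule(line: str) -> Tuple[str, Entry]:
    """Parse 'lxc.cgroup.devices.allow = c 1:3 rwm' into ('allow', Entry)."""
    key, _, value = line.partition('=')
    key = key.strip()
    if key not in ('lxc.cgroup.devices.allow', 'lxc.cgroup.devices.deny'):
        raise ValueError(f'not a devices rule: {line!r}')
    op = key.rsplit('.', 1)[1]
    fields = value.split()
    if fields == ['a']:                       # 'a' means every device, every access
        return op, Entry(None, None, None, {'r', 'w', 'm'})
    if len(fields) != 3 or fields[0] not in ('c', 'b'):
        raise ValueError(f'bad rule body: {value.strip()!r}')
    dev_type, numbers, acc = fields
    major_s, minor_s = numbers.split(':')
    major = None if major_s == '*' else int(major_s)
    minor = None if minor_s == '*' else int(minor_s)
    if not acc or set(acc) - {'r', 'w', 'm'}:
        raise ValueError(f'bad access string: {acc!r}')
    return op, Entry(dev_type, major, minor, set(acc))


def _same_device(a: Entry, b: Entry) -> bool:
    return (a.dev_type, a.major, a.minor) == (b.dev_type, b.major, b.minor)


def apply_rules(lines: List[str]) -> List[Entry]:
    """Apply rules top to bottom and return the resulting whitelist (model assumption:
    'deny a' clears everything, 'allow' appends, a specific deny trims matching bits)."""
    whitelist: List[Entry] = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        op, rule = parse_rule(line)
        if op == 'allow':
            whitelist = [rule] if rule.dev_type is None else whitelist + [rule]
        elif rule.dev_type is None:
            whitelist = []
        else:
            kept = []
            for e in whitelist:
                if _same_device(e, rule):
                    e = Entry(e.dev_type, e.major, e.minor, e.access - rule.access)
                    if not e.access:
                        continue
                kept.append(e)
            whitelist = kept
    return whitelist


def permits(whitelist: List[Entry], dev_type: str, major: int, minor: int, access: str) -> bool:
    """True if some single entry covers the device and every requested access bit."""
    wanted = set(access)
    for e in whitelist:
        if e.dev_type is not None and e.dev_type != dev_type:
            continue
        if e.major is not None and e.major != major:
            continue
        if e.minor is not None and e.minor != minor:
            continue
        if wanted <= e.access:
            return True
    return False


# Rules from the thread; the order of DENY_ALL relative to the allows is the whole point.
DENY_ALL = 'lxc.cgroup.devices.deny = a'
ALLOWS = [
    'lxc.cgroup.devices.allow = c 1:3 rwm',    # /dev/null
    'lxc.cgroup.devices.allow = c 1:5 rwm',    # /dev/zero
    'lxc.cgroup.devices.allow = c 5:1 rwm',    # /dev/console
    'lxc.cgroup.devices.allow = c 5:0 rwm',    # /dev/tty
    'lxc.cgroup.devices.allow = c 4:0 rwm',    # tty0
    'lxc.cgroup.devices.allow = c 4:1 rwm',    # tty1
    'lxc.cgroup.devices.allow = c 1:9 rwm',    # /dev/urandom
    'lxc.cgroup.devices.allow = c 1:8 rwm',    # /dev/random
    'lxc.cgroup.devices.allow = c 136:* rwm',  # /dev/pts/*
    'lxc.cgroup.devices.allow = c 254:0 rwm',  # rtc
    'lxc.cgroup.devices.allow = c 5:2 rwm',    # /dev/ptmx, added for ssh
]
CORRECT = [DENY_ALL] + ALLOWS       # deny first, then the whitelist
MISORDERED = ALLOWS + [DENY_ALL]    # what liblxc wrote before the ordering fix

if __name__ == '__main__':
    for name, rules in (('correct', CORRECT), ('misordered', MISORDERED)):
        wl = apply_rules(rules)
        print(f'{name}: {len(wl)} entries, /dev/null rw permitted: {permits(wl, "c", 1, 3, "rw")}')
```

With the rules in the correct order the model grants /dev/null, any /dev/pts/N and /dev/ptmx while still refusing /dev/mem (1:1) or any block device; with "deny = a" stored last the whitelist ends up empty, which is the symptom Daniel describes.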