On Mo, 17.05.21 19:08, Marc Weber (marco-oweber@xxxxxx) wrote:

> > devtmpfs
> >
> > Thanks. So I can modprobe (-r) the modules from both host/container,
> > e.g. dahdi_transcode makes /dev/dahdi/transcode appear.
> > But when mounting from container I can write/read from it (getting errors
> > about channels not set up, which is probably expected), but when trying the same from the container I
> > just get operation not permitted. chmod 777 or such doesn't help.
> > I am not using UID/-U id rewriting in any way. I run the container with --capability=all.
> > Is there something else I am missing?

nspawn containers have a strict device policy set up by default. You need to allow-list your device nodes if you want to be able to use them from inside the container. Use nspawn's --property= parameter to tweak this, and set the DeviceAllow= property with it, as needed.

Devices aren't reasonably virtualized for containers though, i.e. sysfs isn't virtualized and udev doesn't even get started. Thus, by using --property=DeviceAllow= in combination with --bind= to make specific device nodes of the host available in a container you'll really just get the naked device nodes and not more. This is typically not enough to run any non-trivial software that wants to do device management, since enumerating/monitoring devices via sysfs/uevents/udev and that kind of stuff simply doesn't work in containers.

Lennart

--
Lennart Poettering, Berlin
_______________________________________________
systemd-devel mailing list
systemd-devel@xxxxxxxxxxxxxxxxxxxxx
https://lists.freedesktop.org/mailman/listinfo/systemd-devel
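The --bind= plus --property=DeviceAllow= pairing from the reply, as an added shell example that is not part of the thread or of systemd itself; the container directory path and the helper names are assumptions, and /dev/dahdi/transcode is the node from the question:

```sh
#!/bin/sh
# Reject anything that is not an existing char/block device node under /dev,
# since binding a plain file into the container gives it no device at all.
check_device_node() {
    case "$1" in
        /dev/*) ;;
        *) echo "not under /dev: $1" >&2; return 1 ;;
    esac
    if [ ! -c "$1" ] && [ ! -b "$1" ]; then
        echo "not a device node: $1" >&2
        return 1
    fi
}

# Print, one argument per line, what nspawn needs for each device node:
# the bind mount that makes the node visible, and the DeviceAllow= entry
# that lets the container's device policy (an allow-list by default) open it.
nspawn_device_args() {
    for node in "$@"; do
        check_device_node "$node" || return 1
        printf '%s\n' "--bind=$node" "--property=DeviceAllow=$node rw"
    done
}

# Launch a container with the given device nodes exposed. The argument list
# is rebuilt with set -- so the space in "DeviceAllow=<node> rw" stays one word.
# Usage (as root on the host): nspawn_with_devices DIR NODE...
nspawn_with_devices() {
    dir=$1; shift
    n=$#
    while [ "$n" -gt 0 ]; do
        node=$1; shift
        check_device_node "$node" || return 1
        set -- "$@" "--bind=$node" "--property=DeviceAllow=$node rw"
        n=$((n - 1))
    done
    systemd-nspawn -D "$dir" "$@"
}

# Example (assumed container directory; only the naked node is exposed, no udev/sysfs view):
#   nspawn_with_devices /var/lib/machines/asterisk /dev/dahdi/transcode
```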