Hi, I am unable to get mknod working in a systemd-nspawn container. I always get EPERM, even though everything seems to be in place:

root@bookworm:/# mknod /mnt/null c 1 3
mknod: /mnt/null: Operation not permitted

The nspawn file for the container contains Capability= and SystemCallFilter=:

[Exec]
Hostname=debtest
Boot=yes
Capability=CAP_SYS_ADMIN CAP_SYS_MKNOD CAP_MKNOD CAP_SYSADMIN
SystemCallFilter=mknod keyctl add_key
Hostname=debtest

[Network]
VirtualEthernet=yes
Bridge=brdsan01

The SystemCallFilter= is OK, as I am able to use keyctl:

root@bookworm:/# keyctl list @u
keyring is empty

I am using the default systemd-nspawn@.service; explicitly adding DeviceAllow=/dev/null makes no difference:

[Unit]
Description=Container %i
Documentation=man:systemd-nspawn(1)
PartOf=machines.target
Before=machines.target
After=network.target
RequiresMountsFor=/var/lib/machines/%i

[Service]
# Make sure the DeviceAllow= lines below can properly resolve the 'block-loop' expression (and others)
ExecStart=systemd-nspawn --quiet --keep-unit --boot --link-journal=try-guest --network-veth -U --settings=override --machine=%i
KillMode=mixed
Type=notify
RestartForceExitStatus=133
SuccessExitStatus=133
Slice=machine.slice
Delegate=yes
DelegateSubgroup=supervisor
CoredumpReceive=yes
TasksMax=16384
WatchdogSec=3min
DevicePolicy=closed
DeviceAllow=/dev/net/tun rwm
DeviceAllow=char-pts rw
# nspawn itself needs access to /dev/loop-control and /dev/loop, to implement
# the --image= option. Add these here, too.
DeviceAllow=/dev/loop-control rw
DeviceAllow=block-loop rw
DeviceAllow=block-blkext rw
# nspawn can set up LUKS encrypted loopback files, in which case it needs
# access to /dev/mapper/control and the block devices /dev/mapper/*.
DeviceAllow=/dev/mapper/control rw
DeviceAllow=block-device-mapper rw

[Install]
WantedBy=machines.target

The mknod capability is present:

root@bookworm:/# capsh --print | grep mknod
Bounding set =cap_chown,cap_dac_override,cap_dac_read_search,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_linux_immutable,cap_net_bind_service,cap_net_broadcast,cap_net_admin,cap_net_raw,cap_ipc_owner,cap_sys_chroot,cap_sys_ptrace,cap_sys_admin,cap_sys_boot,cap_sys_nice,cap_sys_resource,cap_sys_tty_config,cap_mknod,cap_lease,cap_audit_write,cap_audit_control,cap_setfcap

The sd_devices BPF program is attached to the cgroup:

sudo bpftool cgroup show /sys/fs/cgroup/machine.slice/systemd-nspawn@debtest.service/
ID       AttachType      AttachFlags     Name
68       cgroup_device   multi           sd_devices

/mnt is not mounted with restrictions:

tmpfs on /mnt type tmpfs (rw,relatime,uid=1189085184,gid=1189085184)

But still:

root@bookworm:/# mknod /mnt/null c 1 3
mknod: /mnt/null: Operation not permitted

So what am I missing here?

-Sietse
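As an added diagnostic (my own script, not part of Sietse's post), a POSIX shell script that collects from inside the container the data points the post checks by hand, plus one the post does not print: whether the shell is in a child user namespace, which the -U flag in the unit's ExecStart= line requests. It assumes /proc is mounted, findmnt is available, and a writable directory (e.g. /mnt) is passed as the first argument.

```shell
#!/bin/sh
# Added diagnostic (not from the original post). Capability bit numbers
# are the kernel's: CAP_SYS_ADMIN=21, CAP_MKNOD=27.

# has_cap_in_mask MASK BIT: MASK is the hex value from a Cap* line of
# /proc/PID/status; true (exit 0) when BIT is set in it.
has_cap_in_mask() {
    [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]
}

# cap_mask_from_status FILE SET: extracts the hex mask for SET
# (CapBnd, CapEff, ...) from a status file.
cap_mask_from_status() {
    awk -v set="$2:" '$1 == set { print $2 }' "$1"
}

# uid_map_is_initial "LINE": true when a /proc/PID/uid_map line describes the
# initial user namespace (0 0 4294967295); any other mapping means the process
# runs in a child user namespace, such as the one nspawn's -U sets up.
uid_map_is_initial() {
    set -- $1
    [ "$1" = 0 ] && [ "$2" = 0 ] && [ "$3" = 4294967295 ]
}

# report DIR: runs the checks against the live process, shows the mount
# backing DIR, then tries the same mknod as in the post and cleans up.
report() {
    dir=$1
    for capset in CapBnd CapEff; do
        mask=$(cap_mask_from_status /proc/self/status "$capset")
        if has_cap_in_mask "$mask" 27; then
            echo "$capset: cap_mknod present ($mask)"
        else
            echo "$capset: cap_mknod MISSING ($mask)"
        fi
    done
    if uid_map_is_initial "$(cat /proc/self/uid_map)"; then
        echo "user namespace: initial"
    else
        echo "user namespace: child (uid_map: $(cat /proc/self/uid_map))"
    fi
    echo "mount backing $dir: $(findmnt -no SOURCE,FSTYPE,OPTIONS -T "$dir")"
    if err=$(mknod "$dir/null" c 1 3 2>&1); then
        echo "mknod in $dir: ok"; rm -f "$dir/null"
    else
        echo "mknod in $dir: $err"
    fi
}

if [ -n "${1:-}" ]; then report "$1"; fi
```

Run it as root inside the container (sh diag.sh /mnt) and compare the CapEff line with the capsh output above; a missing cap_mknod in CapEff with it present in CapBnd points at a different place than a BPF device filter does.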