| Summary: | sys-apps/systemd-215-r3 - systemd-nspawn --capability=CAP_MKNOD fails to create device node | | |
|---|---|---|---|
| Product: | Gentoo Linux | Reporter: | poncho <poncho> |
| Component: | [OLD] Core system | Assignee: | Gentoo systemd Team <systemd> |
| Status: | RESOLVED WONTFIX | | |
| Severity: | normal | CC: | Adrian.Bassett, alexander, poncho |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Package list: | | Runtime testing required: | --- |
Description
poncho
2014-07-29 18:01:46 UTC
Probably this is due to CapabilityBoundingSet:

    $ grep ^CapabilityBoundingSet /usr/lib/systemd/system/systemd-machined.service
    CapabilityBoundingSet=CAP_KILL CAP_SYS_PTRACE CAP_SYS_ADMIN CAP_SETGID CAP_SYS_CHROOT

I'm afraid I've got bad news for you:

    <poetteri1g> mgorny: we use the "devices" cgroup controller to make sure that containers cannot create random device nodes
    <poetteri1g> mgorny: and what the guy is doing cannot work
    <poetteri1g> mgorny: device enumeration, /sys, udev, all that stuff is not virtualized in containers
    <poetteri1g> mgorny: and is unlikely to ever be
    <poetteri1g> mgorny: which means passing devices to containers cannot really work
    <poetteri1g> mgorny: lxc makes weird claims that it could work
    <poetteri1g> mgorny: but they just don't know what they are doing...

Indeed, this is set in the devices cgroup controller:

    systemctl status machine-debian\\x2djessie.scope
    ● machine-debian\x2djessie.scope - Container debian-jessie
       Loaded: loaded (/run/systemd/system/machine-debian\x2djessie.scope; static)
      Drop-In: /run/systemd/system/machine-debian\x2djessie.scope.d
               └─50-Description.conf, 50-DeviceAllow.conf, 50-DevicePolicy.conf, 50-Slice.conf
       Active: active (running) since Thu 2014-07-31 09:36:01 CEST; 3min 15s ago
       CGroup: /machine.slice/machine-debian\x2djessie.scope

    cat /run/systemd/system/machine-debian\\x2djessie.scope.d/50-DeviceAllow.conf
    [Scope]
    DeviceAllow=
    DeviceAllow=char-kdbus/* rw
    DeviceAllow=char-kdbus rw
    DeviceAllow=char-pts rw
    DeviceAllow=/dev/pts/ptmx rw
    DeviceAllow=/dev/tty rwm
    DeviceAllow=/dev/urandom rwm
    DeviceAllow=/dev/random rwm
    DeviceAllow=/dev/full rwm
    DeviceAllow=/dev/zero rwm
    DeviceAllow=/dev/null rwm

I'm able to create the device nodes after changing the cgroup settings.

    systemctl set-property --runtime machine-debian\\x2djessie.scope DeviceAllow=/dev/nvidia0
    systemctl set-property --runtime machine-debian\\x2djessie.scope DeviceAllow=/dev/nvidiactl
    cat /run/systemd/system/machine-debian\\x2djessie.scope.d/50-DeviceAllow.conf
    [Scope]
    DeviceAllow=
    DeviceAllow=/dev/nvidiactl rwm
    DeviceAllow=/dev/nvidia0 rwm
    DeviceAllow=/dev/null rwm
    DeviceAllow=/dev/zero rwm
    DeviceAllow=/dev/full rwm
    DeviceAllow=/dev/random rwm
    DeviceAllow=/dev/urandom rwm
    DeviceAllow=/dev/tty rwm
    DeviceAllow=/dev/pts/ptmx rw
    DeviceAllow=char-pts rw
    DeviceAllow=char-kdbus rw
    DeviceAllow=char-kdbus/* rw

Thanks for asking upstream and for clarification. I hope you don't mind me closing this as WONTFIX since upstream is not willing to change that. In case there's anything else we can do, please let us know.
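Added example (not part of the bug report, and not systemd's own code): a small POSIX shell helper that reads a machine scope's 50-DeviceAllow.conf drop-in and reports whether mknod of a given device is actually permitted, i.e. whether the rule that matches it carries the m flag (r/w/m = read/write/mknod). It also builds the `systemctl set-property --runtime ... DeviceAllow=` line used in the thread. The drop-in text embedded below is a constructed sample modelled on the output above; the scope name is the one from the thread. The parser assumes what that output shows: an empty `DeviceAllow=` resets the list, later lines add rules, and a rule without an explicit access string is recorded as `rwm`.

```shell
#!/bin/sh
# Hypothetical helper, added here for illustration. It does not talk to
# systemd; it only parses drop-in text passed to it.

# device_access DROPIN_TEXT DEVICE
# Print the access string ("rwm", "rw", ...) of the last DeviceAllow= rule
# that names DEVICE exactly (path such as /dev/nvidia0 or a class such as
# char-pts), or nothing if no rule matches. An empty "DeviceAllow=" line
# clears everything seen before it, as it does in systemd unit files.
device_access() {
    printf '%s\n' "$1" | awk -v dev="$2" '
        /^DeviceAllow=$/ { acc = ""; next }          # reset of the list
        /^DeviceAllow=/ {
            sub(/^DeviceAllow=/, "")
            n = split($0, f, " ")                     # f[1]=node, f[2]=access
            if (f[1] == dev) acc = (n >= 2 ? f[2] : "rwm")   # assumed default
        }
        END { print acc }'
}

# mknod_allowed DROPIN_TEXT DEVICE -> "yes" if the matching rule has the m bit.
# This is the check that explains the bug: CAP_MKNOD inside the container is
# not enough when the scope's devices cgroup rule lacks m (or is absent).
mknod_allowed() {
    case "$(device_access "$1" "$2")" in
        *m*) echo yes ;;
        *)   echo no ;;
    esac
}

# grant_cmd SCOPE DEVICE -> the runtime set-property command from the thread.
# Without an explicit access string systemd records the rule as "rwm".
grant_cmd() {
    printf 'systemctl set-property --runtime %s DeviceAllow=%s\n' "$1" "$2"
}

# Constructed sample: a trimmed version of the default nspawn drop-in above.
SAMPLE_DROPIN='[Scope]
DeviceAllow=
DeviceAllow=char-kdbus/* rw
DeviceAllow=char-pts rw
DeviceAllow=/dev/pts/ptmx rw
DeviceAllow=/dev/null rwm'

scope='machine-debian\\x2djessie.scope'
for dev in /dev/null char-pts /dev/nvidia0; do
    printf '%-14s mknod allowed: %s\n' "$dev" "$(mknod_allowed "$SAMPLE_DROPIN" "$dev")"
done
grant_cmd "$scope" /dev/nvidia0
```

Run it against the real drop-in with `device_access "$(cat /run/systemd/system/<scope>.d/50-DeviceAllow.conf)" /dev/nvidia0`; an empty result or one without m means mknod inside the container will fail regardless of the capability set, which is exactly the behaviour the reporter hit.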