[systemd-devel] mknod forbidden in systemd-nspawn container
Mantas Mikulėnas
grawity at gmail.com
Wed Dec 23 06:39:09 PST 2015
On Wed, Dec 23, 2015 at 3:10 PM, Emmanuel Coirier <ecoirier at olfeo.com>
wrote:
> Hello everyone,
>
> I have encountered a problem with a systemd-nspawn container and
> debootstrap running in this container.
>
> When I try to launch debootstrap inside the container, debootstrap stops
> because it tries to unpack a tar archive that creates devices like
> /dev/console. The error is "EPERM". Here is the full command list:
>
Hmm, isn't debootstrap supposed to run outside the container? Or are you
trying to nest two containers?
Anyway, nspawn containers by default limit devices via both POSIX
capabilities and cgroups; you would need --capability=cap_mknod to create
device nodes, and <some cgroup pixie dust> to access them in case they're
not in the default whitelist.
--
Mantas Mikulėnas <grawity at gmail.com>
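Added example (not part of the thread, and not systemd's own code): the reply above points at two separate gates in front of mknod(2) inside an nspawn container, the capability set and the device cgroup. The script below checks the first gate for the running process by reading the CapEff mask from /proc/self/status and testing bit 27 (the value of CAP_MKNOD in linux/capability.h), so an EPERM can be attributed to one gate or the other. The nspawn command in the comments assumes a systemd-nspawn that accepts --capability= and --property=, and DeviceAllow= as the scope-unit property standing in for the "cgroup pixie dust"; the file content used in the test is constructed.

```shell
#!/bin/sh
# Added example: inspect the effective capability set of the current
# process and report whether CAP_MKNOD (bit 27) is present. The device
# cgroup gate is separate and is only shown as commented nspawn flags.

CAP_MKNOD_BIT=27   # value of CAP_MKNOD in <linux/capability.h>

# cap_mknod_in_mask HEXMASK: exit 0 if bit 27 is set in the hexadecimal
# capability mask, as printed in the CapEff: line of /proc/<pid>/status
# (a leading "0x" is optional); exit 2 on an empty mask.
cap_mknod_in_mask() {
    mask="$1"
    case "$mask" in
        0x*|0X*) mask="${mask#??}" ;;
    esac
    [ -n "$mask" ] || return 2
    [ $(( (0x$mask >> $CAP_MKNOD_BIT) & 1 )) -eq 1 ]
}

# cap_eff_from_status [FILE]: print the hex CapEff mask from a
# /proc/<pid>/status-style file (defaults to the current process).
cap_eff_from_status() {
    awk '/^CapEff:/ { print $2; exit }' "${1:-/proc/self/status}"
}

# self_check: report on the running process. Inside the container this
# separates a capability problem from a device-cgroup problem.
self_check() {
    eff="$(cap_eff_from_status)"
    if cap_mknod_in_mask "$eff"; then
        echo "CapEff=$eff: CAP_MKNOD present; an EPERM from mknod(2) now points at the device cgroup policy"
    else
        echo "CapEff=$eff: CAP_MKNOD missing; start the container with --capability=CAP_MKNOD"
    fi
}

# Corresponding nspawn invocation (assumption: a systemd-nspawn that accepts
# --capability= and --property=; not executed by this script):
#   systemd-nspawn -D /path/to/rootfs --capability=CAP_MKNOD \
#       --property='DeviceAllow=/dev/console rw' /bin/bash
# --capability= lifts the capability gate; DeviceAllow= on the machine's
# scope unit is the device-cgroup whitelist entry the reply alludes to.

self_check
```

Run it inside the container as the user debootstrap runs as; the CapEff line is per process, so checking from the host or from a different user says nothing about the failing process.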