[systemd-devel] mknod forbidden in systemd-nspawn container

Lennart Poettering lennart at poettering.net
Wed Dec 23 07:06:33 PST 2015


On Wed, 23.12.15 14:10, Emmanuel Coirier (ecoirier at olfeo.com) wrote:

> Hello everyone,
> 
> I have encountered a problem with a systemd-nspawn container and debootstrap running in this container.
> 
> When I try to launch debootstrap inside the container, debootstrap
> stops because it tries to unpack a tar archive that creates devices
> like /dev/console. The error is "EPERM". Here is the full command
> list:

debootstrap really shouldn't do that. At least on systemd systems we
only support setups where /dev is prepared by the kernel via devtmpfs,
by the container manager when setting up the container environment, or
by any other kind of namespace manager when setting up a
namespace. Either way it needs to be on a volatile file system, and
not persistent. Untarring device nodes is hence always wrong.

nspawn generally allows creation of device nodes, but uses the
"devices" cgroup controller to restrict what may be
created. Specifically, in order to support PrivateDevices= in
containers we do allow creating additional /dev/null and /dev/zero and
suchlike, but do not allow creating arbitrary device nodes, for
security reasons. We currently provide no way to turn this off, and I
am not convinced we should add that.

Long story short: debootstrap really shouldn't bother with creating
device nodes. For security reasons we are quite restrictive there, and
I'd claim, rightfully so. Please file a bug against debootstrap,
asking them to stop creating device nodes (or at least making it
non-fatal if they lack the permission to).

Lennart

-- 
Lennart Poettering, Red Hat
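The advice above is that a bootstrapping tool should treat a refused mknod as a warning rather than an error, since inside an nspawn container the devices cgroup controller is expected to reject arbitrary device nodes. The following POSIX shell helper is an added example illustrating that behaviour; it is not code from debootstrap, systemd or this thread. It assumes a coreutils-style `mknod` and uses the usual Linux major/minor numbers for three sample nodes; the node list itself is constructed for the example.

```shell
#!/bin/sh
# Added example (not debootstrap's or systemd's code): create device nodes
# tolerantly, treating a refusal as a non-fatal condition.
# Assumes POSIX sh with a coreutils-style mknod.

# mknod_tolerant PATH TYPE MAJOR MINOR
#   returns 0 if the node already exists or was created,
#   returns 2 if creation was refused (EPERM from the devices cgroup, a
#   missing CAP_MKNOD, or similar) so the caller can continue without it.
mknod_tolerant() {
  path=$1 kind=$2 major=$3 minor=$4
  if [ -e "$path" ]; then
    # /dev is normally prepared by devtmpfs or the container manager;
    # an existing node is left exactly as it is.
    echo "skip: $path already present" >&2
    return 0
  fi
  if mknod -m 0666 "$path" "$kind" "$major" "$minor" 2>/dev/null; then
    echo "created $path" >&2
    return 0
  fi
  echo "warning: cannot create $path in this environment; continuing" >&2
  return 2
}

# populate_dev DIR: try a constructed sample node set inside DIR.
#   returns 0 when every node is present afterwards,
#   returns 2 when at least one was refused (still not fatal),
#   returns 1 when DIR is not a directory.
populate_dev() {
  dir=$1
  [ -d "$dir" ] || return 1
  refused=0
  # constructed sample list: name type major minor
  while read -r name kind major minor; do
    mknod_tolerant "$dir/$name" "$kind" "$major" "$minor" || refused=$((refused + 1))
  done <<EOF
null c 1 3
zero c 1 5
console c 5 1
EOF
  [ "$refused" -eq 0 ] && return 0
  return 2
}

# Usage: populate a scratch directory; inside a device-restricted container
# the expected outcome is warnings for refused nodes and a return code of 2.
# populate_dev /tmp/devtest
```

Because the function never returns a failure code for a refused node, a caller under `set -e` keeps going; the return code 2 lets it report that the resulting /dev is incomplete without aborting the whole bootstrap.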

