[systemd-devel] mknod forbidden in systemd-nspawn container

Emmanuel Coirier ecoirier at olfeo.com
Mon Dec 28 07:20:20 PST 2015


Thanks for your answer, but...

> Mantas Mikulėnas [mailto:somewhere]
> Hmm, isn't debootstrap supposed to run outside the container? Or are you trying to nest two containers?

It's indeed a nested container. The outer container is a working container in which I do all I need to do. The inner container is the container that should host our software. The debootstrap command is launched in the outer container to generate the inner container.

> Anyway, nspawn containers by default limit devices via both POSIX capabilities and cgroups; you would need --capability=cap_mknod to create device nodes, and <some cgroup pixie dust> to access them in case they're not in the default whitelist.

The capability is present, with and even without the --capability option. So this is not the problem.

-- 
Emmanuel Coirier
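The reply above names two separate gates that can make mknod fail inside an nspawn container: the CAP_MKNOD capability and the devices cgroup. The script below is an added diagnostic, not code from this thread or from systemd, that tells the two apart from inside the container: it reads CapEff/CapBnd from /proc/self/status (CAP_MKNOD is capability number 27), then probes mknod with a character node that is on nspawn's default device whitelist (1:3, /dev/null) and one that is not (1:1, /dev/mem). The probe directory, the node names and the `--run` flag are this example's own conventions; the major/minor pairs are standard Linux values used here as constructed test inputs.

```shell
#!/bin/sh
# Added diagnostic (not from the thread or from systemd): decide whether a
# failing mknod inside an nspawn container is a capability problem or a
# devices-cgroup problem.
# Assumptions: /proc/self/status is readable; 1:3 is /dev/null (on nspawn's
# default whitelist) and 1:1 is /dev/mem (not on it). Constructed example values.

CAP_MKNOD_BIT=27   # CAP_MKNOD is capability number 27, see capabilities(7)

# cap_has HEXMASK BIT: succeed if BIT is set in a 64-bit hex mask such as the
# CapEff value printed in /proc/self/status.
cap_has() {
    mask=$1; bit=$2
    [ $(( (0x$mask >> $bit) & 1 )) -eq 1 ]
}

# cap_field NAME: print the hex value of the "NAME:" line (CapEff, CapBnd, ...).
cap_field() {
    awk -v k="$1:" '$1 == k { print $2 }' /proc/self/status
}

# mknod_probe DIR MAJOR MINOR: try to create a char node and print one of
# ok / eperm / other. The devices cgroup refuses mknod ("m" right) with EPERM.
mknod_probe() {
    dir=$1; major=$2; minor=$3
    node="$dir/probe_${major}_${minor}"
    rm -f "$node"
    if mknod "$node" c "$major" "$minor" 2>"$dir/err"; then
        rm -f "$node"; echo ok
    elif grep -qi 'not permitted' "$dir/err"; then
        echo eperm
    else
        echo other
    fi
}

diagnose() {
    eff=$(cap_field CapEff); bnd=$(cap_field CapBnd)
    if ! cap_has "$eff" "$CAP_MKNOD_BIT"; then
        echo "CAP_MKNOD missing from effective set (CapEff=$eff CapBnd=$bnd): start nspawn with --capability=CAP_MKNOD"
        return 1
    fi
    tmp=$(mktemp -d)
    null=$(mknod_probe "$tmp" 1 3)   # whitelisted by default
    mem=$(mknod_probe "$tmp" 1 1)    # not whitelisted by default
    rm -rf "$tmp"
    echo "CAP_MKNOD present; mknod c 1 3 -> $null, mknod c 1 1 -> $mem"
    case "$null,$mem" in
        ok,eperm) echo "capability is fine; the devices cgroup rejects nodes outside the whitelist" ;;
        eperm,*)  echo "even a whitelisted node fails: inspect the devices cgroup (cgroup v1: devices.list), not capabilities" ;;
        ok,ok)    echo "no device restriction observed" ;;
    esac
}

if [ "${1:-}" = "--run" ]; then
    diagnose
fi
```

Run it as `sh diag.sh --run` inside the container that refuses mknod. When both probes fail with EPERM although CapEff contains bit 27, the capability is not the blocker and the remaining suspect is the devices cgroup policy inherited from the outer container; with nested containers the inner nspawn can only ever see the whitelist the outer one was given.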
