[systemd-devel] mknod forbidden in systemd-nspawn container
Emmanuel Coirier
ecoirier at olfeo.com
Mon Dec 28 07:20:20 PST 2015
Thanks for your answer, but...
> Mantas Mikulėnas [mailto:somewhere]
> Hmm, isn't debootstrap supposed to run outside the container? Or are you trying to nest two containers?
It's indeed a nested container. The outer container is a working container in which I do all I need to do. The inner container is the container that should host our software. The debootstrap command is launched in the outer container to generate the inner container.
> Anyway, nspawn containers by default limit devices via both POSIX capabilities and cgroups; you would need --capability=cap_mknod to create device nodes, and <some cgroup pixie dust> to access them in case they're not in the default whitelist.
The capability is present, with and even without the --capability option. So this is not the problem.
--
Emmanuel Coirier
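As an added diagnostic, not code from either poster, the following POSIX shell script separates the two nspawn restrictions named in the quoted reply: it decodes CapEff from /proc/self/status for CAP_MKNOD (capability number 27), prints the cgroup v1 devices whitelist when that controller is mounted, and then attempts a harmless mknod of a 1:3 node in a temporary directory. The /sys/fs/cgroup/devices path is an assumption about a cgroup v1 host.

```shell
#!/bin/sh
# Added diagnostic: tell "capability missing" apart from "cgroup device policy
# blocks it" when mknod fails inside a systemd-nspawn container.
CAP_MKNOD=27   # capability number of CAP_MKNOD in linux/capability.h

# cap_in_mask CAPNUM HEXMASK -> exit 0 if bit CAPNUM is set in the hex mask
cap_in_mask() {
    [ $(( (0x$2 >> $1) & 1 )) -eq 1 ]
}

# effective_caps -> prints the CapEff hex mask of the current process
effective_caps() {
    awk '/^CapEff:/ { print $2 }' /proc/self/status
}

# devices_whitelist -> prints the cgroup v1 devices whitelist, or a note when the
# controller is not mounted (cgroup v2 enforces device policy with BPF instead)
devices_whitelist() {
    if [ -r /sys/fs/cgroup/devices/devices.list ]; then   # assumed v1 mount point
        cat /sys/fs/cgroup/devices/devices.list
    else
        echo "devices cgroup v1 not mounted (cgroup v2 device policy is not listed here)"
    fi
}

# diagnose -> reports which layer blocks device node creation, if any
diagnose() {
    mask=$(effective_caps)
    if cap_in_mask "$CAP_MKNOD" "$mask"; then
        echo "CAP_MKNOD present in CapEff ($mask)"
    else
        echo "CAP_MKNOD missing from CapEff ($mask): start nspawn with --capability=CAP_MKNOD"
        return 1
    fi
    echo "devices cgroup whitelist:"; devices_whitelist
    tmp=$(mktemp -d) || return 1
    # /dev/null is c 1:3, the first node debootstrap creates; a temp dir keeps
    # the probe away from the real /dev. Note: inside a user namespace the
    # kernel refuses device nodes even with CAP_MKNOD.
    if mknod "$tmp/null" c 1 3 2>/dev/null; then
        echo "mknod succeeded: device node creation is not blocked"
    else
        echo "mknod failed despite CAP_MKNOD: cgroup device policy or user namespace is the blocker"
    fi
    rm -rf "$tmp"
}
```

Run `diagnose` inside the container where debootstrap fails; a present capability together with a failing probe points at the cgroup layer rather than at --capability.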