[systemd-devel] systemd 219 fails to create and/or use loop devices (or any other device)

Thu Nov 19 15:04:50 PST 2015

Am 19.11.2015 um 18:35 schrieb Filipe Brandenburger:
> Hi,
>
> On Thu, Nov 19, 2015 at 7:42 AM, von Thadden, Joachim, SEVEN
> PRINCIPLES <joachim.von-thadden at 7p-group.com> wrote:
>> using systemd 219-25 on Fedora 22 on a freshly created container I can not make any
>> device. Usage of --capability=CAP_MKNOD makes no difference.
>>
>> Steps to reproduce:
>> [root at nbl ~]# machinectl pull-raw --verify=no
>> http://ftp.halifax.rwth-aachen.de/fedora/linux/releases/21/Cloud/Images/x86_64/Fedora-Cloud-Base-20141203-21.x86_64.raw.xz
>> [root at nbl ~]# systemd-nspawn --capability=CAP_MKNOD -M Fedora-Cloud-Base-20141203-21.x86_64
>> [root at Fedora-Cloud-Base-20141203-21 ~]# strace -f mknod /dev/loop0 b 7 0
>> mknod("/dev/loop0", S_IFBLK|0666, makedev(7, 0)) = -1 EPERM (Operation not permitted)
> This is likely being caused by the use of the "devices" namespace,
> which prevents you from using specific character and block devices
> inside a cgroup. nspawn now sets these by default.
>
> Calling systemd-nspawn with --property='DeviceAllow=/dev/loop0 rwm'
> should allow it to mknod and later use it in losetup as well.

This is good news, but in systemd 219 (Fedora 22) --property is not yet implemented. So
this might be a solution for Fedora 23. But your hint was right and you are my hero for
today! Just echoing the devices to the right cgroup machine.slice entry after starting the
container does the trick with FC22/systemd 219:

[root at nbl ~]# echo "c 10:237 rwm" >
/sys/fs/cgroup/devices/machine.slice/machine-Fedora\\x2dCloud\\x2dBase\\x2d23\\x2d20151030.x86_64.scope/devices.allow
[root at nbl ~]# echo "b 7:1 rwm" >
/sys/fs/cgroup/devices/machine.slice/machine-Fedora\\x2dCloud\\x2dBase\\x2d23\\x2d20151030.x86_64.scope/devices.allow
[root at nbl ~]# echo "b 7:0 rwm" >
/sys/fs/cgroup/devices/machine.slice/machine-Fedora\\x2dCloud\\x2dBase\\x2d23\\x2d20151030.x86_64.scope/devices.allow
[root at nbl ~]# cat
/sys/fs/cgroup/devices/machine.slice/machine-Fedora\\x2dCloud\\x2dBase\\x2d23\\x2d20151030.x86_64.scope/devices.list
c 1:3 rwm
c 1:5 rwm
c 1:7 rwm
c 1:8 rwm
c 1:9 rwm
c 5:0 rwm
c 10:200 rwm
c 5:2 rw
c 136:* rw
c 10:237 rwm
b 7:1 rwm
b 7:0 rwm
[root at nb0925-l ~]#

After that you can make the device nodes (interestingly without the need to give CAP_MKNOD
to the container, but in fact that would be a redundancy) or use the --bind and everything
works again.

Thanks a lot
        Joachim

-- 
Joachim von Thadden
Lead Technical Architect

SEVEN PRINCIPLES AG
Ernst-Dietrich-Platz 2
40882 Ratingen
Mobil: +49 162 261 64 66
Tel:   +49 2102 557 100
Fax:   +49 2102 557 101

E-Mail: joachim.von-thadden at 7p-group.com
Web: www.7p-group.com
________________________________
Aufsichtsrat: Prof. Dr. h.c. Hans Albert Aukes
Vorstandsvorsitzender: Joseph Kronfli
Handelsregister: HRB 30660 | USt-ID-Nr.: DE197820124 | Steuer-Nr.: 218/5734/1640
Sitz der Gesellschaft: Köln | Registriergericht: Amtsgericht Köln 

Der Inhalt dieser E-Mail ist ausschließlich für den bezeichneten Adressaten bestimmt. Wenn Sie nicht der vorgesehene Adressat dieser E-Mail oder dessen Vertreter sein sollten, beachten Sie bitte, dass jede Form der Veröffentlichung, Vervielfältigung oder Weitergabe des Inhalts dieser E-Mail unzulässig ist. Wir bitten Sie sofort den Absender zu informieren und die E-Mail zu löschen.
The information contained in this e-mail is intended solely for the addressee. Access to this e-mail by anyone else is unauthorized. If you are not the intended recipient, any form of disclosure, reproduction, distribution or any action taken or refrained from in reliance on it, is prohibited and may be unlawful. Please notify the sender immediately and destroy this e-mail.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: joachim_von-thadden.vcf
Type: text/x-vcard
Size: 756 bytes
Desc: joachim_von-thadden.vcf
URL: <http://lists.freedesktop.org/archives/systemd-devel/attachments/20151119/f308dbf6/attachment.vcf>