[systemd-devel] manually loading kernel modules and have created /dev/* in container?
Lennart Poettering
lennart at poettering.net
Tue May 18 09:56:11 UTC 2021
On Mo, 17.05.21 19:08, Marc Weber (marco-oweber at gmx.de) wrote:
> > devtmpfs
>
> thanks. So I can modprobe (-r) the modules from both host/container,
> eg dahdi_transcode makes /dev/dahdi/transcode appear.
>
> But when mounting from container I can write / read from it (getting errors
> about channels not setup which is probably expected), but when trying same from the container I
> just get operation not permitted. chmod 777 or such doesn't help.
>
> I am not using UID/-U id rewriting in any way. I run the container with --capability=all.
>
> Is there something else I am missing?
nspawn containers have a strict device policy set up by default. You
need to allow-list your device nodes if you want to be able to use
them from inside the container. Use nspawn's --property= parameter to
tweak this, and set the DeviceAllow= property with it, as needed.
Devices aren't reasonably virtualized for containers
though. i.e. sysfs isn't virtualized and udev doesn't even get
started. Thus, by using --property=DeviceAllow= in combination with
--bind= to make specific device nodes of the host available in a
container you'll really just get the naked device nodes and not
more. This is typically not enough to run any non-trivial software
that wants to do device management, since they enumerate/monitor
devices via sysfs/uevents/udev and that kind of stuff simply doesn't
work in containers.
Lennart
--
Lennart Poettering, Berlin
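The two-step recipe from the reply above (expose the node with --bind=, then permit I/O on it through the container scope's device policy with --property=DeviceAllow=), written out as a small POSIX sh helper. This is an added example, not code from the thread or from the systemd project; the container root /var/lib/machines/pbx and the machine name are placeholders, and the helper only emits the argument list so it can be reviewed before the command is run as root. It refuses anything that is not an actual character or block device and defaults to the "rw" access mode rather than "rwm", so the container is not also granted mknod for that major/minor.

```shell
#!/bin/sh
# Added example (not from the original thread or from systemd itself).
# Builds the systemd-nspawn arguments that make one host device node usable
# inside a container: --bind= so the node is visible in the container's /dev,
# and --property=DeviceAllow= so the scope unit's device cgroup policy lets
# the container open it. Without the second part the open() fails with
# "operation not permitted" no matter what the node's file mode says.

# nspawn_device_args DEVICE [MODE]
#   Prints two arguments, one per line, for DEVICE. MODE is the DeviceAllow=
#   access string (any combination of r, w, m); default "rw", which is the
#   least privilege for a node the container only needs to read and write.
#   Fails for paths that are not character or block devices, so a stale
#   regular file under /dev never ends up in the allow-list by mistake.
nspawn_device_args() {
    dev=$1
    mode=${2:-rw}
    if [ ! -c "$dev" ] && [ ! -b "$dev" ]; then
        echo "not a device node: $dev" >&2
        return 1
    fi
    case $mode in
        "" | *[!rwm]*) echo "bad access mode: $mode" >&2; return 1 ;;
    esac
    printf '%s\n' "--bind=$dev"
    # DeviceAllow= takes "<node> <access>"; the whole thing is one argument.
    printf '%s %s\n' "--property=DeviceAllow=$dev" "$mode"
}

# nspawn_command ROOT_DIR DEVICE...
#   Prints a complete systemd-nspawn command line, one argument per line,
#   for a container rooted at ROOT_DIR with every listed device exposed.
#   Stops at the first path that is not a device node.
nspawn_command() {
    root=$1
    shift
    printf 'systemd-nspawn\n-D\n%s\n' "$root"
    for dev in "$@"; do
        nspawn_device_args "$dev" || return 1
    done
}

# show_device_policy MACHINE
#   Check, from the host, what policy the running container actually got.
#   Assumes the default scope naming machine-<name>.scope used when nspawn
#   registers with machined (hypothetical machine name "pbx" in the usage).
show_device_policy() {
    systemctl show -p DevicePolicy -p DeviceAllow "machine-$1.scope"
}

# Usage: sh this-script.sh /var/lib/machines/pbx /dev/dahdi/transcode
# The printed lines can be fed to the shell as one argument each, e.g.
#   set -- $(sh this-script.sh ... | tr '\n' ' ')   (paths without spaces)
# After the container is up:  show_device_policy pbx
if [ $# -gt 0 ]; then
    nspawn_command "$@"
fi
```

The point of keeping the bind and the DeviceAllow= entry together in one helper is that either alone reproduces the symptom in the question: a bound node without the allow-list entry gives EPERM on open, and an allow-list entry without the bind gives a node that simply is not there. As the reply notes, this still only hands the container a bare device node; sysfs and udev events for it are not virtualized.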