[systemd-devel] nspawn container mknod
Sietse van Zanen
sietse at wizdom.nu
Fri Nov 15 11:35:29 UTC 2024
Hi,
I am unable to get mknod working in a systemd nspawn container. I always get EPERM, even though everything seems to be in place:
root@bookworm:/# mknod /mnt/null c 1 3
mknod: /mnt/null: Operation not permitted
Nspawn file for the container contains capability and systemcallfilter:
[Exec]
Hostname=debtest
Boot=yes
Capability=CAP_SYS_ADMIN CAP_SYS_MKNOD CAP_MKNOD CAP_SYSADMIN
SystemCallFilter=mknod keyctl add_key
Hostname=debtest
[Network]
VirtualEthernet=yes
Bridge=brdsan01
The systemcallfilter is ok, as I am able to use keyctl:
root@bookworm:/# keyctl list @u
keyring is empty
I am using the default systemd-nspawn@.service:
Explicitly adding DeviceAllow=/dev/null makes no difference
[Unit]
Description=Container %i
Documentation=man:systemd-nspawn(1)
PartOf=machines.target
Before=machines.target
After=network.target
RequiresMountsFor=/var/lib/machines/%i
[Service]
# Make sure the DeviceAllow= lines below can properly resolve the 'block-loop' expression (and others)
ExecStart=systemd-nspawn --quiet --keep-unit --boot --link-journal=try-guest --network-veth -U --settings=override --machine=%i
KillMode=mixed
Type=notify
RestartForceExitStatus=133
SuccessExitStatus=133
Slice=machine.slice
Delegate=yes
DelegateSubgroup=supervisor
CoredumpReceive=yes
TasksMax=16384
WatchdogSec=3min
DevicePolicy=closed
DeviceAllow=/dev/net/tun rwm
DeviceAllow=char-pts rw
# nspawn itself needs access to /dev/loop-control and /dev/loop, to implement
# the --image= option. Add these here, too.
DeviceAllow=/dev/loop-control rw
DeviceAllow=block-loop rw
DeviceAllow=block-blkext rw
# nspawn can set up LUKS encrypted loopback files, in which case it needs
# access to /dev/mapper/control and the block devices /dev/mapper/*.
DeviceAllow=/dev/mapper/control rw
DeviceAllow=block-device-mapper rw
[Install]
WantedBy=machines.target
Mknod capability is present:
root@bookworm:/# capsh --print |grep mknod
Bounding set =cap_chown,cap_dac_override,cap_dac_read_search,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_linux_immutable,cap_net_bind_service,cap_net_broadcast,cap_net_admin,cap_net_raw,cap_ipc_owner,cap_sys_chroot,cap_sys_ptrace,cap_sys_admin,cap_sys_boot,cap_sys_nice,cap_sys_resource,cap_sys_tty_config,cap_mknod,cap_lease,cap_audit_write,cap_audit_control,cap_setfcap
The sd_devices BPF program is attached to the cgroup:
sudo bpftool cgroup show /sys/fs/cgroup/machine.slice/systemd-nspawn@debtest.service/
ID AttachType AttachFlags Name
68 cgroup_device multi sd_devices
/mnt is not mounted with restrictions:
tmpfs on /mnt type tmpfs (rw,relatime,uid=1189085184,gid=1189085184)
But still:
root@bookworm:/# mknod /mnt/null c 1 3
mknod: /mnt/null: Operation not permitted
So what am I missing here?
-Sietse
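An added diagnostic, not from the post above and not part of systemd: it decodes the capability masks in /proc/self/status and the uid_map that the post inspects by hand with capsh, and applies the kernel's vfs_mknod rule that creating a char or block node needs CAP_MKNOD in the user namespace that owns the target filesystem (on top of the cgroup device controller allowing mknod for that major:minor). The sample inputs in the comments are constructed; CAP_MKNOD = 27 is the bit index from linux/capability.h.

```python
from pathlib import Path

CAP_MKNOD = 27  # bit index of CAP_MKNOD in the Cap* masks of /proc/<pid>/status


def cap_bits(hex_mask: str) -> set[int]:
    """Decode a CapEff/CapBnd hex mask into the set of capability bit numbers."""
    value = int(hex_mask, 16)
    return {bit for bit in range(64) if value >> bit & 1}


def status_caps(status_text: str) -> dict[str, set[int]]:
    """Map each Cap* field of /proc/<pid>/status (CapEff, CapBnd, ...) to its bit set."""
    caps = {}
    for line in status_text.splitlines():
        key, _, val = line.partition(":")
        if key.startswith("Cap"):
            caps[key] = cap_bits(val.strip())
    return caps


def in_user_namespace(uid_map_text: str) -> bool:
    """The initial user namespace maps '0 0 4294967295'; any other map is a child userns."""
    return uid_map_text.split() != ["0", "0", "4294967295"]


def diagnose_mknod(status_text: str, uid_map_text: str) -> list[str]:
    """Return the findings that explain an EPERM from mknod of a char/block node."""
    caps = status_caps(status_text)
    findings = []
    if CAP_MKNOD not in caps.get("CapEff", set()):
        findings.append("CAP_MKNOD missing from effective set")
    elif CAP_MKNOD not in caps.get("CapBnd", set()):
        findings.append("CAP_MKNOD not in bounding set")
    if in_user_namespace(uid_map_text):
        findings.append("running in a user namespace: CAP_MKNOD only counts on filesystems owned by this namespace; a filesystem mounted by the host still refuses device nodes")
    if not findings:
        findings.append("capabilities look fine: check the device cgroup (DeviceAllow=) for this major:minor and whether the mount is host-owned")
    return findings


if __name__ == "__main__":
    # Run inside the container to see which of the three conditions applies.
    status = Path("/proc/self/status").read_text()
    uid_map = Path("/proc/self/uid_map").read_text()  # e.g. "0 1189085184 65536" in a shifted container (constructed sample)
    for finding in diagnose_mknod(status, uid_map):
        print(finding)
```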