On Mon, 05 Aug 2024 at 14:52:04 +0200, Paride Legovini wrote:
> On doing 2>/dev/null, I believe that a-v-unshare runs tests without a
> populated /dev

If true, then that's an important bug in a-v-unshare. Our testbeds
should all be tolerably realistic systems that meet the minimum "API"
requirements for a reasonable Debian chroot/container.

Concretely, I think all of our container backends should set up at least
a minimal /dev, something similar to
`bwrap --ro-bind / / --dev /dev ls /dev` in bubblewrap:

console
core -> /proc/kcore (I don't think this one is actually important)
fd -> /proc/self/fd
full
null
ptmx -> pts/ptmx
pts/
random
shm/
stderr -> /proc/self/fd/2
stdin -> /proc/self/fd/0
stdout -> /proc/self/fd/1
tty
urandom
zero

My understanding is that this is exactly the set of device nodes that it's
possible to set up by using user namespaces, without special privileges
(plus some easy symlinks). debootstrap and pbuilder create a similar set.

    smcv
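A check for that minimal /dev set, as an added example that is not from this thread, autopkgtest or bubblewrap: it uses only the Python standard library, and the incomplete sample tree it builds is constructed for illustration (unprivileged code cannot mknod, so the device nodes themselves are expected to be reported as missing there).

```python
import os
import stat
import tempfile

# Minimal /dev "API" from the thread's bwrap --dev listing, minus /dev/core,
# which the message calls unimportant. ptmx is checked as a device node
# because stat() follows the pts/ptmx symlink that bwrap creates.
CHAR_DEVICES = ("console", "full", "null", "ptmx", "random", "tty", "urandom", "zero")
DIRECTORIES = ("pts", "shm")
SYMLINKS = {"fd": "/proc/self/fd", "stdin": "/proc/self/fd/0",
            "stdout": "/proc/self/fd/1", "stderr": "/proc/self/fd/2"}


def check_dev(root="/dev"):
    """Return sorted 'name: problem' strings; an empty list means root
    provides the minimal set (run as check_dev() inside a testbed)."""
    problems = []
    for name in CHAR_DEVICES:
        try:
            st = os.stat(os.path.join(root, name))  # follows symlinks
        except OSError:  # absent, or a dangling symlink
            problems.append(f"{name}: missing")
            continue
        if not stat.S_ISCHR(st.st_mode):
            problems.append(f"{name}: not a character device")
    for name in DIRECTORIES:
        if not os.path.isdir(os.path.join(root, name)):
            problems.append(f"{name}: missing or not a directory")
    for name, target in SYMLINKS.items():
        path = os.path.join(root, name)
        if not os.path.islink(path):
            problems.append(f"{name}: missing or not a symlink")
            continue
        actual = os.readlink(path)
        if actual != target:
            problems.append(f"{name}: points to {actual!r}, expected {target!r}")
    return sorted(problems)


def build_sample_dev():
    """Constructed, deliberately broken tree: symlinks and directories only,
    /dev/null as a plain file, stderr pointing at the wrong fd."""
    root = tempfile.mkdtemp(prefix="fake-dev-")
    for name in DIRECTORIES:
        os.mkdir(os.path.join(root, name))
    for name, target in SYMLINKS.items():
        bad = "/proc/self/fd/0" if name == "stderr" else target
        os.symlink(bad, os.path.join(root, name))
    os.symlink("pts/ptmx", os.path.join(root, "ptmx"))  # dangling: no pts/ptmx
    open(os.path.join(root, "null"), "w").close()
    return root
```

Running check_dev() inside a testbed and failing the job on a non-empty result turns the "minimum API" above into an automated check.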
