Hi,

using systemd 219-25 on Fedora 22 on a freshly created container I cannot make any device. Usage of --capability=CAP_MKNOD makes no difference.

Steps to reproduce:

    [root@nbl ~]# machinectl pull-raw --verify=no http://ftp.halifax.rwth-aachen.de/fedora/linux/releases/21/Cloud/Images/x86_64/Fedora-Cloud-Base-20141203-21.x86_64.raw.xz
    [root@nbl ~]# systemd-nspawn --capability=CAP_MKNOD -M Fedora-Cloud-Base-20141203-21.x86_64
    [root@Fedora-Cloud-Base-20141203-21 ~]# strace -f mknod /dev/loop0 b 7 0
    mknod("/dev/loop0", S_IFBLK|0666, makedev(7, 0)) = -1 EPERM (Operation not permitted)

Also when bind-mounting e.g. /dev/loop-control and /dev/loop0 into the container I cannot use them.

    [root@nbl ~]# systemd-nspawn --bind=/dev/loop-control:/dev/loop-control --bind=/dev/loop0:/dev/loop0 --bind=/dev/loop1:/dev/loop1 --capability=CAP_MKNOD -M Fedora-Cloud-Base-20141203-21.x86_64
    [root@Fedora-Cloud-Base-20141203-21 ~]# losetup -a
    /dev/loop0: []: (/var/lib/machines/Fedora-Cloud-Base-20141203-21.x86_64.raw)
    [root@Fedora-Cloud-Base-20141203-21 ~]# strace -f losetup -f .bash_history
    [...]
    stat("/dev/loop-control", {st_mode=S_IFCHR|0660, st_rdev=makedev(10, 237), ...}) = 0
    open("/dev/loop-control", O_RDWR|O_CLOEXEC) = -1 EPERM (Operation not permitted)
    [...]
    stat("/dev/loop1", {st_mode=S_IFBLK|0660, st_rdev=makedev(7, 1), ...}) = 0
    stat("/dev/loop1", {st_mode=S_IFBLK|0660, st_rdev=makedev(7, 1), ...}) = 0
    open("/sys/dev/block/7:1", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
    getcwd("/root", 4096) = 6
    lstat("/root/.bash_history", {st_mode=S_IFREG|0600, st_size=322, ...}) = 0
    open("/root/.bash_history", O_RDWR|O_CLOEXEC) = 3
    open("/dev/loop1", O_RDWR|O_CLOEXEC) = -1 EPERM (Operation not permitted)

All of this worked with systemd-216 in Fedora 21. I know that with CAP_MKNOD and usage of devices I am suffering from less isolation in the container - but this is intentional and for sure it must be possible to make a simple loop device.

Best regards
Joachim von Thadden

--
Joachim von Thadden
Web: www.7p-group.com
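An added triage helper, not part of the original post and not systemd code: it parses strace lines of the shape shown in the report and groups them per /dev path, so that for each node one can see whether it exists in the container (stat succeeded), its type, major:minor and mode bits, and which operations on it failed with which errno. The sample trace embedded below is constructed after the report's output. The point it makes visible is the one the trace already contains: the nodes are present with mode 0660 and the caller is root, so the EPERM on open() and mknod() is not a file-permission failure and has to come from a different layer (the capability set, a device access policy, or an LSM); which of those applies is not determined by the trace alone.

```python
"""Group strace output from device operations per /dev path and summarise it.

Added example, not part of the original report. Works on plain strace text
(prompt lines and "[...]" markers are ignored).
"""
import re
from collections import OrderedDict

# Constructed sample, shaped after the strace lines in the report.
SAMPLE_TRACE = """\
[root@Fedora-Cloud-Base-20141203-21 ~]# strace -f mknod /dev/loop0 b 7 0
mknod("/dev/loop0", S_IFBLK|0666, makedev(7, 0)) = -1 EPERM (Operation not permitted)
[...]
stat("/dev/loop-control", {st_mode=S_IFCHR|0660, st_rdev=makedev(10, 237), ...}) = 0
open("/dev/loop-control", O_RDWR|O_CLOEXEC) = -1 EPERM (Operation not permitted)
stat("/dev/loop1", {st_mode=S_IFBLK|0660, st_rdev=makedev(7, 1), ...}) = 0
open("/sys/dev/block/7:1", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
open("/root/.bash_history", O_RDWR|O_CLOEXEC) = 3
open("/dev/loop1", O_RDWR|O_CLOEXEC) = -1 EPERM (Operation not permitted)
"""

# One strace syscall line: optional "[pid N]" prefix, name, argument list,
# numeric return value and, on failure, the errno name with its description.
LINE_RE = re.compile(
    r'^(?:\[pid\s+\d+\]\s+)?(?P<call>\w+)\((?P<args>.*)\)\s*=\s*'
    r'(?P<ret>-?\d+)(?:\s+(?P<errno>E[A-Z0-9]+)\s+\((?P<msg>[^)]*)\))?\s*$')
PATH_RE = re.compile(r'^"([^"]*)"')                      # first quoted argument
MODE_RE = re.compile(r'st_mode=(S_IF[A-Z]+)\|(0[0-7]+)')  # type and mode bits
RDEV_RE = re.compile(r'st_rdev=makedev\((\d+),\s*(\d+)\)')  # major, minor


def parse_line(line):
    """Return a dict for one syscall line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    path_m = PATH_RE.match(m.group('args'))
    return {'call': m.group('call'),
            'path': path_m.group(1) if path_m else None,
            'args': m.group('args'),
            'ret': int(m.group('ret')),
            'errno': m.group('errno')}


def triage(trace_text):
    """Collect, per /dev path, the stat metadata and the failed operations."""
    nodes = OrderedDict()
    for line in trace_text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec['path'] or not rec['path'].startswith('/dev/'):
            continue
        node = nodes.setdefault(rec['path'], {'exists': None, 'kind': None,
                                              'mode': None, 'rdev': None,
                                              'denied': []})
        if rec['call'] in ('stat', 'lstat') and rec['ret'] == 0:
            node['exists'] = True
            mm = MODE_RE.search(rec['args'])
            rm = RDEV_RE.search(rec['args'])
            if mm:
                node['kind'] = {'S_IFBLK': 'block',
                                'S_IFCHR': 'char'}.get(mm.group(1), mm.group(1))
                node['mode'] = mm.group(2)
            if rm:
                node['rdev'] = (int(rm.group(1)), int(rm.group(2)))
        elif rec['call'] in ('stat', 'lstat') and rec['errno'] == 'ENOENT':
            node['exists'] = False
        elif rec['ret'] < 0:
            node['denied'].append((rec['call'], rec['errno']))
    return nodes


def explain(path, node):
    """One-line reading of what the trace shows for a node (no guessing)."""
    denied = ', '.join(f'{c}={e}' for c, e in node['denied']) or 'none'
    if any(c == 'mknod' and e == 'EPERM' for c, e in node['denied']):
        return (f"{path}: mknod denied with EPERM; node creation needs CAP_MKNOD "
                "in the effective set and must not be blocked by a device "
                "access policy. Check both, the trace does not say which.")
    if node['exists'] and any(e == 'EPERM' for _, e in node['denied']):
        where = (f"{node['kind']} {node['rdev'][0]}:{node['rdev'][1]} "
                 f"mode {node['mode']}" if node['rdev'] else 'node present')
        return (f"{path}: {where}; denied: {denied}. The node is visible and "
                "the mode bits allow root, so EPERM comes from another layer "
                "(capabilities, device access policy, or an LSM).")
    if node['exists'] is False:
        return f"{path}: node missing in the container; denied: {denied}."
    return f"{path}: denied: {denied}."


if __name__ == '__main__':
    for p, n in triage(SAMPLE_TRACE).items():
        print(explain(p, n))
```

Feed it the raw output of `strace -f` run inside the container; non-syscall lines are skipped, and the non-/dev failures (such as the ENOENT on /sys/dev/block/7:1) are left out of the per-node summary on purpose, since they say nothing about whether the device node itself is usable.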
_______________________________________________
systemd-devel mailing list
[email protected]
http://lists.freedesktop.org/mailman/listinfo/systemd-devel
