On 19.11.2015 at 18:35, Filipe Brandenburger wrote:
> Hi,
>
> On Thu, Nov 19, 2015 at 7:42 AM, von Thadden, Joachim, SEVEN
> PRINCIPLES <[email protected]> wrote:
>> using systemd 219-25 on Fedora 22 on a freshly created container I cannot
>> make any device. Usage of --capability=CAP_MKNOD makes no difference.
>>
>> Steps to reproduce:
>> [root@nbl ~]# machinectl pull-raw --verify=no http://ftp.halifax.rwth-aachen.de/fedora/linux/releases/21/Cloud/Images/x86_64/Fedora-Cloud-Base-20141203-21.x86_64.raw.xz
>> [root@nbl ~]# systemd-nspawn --capability=CAP_MKNOD -M Fedora-Cloud-Base-20141203-21.x86_64
>> [root@Fedora-Cloud-Base-20141203-21 ~]# strace -f mknod /dev/loop0 b 7 0
>> mknod("/dev/loop0", S_IFBLK|0666, makedev(7, 0)) = -1 EPERM (Operation not permitted)
> This is likely being caused by the use of the "devices" namespace,
> which prevents you from using specific character and block devices
> inside a cgroup. nspawn now sets these by default.
>
> Calling systemd-nspawn with --property='DeviceAllow=/dev/loop0 rwm'
> should allow it to mknod and later use it in losetup as well.

This is good news, but in systemd 219 (Fedora 22) --property is not yet implemented. So this might be a solution for Fedora 23. But your hint was right and you are my hero for today! Just echoing the devices to the right cgroup machine.slice entry after starting the container does the trick with FC22/systemd 219:

[root@nbl ~]# echo "c 10:237 rwm" > /sys/fs/cgroup/devices/machine.slice/machine-Fedora\\x2dCloud\\x2dBase\\x2d23\\x2d20151030.x86_64.scope/devices.allow
[root@nbl ~]# echo "b 7:1 rwm" > /sys/fs/cgroup/devices/machine.slice/machine-Fedora\\x2dCloud\\x2dBase\\x2d23\\x2d20151030.x86_64.scope/devices.allow
[root@nbl ~]# echo "b 7:0 rwm" > /sys/fs/cgroup/devices/machine.slice/machine-Fedora\\x2dCloud\\x2dBase\\x2d23\\x2d20151030.x86_64.scope/devices.allow
[root@nbl ~]# cat /sys/fs/cgroup/devices/machine.slice/machine-Fedora\\x2dCloud\\x2dBase\\x2d23\\x2d20151030.x86_64.scope/devices.list
c 1:3 rwm
c 1:5 rwm
c 1:7 rwm
c 1:8 rwm
c 1:9 rwm
c 5:0 rwm
c 10:200 rwm
c 5:2 rw
c 136:* rw
c 10:237 rwm
b 7:1 rwm
b 7:0 rwm
[root@nb0925-l ~]#

After that you can make the device nodes (interestingly without the need to give CAP_MKNOD to the container, but in fact that would be a redundancy) or use the --bind and everything works again.

Thanks a lot
        Joachim

-- 
Joachim von Thadden
Lead Technical Architect

SEVEN PRINCIPLES AG
Ernst-Dietrich-Platz 2
40882 Ratingen
Mobil: +49 162 261 64 66
Tel:   +49 2102 557 100
Fax:   +49 2102 557 101

E-Mail: [email protected]
Web: www.7p-group.com
________________________________
Supervisory Board: Prof. Dr. h.c. Hans Albert Aukes
Chairman of the Board: Joseph Kronfli
Commercial Register: HRB 30660 | VAT ID: DE197820124 | Tax No.: 218/5734/1640
Registered office: Köln | Registry court: Amtsgericht Köln
 
The information contained in this e-mail is intended solely for the addressee. 
Access to this e-mail by anyone else is unauthorized. If you are not the 
intended recipient, any form of disclosure, reproduction, distribution or any 
action taken or refrained from in reliance on it, is prohibited and may be 
unlawful. Please notify the sender immediately and destroy this e-mail.


_______________________________________________
systemd-devel mailing list
[email protected]
http://lists.freedesktop.org/mailman/listinfo/systemd-devel
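Each write to devices.allow in the message above punches one more hole in the device whitelist that nspawn set up for the machine scope, so it is worth knowing exactly what a given devices.list permits before and after such a change. The shell helpers below are an added example, not code from the thread or from systemd: machine_scope_dir builds the scope path (it assumes cgroup v1 mounted at /sys/fs/cgroup/devices, as on Fedora 22, and uses a simplified escape that only turns '-' into \x2d, which is all the machine name in the thread needs), and device_allowed reproduces the kernel's whitelist rule for this controller: an access is granted only if a single entry matches the type ('a' matches any type), the major and the minor ('*' is a wildcard) and contains every requested mode, where mknod needs 'm' and open for reading or writing needs 'r' or 'w'. The sample devices.list is constructed from the listing above.

```shell
#!/bin/sh
# Added example (not from the thread or from systemd): helpers for the
# cgroup-v1 devices controller that systemd-nspawn configures per machine.
# Assumption: cgroup v1 is mounted at /sys/fs/cgroup/devices (Fedora 22).

# Path of the devices cgroup for a machine name. systemd escapes '-' in
# unit names as \x2d; this simplified escape handles only '-' (assumed
# sufficient for names made of [A-Za-z0-9_.] and '-', as in the thread).
machine_scope_dir() {
  escaped=$(printf '%s' "$1" | sed 's/-/\\x2d/g')
  printf '/sys/fs/cgroup/devices/machine.slice/machine-%s.scope\n' "$escaped"
}

# device_allowed LISTFILE TYPE MAJOR MINOR ACCESS
# Mirrors the kernel whitelist rule: the access is granted only if one entry
# matches the type ('a' matches both c and b), the major and the minor
# ('*' is a wildcard) and contains every requested mode. mknod needs 'm',
# open for reading/writing needs 'r'/'w'. Returns 0 (allowed) or 1 (denied).
device_allowed() {
  file=$1 dtype=$2 major=$3 minor=$4 want=$5
  while read -r etype enum eacc; do
    [ -n "$etype" ] || continue
    [ "$etype" = a ] || [ "$etype" = "$dtype" ] || continue
    emajor=${enum%%:*}
    eminor=${enum#*:}
    [ "$emajor" = '*' ] || [ "$emajor" = "$major" ] || continue
    [ "$eminor" = '*' ] || [ "$eminor" = "$minor" ] || continue
    ok=1
    for mode in r w m; do
      case $want in
        *"$mode"*)
          case $eacc in
            *"$mode"*) ;;
            *) ok=0 ;;
          esac ;;
      esac
    done
    if [ "$ok" = 1 ]; then
      return 0
    fi
  done < "$file"
  return 1
}

# Constructed devices.list, modelled on the listing in the thread after the
# three devices.allow writes. Written to a temp file so the check runs
# offline; on a real host use "$(machine_scope_dir NAME)/devices.list".
write_sample_list() {
  f=$(mktemp)
  cat > "$f" <<'EOF'
c 1:3 rwm
c 1:5 rwm
c 5:2 rw
c 136:* rw
c 10:237 rwm
b 7:1 rwm
b 7:0 rwm
EOF
  printf '%s\n' "$f"
}

# Demo: print the decision for a few requests against the sample list.
sample=$(write_sample_list)
for req in 'b 7 0 rwm' 'b 7 2 rwm' 'c 136 42 rw' 'c 136 42 m' 'c 5 2 m'; do
  set -- $req
  if device_allowed "$sample" "$1" "$2" "$3" "$4"; then
    echo "allow: $req"
  else
    echo "deny:  $req"
  fi
done
rm -f "$sample"
```

Run as-is it prints the decision for each demo request; on a real host, point device_allowed at "$(machine_scope_dir NAME)/devices.list" and check the device you intend to grant before and after writing to devices.allow. The rule also matches the report at the top of the thread: without an entry for b 7:0 that carries 'm', mknod is refused by the controller no matter which capabilities the container holds, so --capability=CAP_MKNOD on its own cannot change the outcome.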
