12:38 p.m.
Hello all, hope all is well
Issue: Any way to give granular mknod capabilities to a container? Only
allow creation of specific device?
bit of background
Have a laptop running arch and libvirt
loading an arch lxc container created from lxc-create
Overall container is up and running, I use it for vpn connections
Initially it would not setup of the tun device. Previously using just the
lxc tool set, I can edit the lxc.conf config file for the container and
allow device creation of just the tun device.
In libvirt I can add capabilities for mknod, but seems to be blanket for
any device creation within the container? Is this correct?
Thanks and Regards
2:48 a.m.
On Wed, Aug 17, 2016 at 12:38:10PM -0500, jsl6uy js16uy wrote:
Hello all, hope all is well
Issue: Any way to give granular mknod capabilities to a container? Only
allow creation of specific device?
bit of background
Have a laptop running arch and libvirt
loading an arch lxc container created from lxc-create
Overall container is up and running, I use it for vpn connections
Initially it would not setup of the tun device. Previously using just the
lxc tool set, I can edit the lxc.conf config file for the container and
allow device creation of just the tun device.
In libvirt I can add capabilities for mknod, but seems to be blanket for
any device creation within the container? Is this correct?
If you know what device you want do you don't need to allow mknod at
all, just tell libvirt to create it for you eg
<hostdev mode='capabilities' type='misc'>
<source>
<char>/dev/net/tun</char>
</source>
</hostdev>
Regards,
Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|
9:30 a.m.
Very Nice.
Will try that path and keep that in mind future forward!
Thanks very much
Regards
On Thu, Aug 18, 2016 at 2:48 AM, Daniel P. Berrange <berrange(a)redhat.com>
wrote:
On Wed, Aug 17, 2016 at 12:38:10PM -0500, jsl6uy js16uy wrote:
> Hello all, hope all is well
>
> Issue: Any way to give granular mknod capabilities to a container? Only
> allow creation of specific device?
>
> bit of background
>
> Have a laptop running arch and libvirt
> loading an arch lxc container created from lxc-create
> Overall container is up and running, I use it for vpn connections
>
> Initially it would not setup of the tun device. Previously using just the
> lxc tool set, I can edit the lxc.conf config file for the container and
> allow device creation of just the tun device.
>
> In libvirt I can add capabilities for mknod, but seems to be blanket for
> any device creation within the container? Is this correct?
If you know what device you want do you don't need to allow mknod at
all, just tell libvirt to create it for you eg
<hostdev mode='capabilities' type='misc'>
<source>
<char>/dev/net/tun</char>
</source>
</hostdev>
Regards,
Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/
:|
|: http://libvirt.org -o- http://virt-manager.org
:|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/
:|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc
:|
3018
days inactive
3019
days old
2 comments
2 participants
participants (2)
-
Daniel P. Berrange -
jsl6uy js16uy