
On Wed, Aug 17, 2016 at 12:38:10PM -0500, jsl6uy js16uy wrote:
Hello all, hope all is well.
Issue: Is there any way to give granular mknod capabilities to a container, i.e. only allow creation of a specific device?
A bit of background:
I have a laptop running Arch, with libvirt loading an Arch LXC container created with lxc-create. Overall the container is up and running; I use it for VPN connections.
Initially it would not set up the tun device. Previously, using just the LXC tool set, I could edit the container's lxc.conf config file and allow device creation of just the tun device.
In libvirt I can add capabilities for mknod, but that seems to be a blanket allowance for any device creation within the container. Is this correct?
If you know what device you want, then you don't need to allow mknod at all; just tell libvirt to create it for you, e.g.

  <hostdev mode='capabilities' type='misc'>
    <source>
      <char>/dev/net/tun</char>
    </source>
  </hostdev>

Regards,
Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|
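For readers who want to see the two approaches side by side, here is an added example (not part of the thread above) of a trimmed libvirt LXC domain definition. The domain name, memory size, root path and network interface are placeholder values; the hostdev element is exactly the one Daniel suggests, and the commented-out features block shows the blanket mknod grant that the question describes, which is what the hostdev approach lets you leave out. The <features>/<capabilities>/<mknod> element is libvirt's own LXC capability syntax, but whether your libvirt build honours it should be checked against the version you run.

```xml
<domain type='lxc'>
  <name>vpn-container</name>          <!-- placeholder name -->
  <memory unit='MiB'>512</memory>     <!-- placeholder size -->
  <os>
    <type>exe</type>
    <init>/sbin/init</init>
  </os>

  <!-- NOT needed when the device is declared below. Granting mknod here
       lets any process in the container create *any* device node, which is
       the over-broad permission the original question was trying to avoid.
  <features>
    <capabilities policy='default'>
      <mknod state='on'/>
    </capabilities>
  </features>
  -->

  <devices>
    <filesystem type='mount'>
      <source dir='/var/lib/lxc/vpn-container/rootfs'/>   <!-- placeholder path -->
      <target dir='/'/>
    </filesystem>

    <interface type='network'>
      <source network='default'/>
    </interface>

    <!-- libvirt creates /dev/net/tun inside the container at start-up,
         so no CAP_MKNOD is required and no other device can be created. -->
    <hostdev mode='capabilities' type='misc'>
      <source>
        <char>/dev/net/tun</char>
      </source>
    </hostdev>
  </devices>
</domain>
```

After defining and starting the domain, /dev/net/tun should exist inside the container's /dev even though the mknod capability remains dropped; if the VPN software still fails, confirm the node is present from inside the container before reaching for a broader capability grant.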