On Wed, Aug 17, 2016 at 12:38:10PM -0500, jsl6uy js16uy wrote:
> Hello all, hope all is well
>
> Issue: Any way to give granular mknod capabilities to a container? Only
> allow creation of specific device?
>
> bit of background
>
> Have a laptop running arch and libvirt
> loading an arch lxc container created from lxc-create
> Overall container is up and running, I use it for vpn connections
>
> Initially it would not setup of the tun device. Previously using just the
> lxc tool set, I can edit the lxc.conf config file for the container and
> allow device creation of just the tun device.
>
> In libvirt I can add capabilities for mknod, but seems to be blanket for
> any device creation within the container? Is this correct?
If you know what device you want do you don't need to allow mknod at
all, just tell libvirt to create it for you eg
<hostdev mode='capabilities' type='misc'>
<source>
<char>/dev/net/tun</char>
</source>
</hostdev>
Regards,
Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|