[libvirt-users] libvirt-lxc capabilities mknod

Hello all, hope all is well.

Issue: Any way to give granular mknod capabilities to a container? Only allow creation of a specific device?

Bit of background:
Have a laptop running Arch and libvirt loading an Arch LXC container created from lxc-create. Overall the container is up and running; I use it for VPN connections.
Initially it would not set up the tun device. Previously, using just the LXC tool set, I can edit the lxc.conf config file for the container and allow device creation of just the tun device.
In libvirt I can add capabilities for mknod, but it seems to be blanket for any device creation within the container? Is this correct?

Thanks and Regards

On Wed, Aug 17, 2016 at 12:38:10PM -0500, jsl6uy js16uy wrote:
Hello all, hope all is well
Issue: Any way to give granular mknod capabilities to a container? Only allow creation of specific device?
bit of background
Have a laptop running Arch and libvirt loading an Arch LXC container created from lxc-create. Overall the container is up and running; I use it for VPN connections.
Initially it would not set up the tun device. Previously, using just the LXC tool set, I can edit the lxc.conf config file for the container and allow device creation of just the tun device.
In libvirt I can add capabilities for mknod, but it seems to be blanket for any device creation within the container? Is this correct?
If you know what device you want then you don't need to allow mknod at all, just tell libvirt to create it for you, eg

  <hostdev mode='capabilities' type='misc'>
    <source>
      <char>/dev/net/tun</char>
    </source>
  </hostdev>

Regards,
Daniel

--
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|
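As an added illustration (not code from Daniel's reply or from libvirt itself), the script below audits a libvirt LXC domain XML for the two approaches discussed in this thread: it flags a blanket CAP_MKNOD grant under <features><capabilities> and lists the character devices handed in through <hostdev mode='capabilities' type='misc'>. The two domain definitions are constructed samples; the <features><capabilities policy=...> element with per-capability state='on'/'off' children is libvirt's LXC capability syntax.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the blanket approach from the question, granting
# CAP_MKNOD to the whole container (any device node can then be created).
MKNOD_DOMAIN = """<domain type='lxc'>
  <name>vpnbox</name>
  <features>
    <capabilities policy='default'>
      <mknod state='on'/>
    </capabilities>
  </features>
  <devices/>
</domain>"""

# Constructed sample: the approach from the reply, passing in only /dev/net/tun.
HOSTDEV_DOMAIN = """<domain type='lxc'>
  <name>vpnbox</name>
  <devices>
    <hostdev mode='capabilities' type='misc'>
      <source>
        <char>/dev/net/tun</char>
      </source>
    </hostdev>
  </devices>
</domain>"""


def audit_lxc_domain(xml_text):
    """Report how a libvirt LXC domain XML handles device creation.

    mknod_on: True when CAP_MKNOD ends up enabled. char_devices: host
    character devices handed in via <hostdev mode='capabilities'>."""
    root = ET.fromstring(xml_text)
    caps = root.find("./features/capabilities")
    policy = caps.get("policy", "default") if caps is not None else "default"
    mknod = caps.find("mknod") if caps is not None else None
    state = mknod.get("state") if mknod is not None else None
    # policy='allow' keeps every capability unless explicitly switched off;
    # 'default' and 'deny' only grant mknod when it is explicitly state='on'.
    mknod_on = state != "off" if policy == "allow" else state == "on"
    char_devices = [c.text.strip()
                    for h in root.findall("./devices/hostdev")
                    if h.get("mode") == "capabilities" and h.get("type") == "misc"
                    for c in h.findall("./source/char") if c.text]
    findings = []
    if mknod_on:
        findings.append("CAP_MKNOD granted: container may create any device node")
    findings += ["device passed in without mknod: " + d for d in char_devices]
    return {"policy": policy, "mknod_on": mknod_on,
            "char_devices": char_devices, "findings": findings}
```

Running audit_lxc_domain over a dumped domain definition tells you at a glance whether a container relies on the blanket capability or on an explicit device pass-through.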

Very nice. Will try that path and keep that in mind future forward! Thanks very much.
Regards

On Thu, Aug 18, 2016 at 2:48 AM, Daniel P. Berrange <berrange@redhat.com> wrote:
If you know what device you want then you don't need to allow mknod at all, just tell libvirt to create it for you, eg

  <hostdev mode='capabilities' type='misc'>
    <source>
      <char>/dev/net/tun</char>
    </source>
  </hostdev>
Regards,
Daniel