[pkg-lxc-devel] Bug#1008196: lxc-templates: Permission issues on device nodes: move to cgroups2

Goblin debbugs at uukgoblin.net
Thu Mar 24 09:07:43 GMT 2022


Package: lxc-templates
Version: 3.0.4-5
Severity: normal
X-Debbugs-Cc: debbugs at uukgoblin.net

Dear Maintainer,

   * What led up to the situation?

   I started a debian-based LXC guest and tried to use OpenVPN inside
   it.

   * What exactly did you do (or not do) that was effective (or
     ineffective)?

   I created /dev/net/tun in the container's `config` file with
   `lxc.mount.entry = /dev/net/tun dev/net/tun none bind,create=file`.
   Also tried using `mknod` inside the container, that seems to have
   worked too. I made sure the permissions on that device node were
   0666.

   * What was the outcome of this action?
   
   I got the device, but opening it (either with OpenVPN or simply
   `cat`ting it) resulted in a Permission denied error.

   * What outcome did you expect instead?

   I expected openvpn to work inside the container. `cat /dev/net/tun`
   should be returning "File descriptor in bad state" rather than
   "Permission denied".

I tried adding `lxc.cgroup.devices.allow = c 10:200 rwm` to my
container's config as found on various online help sites, but that did
not help on my system.

I later found that `/usr/share/lxc/config/debian.common.conf` also
contains such lines, but it turns out (as a helpful person on IRC
pointed out), that we've now moved to cgroup2. So all these lines in
that file should probably be changed to `lxc.cgroup2.devices.allow`.
Changing that in my container's config file made it work, i.e. I can
now access `/dev/net/tun` inside it fine.


-- System Information:
Debian Release: 11.2
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 5.14.0-0.bpo.2-amd64 (SMP w/16 CPU threads)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_CRAP, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages lxc-templates depends on:
ii  lxc  1:4.0.6-2

Versions of packages lxc-templates recommends:
ii  bridge-utils       1.7-1
ii  busybox-static     1:1.30.1-6+b3
ii  cloud-image-utils  0.31-2
ii  debootstrap        1.0.123
ii  distro-info        1.0
ii  mmdebstrap         0.7.5-2.2
ii  openssl            1.1.1k-1+deb11u1
ii  rsync              3.2.3-4+deb11u1
ii  uuid-runtime       2.36.1-8+deb11u1
ii  xz-utils           5.2.5-2

Versions of packages lxc-templates suggests:
pn  qemu-user-static  <none>

-- no debconf information
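
The check described in the report above, as an added example that is not part of the original report or of the lxc packages: it reports whether the host runs the unified cgroup2 hierarchy, lists `lxc.cgroup.devices.*` keys in a container config, and prints the config with them renamed to `lxc.cgroup2.devices.*`. The function names and the sample config are constructed for illustration; detecting the hierarchy from the filesystem type of /sys/fs/cgroup is an assumption about how the host mounts it.

```shell
#!/bin/sh
# Added example (not from the bug report or the lxc packages).

# Report the cgroup layout from the filesystem type mounted at /sys/fs/cgroup.
# Assumption: cgroup2fs means unified (v2), tmpfs means v1 or hybrid.
cgroup_mode() {
    case "$(stat -fc %T "${1:-/sys/fs/cgroup}" 2>/dev/null)" in
        cgroup2fs) echo v2 ;;
        tmpfs)     echo v1-or-hybrid ;;
        *)         echo unknown ;;
    esac
}

# List (with line numbers) the v1-style device-controller keys in a config.
# Commented-out lines and keys already using cgroup2 are not reported.
legacy_device_keys() {
    grep -nE '^[[:space:]]*lxc\.cgroup\.devices\.(allow|deny)[[:space:]]*=' "$1"
}

# Print the config with those keys renamed; the device rules are unchanged,
# so the allowlist stays exactly as narrow as it was written.
to_cgroup2() {
    sed -E 's/^([[:space:]]*)lxc\.cgroup\.devices\.(allow|deny)([[:space:]]*=)/\1lxc.cgroup2.devices.\2\3/' "$1"
}

# Constructed sample config using the two lines quoted in the report.
sample_config() {
    cat <<'EOF'
lxc.mount.entry = /dev/net/tun dev/net/tun none bind,create=file
lxc.cgroup.devices.allow = c 10:200 rwm
EOF
}

# Demo run on the constructed sample.
cfg=$(mktemp) && sample_config > "$cfg"
echo "host cgroup mode: $(cgroup_mode)"
echo "legacy device keys:"
legacy_device_keys "$cfg" || echo "  (none)"
echo "config rewritten for cgroup2:"
to_cgroup2 "$cfg"
rm -f "$cfg"
```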


