lxd: enable security.syscalls.intercept.mknod if supported to allow snaps to create some device nodes #3218
Conversation
3cd309d to ed194dc
So it looks like I've got something working on the 18.04 and 20.04 systems, but it introduces a general failure on 16.04:
It seems 16.04's kernel is missing the features needed to implement this syscall interception feature. It looks like we should be able to detect this through the pylxd client though. I'll give that a go.
Nicely done, really like the stepped approach here
summary: Verify LXD builds can make (some) device nodes

systems:
  - -ubuntu-16.04* # kernel does not support syscall interception
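Review bot: the `-ubuntu-16.04*` exclusion means this spread test never exercises the unsupported-kernel case it names in its comment; since the thread says the provider should detect missing support through the pylxd client and not set the key on such hosts, the comment should say what 16.04 is expected to do instead (skip the setting rather than fail), or point at where that fallback path is covered, so the exclusion is not read as "16.04 is untested".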
TIL you can filter out systems :D
LGTM. This one is particularly exciting for me :D I think the first snap I tried building with LXD did a mknod and it exploded. I figured "oh this must be a reason why LXD is marked experimental".
No idea what that project was, and I've never seen the issue since! Since LXD is still marked experimental, maybe we can drop that now lol.
When building a bootable base snap, it is common to include a few device files in /dev for the benefit of anything running in early boot before udev/devtmpfs is available.

However, trying to build such a snap with the LXD build provider fails because the mknod syscall is blocked by default for unprivileged containers. LXD does provide a way to give unprivileged containers limited access to the syscall for device nodes it considers safe: https://linuxcontainers.org/lxd/docs/master/syscall-interception#mknod-mknodat

This safe set of devices includes all of the ones included in the core18 and core20 snaps, so enabling it should allow bases like that to be built under LXD.
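As an added example (not the PR's own code), one way the provider could do the detection discussed above: read the LXD server's `GET /1.0` document (pylxd exposes it as `Client().host_info`), check the kernel feature flag, and set the container key only when both the API extension and the kernel support are present. The `container_syscall_intercept` extension name and the `environment.kernel_features.seccomp_listener` field are assumptions about the LXD API, not taken from the PR, and the sample server responses are constructed.

```python
"""Enable mknod syscall interception for an LXD build container only when
the host supports it (constructed example; not snapcraft's own code)."""
from typing import Any, Dict

MKNOD_KEY = "security.syscalls.intercept.mknod"


def host_supports_mknod_interception(server_info: Dict[str, Any]) -> bool:
    """Decide from the LXD 'GET /1.0' document whether interception can work.

    Assumptions about the LXD API (not stated in the PR):
    - the server lists 'container_syscall_intercept' in 'api_extensions'
      when it knows the security.syscalls.intercept.* keys, and
    - 'environment.kernel_features.seccomp_listener' is the string "true"
      when the running kernel has the seccomp notifier the feature needs.
    Both must hold: a recent LXD on an old kernel (the 16.04 failure in the
    thread) advertises the extension but reports the kernel feature false.
    """
    extensions = server_info.get("api_extensions", [])
    if "container_syscall_intercept" not in extensions:
        return False
    features = server_info.get("environment", {}).get("kernel_features", {})
    return str(features.get("seccomp_listener", "false")).lower() == "true"


def mknod_config_for(server_info: Dict[str, Any]) -> Dict[str, str]:
    """Return the config entries to merge into the container, if any."""
    if host_supports_mknod_interception(server_info):
        return {MKNOD_KEY: "true"}
    return {}


def configure_container(container: Any, server_info: Dict[str, Any]) -> bool:
    """Apply the key to a pylxd-style container (an object with a .config
    dict and a .save(wait=...) method); returns True when the key was set."""
    extra = mknod_config_for(server_info)
    if not extra:
        return False
    container.config.update(extra)
    container.save(wait=True)
    return True


# Constructed sample responses standing in for pylxd's Client().host_info.
SERVER_NEW_KERNEL = {
    "api_extensions": ["container_syscall_intercept"],
    "environment": {"kernel_features": {"seccomp_listener": "true"}},
}
SERVER_OLD_KERNEL = {  # e.g. an Ubuntu 16.04 host
    "api_extensions": ["container_syscall_intercept"],
    "environment": {"kernel_features": {"seccomp_listener": "false"}},
}
```

Because the key is only set when the host reports support, a build on an unsupported kernel proceeds without the setting instead of failing at container configuration time.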