lxd: enable security.syscalls.intercept.mknod if supported to allow snaps to create some device nodes

[jhenstridge]

• Have you followed the guidelines for contributing?
• Have you signed the CLA?
• Have you successfully run ./runtests.sh static?
• Have you successfully run ./runtests.sh tests/unit?

---

When building a bootable base snap, it is common to include a few device files in /dev for the benefit of anything running in early boot before udev/devtmpfs is available.

However, trying to build such a snap with the LXD build provider fails because the mknod syscall is blocked by default for unprivileged containers. LXD does provide a way to give unprivileged containers limited access to the syscall for device nodes it considers safe:

https://linuxcontainers.org/lxd/docs/master/syscall-interception#mknod-mknodat

This safe set of devices includes all of the ones included in the core18 and core20 snaps, so enabling it should allow bases like that to be built under LXD.

[jhenstridge]

So it looks like I've got something working on the 18.04 and 20.04 systems, but introduces a general failure on 16.04:

Sorry, an error occurred in Snapcraft:
An error occurred with the instance when trying to start with 'LXD': Common start logic: System doesn't support syscall interception.
Ensure that 'LXD' is setup correctly and try again.

It seems 16.04's kernel is missing the features needed to implement this syscall interception feature. It looks like we should be able to detect this through the pylxd client though. I'll give that a go.

[sergiusens]

Nicely done, really like the stepped approach here

[cjp256]

TIL you can filter out systems :D

[cjp256]

LGTM. This one is particularly exciting for me :D I think the first snap I tried building with LXD did a mknod and it exploded. I figured "oh this must be a reason why LXD is marked experimental".

No idea what that project was, and I've never seen the issue since! Since LXD is still marked experimental, maybe we can drop that now lol.