Hi,

After the comments here, I had a closer look at the docker code. The problem was that it would always try to create some default devices <https://github.com/docker/libcontainer/blob/master/configs/device_defaults.go> without it checking if it had the permissions to do so. For now, I've created a fork of docker and added a fix to create the devices only if the devices cgroup is present <https://github.com/akshaykarle/docker/commit/0299d2c2084d7f42e7c2c433fca7f5ab3066d2be>. This seems to work and I'm now able to run docker inside unprivileged LXC containers.
But I don't know if just checking for the devices cgroup mountpoint is the right fix. I feel the right way would be to create only those devices that are allowed by lxc.cgroup.devices.allow, but I don't know how I can check the devices enabled in the unprivileged lxc container itself. Any way to do so?

On Mon, Jun 15, 2015 at 2:42 PM Serge Hallyn <[email protected]> wrote:

> Quoting Stewart Brodie ([email protected]):
> > Serge Hallyn <[email protected]> wrote:
> >
> > > Quoting Stewart Brodie ([email protected]):
> >
> > > > However, another far neater way of doing this could be to use the
> > > > freezer instead. Just give lxc-start a new command-line option to start
> > > > the container *but* crucially, leave it frozen when lxc-start exits.
> > > > The caller can then just do lxc-start, lxc-device, lxc-unfreeze.
> > >
> > > [can you run lxc-device on a frozen container?]
> >
> > For future reference, this does indeed work. I like the idea, because it
> > would allow all sorts of fettling to go on with the new container from the
> > host side before it really starts executing.
>
> fwiw I'm not opposed to this if someone wants to code it up. Basically
> right before exec(2)ing /sbin/init, the task would freeze itself.
_______________________________________________
lxc-users mailing list
[email protected]
http://lists.linuxcontainers.org/listinfo/lxc-users
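The message asks how to tell which devices the container is allowed to create. One approach, given here as an added example that is not part of the original post or of the docker fork, is to parse the whitelist that the cgroup v1 devices controller exposes in `devices.list` and test each default device against it. It assumes that file is readable from inside the container; `Rule`, `ParseDevicesList`, `Allowed` and the sample rules are hypothetical names and constructed data.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

// Constructed sample of a cgroup v1 devices.list (not taken from the thread).
const sample = "c 1:3 rwm\nc 1:5 rwm\nc 5:* rwm\nc 136:* rw\n"

// Rule is one whitelist entry: type (a, b or c), major, minor, access (r, w, m).
type Rule struct{ Type, Major, Minor, Access string }

// ParseDevicesList parses the text of a devices.list file into rules.
func ParseDevicesList(text string) ([]Rule, error) {
	var rules []Rule
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) == 0 {
			continue // skip blank lines
		}
		var mm []string
		if len(f) == 3 {
			mm = strings.Split(f[1], ":")
		}
		if len(mm) != 2 {
			return nil, fmt.Errorf("malformed rule %q", sc.Text())
		}
		rules = append(rules, Rule{f[0], mm[0], mm[1], f[2]})
	}
	return rules, sc.Err()
}

// Allowed reports whether some rule grants every access letter in want
// (for example "m" for mknod) on the device typ major:minor.
func Allowed(rules []Rule, typ string, major, minor int, want string) bool {
	match := func(pat string, n int) bool { return pat == "*" || pat == strconv.Itoa(n) }
	for _, r := range rules {
		if (r.Type != "a" && r.Type != typ) || !match(r.Major, major) || !match(r.Minor, minor) {
			continue
		}
		if strings.Trim(want, r.Access) == "" { // every wanted letter is granted
			return true
		}
	}
	return false
}

func main() {
	rules, err := ParseDevicesList(sample)
	if err != nil {
		panic(err)
	}
	fmt.Println("mknod /dev/null (c 1:3):", Allowed(rules, "c", 1, 3, "m"))
	fmt.Println("mknod /dev/random (c 1:8):", Allowed(rules, "c", 1, 8, "m"))
}
```

A passing check only reflects the cgroup whitelist; creating the node can still fail for other reasons, so the mknod error path needs handling either way.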
