[Bug 1843490] Re: lxc.cgroup.devices.allow prevents unprivileged container from starting

2019-09-22 Thread linas
So is there a workaround? In my case, I'm trying to access an OpenCL gpu
from a userland container. I was assuming that the below might be
enough.

lxc.mount.entry = /dev/dri/card1 dev/dri/card1 none bind,optional,create=file
lxc.mount.entry = /dev/dri/renderD128 dev/dri/renderD128 none bind,optional,create=file

lxc.cgroup.devices.allow = c 226:* rwm

The mounts work (although owned by nobody:nobody instead of root:video)
and the devices cgroup stanza in the config file generates the container
boot error, as described above. The mounts are not enough to get OpenCL
access in the container: running "clinfo" (the OpenCL diagnostic) in the
container doesn't find the devices (I presume because of ... well,
something to do with /dev/dri but don't really know).

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1843490

Title:
  lxc.cgroup.devices.allow prevents unprivileged container from starting

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/1843490/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1843490] Re: lxc.cgroup.devices.allow prevents unprivileged container from starting

2019-09-10 Thread Stéphane Graber via ubuntu-bugs
"lxc.cgroup.devices" is meaningless for unprivileged containers as those
can never create those devices anyway, so they'll only ever have access
to whatever devices lxc provides and nothing more. All our own default
configs specifically do not set that cgroup controller for unprivileged
containers.

The error you're getting specifically suggests that the cgroups that are
delegated to your unprivileged users do not include the devices
controller which does match what I'm seeing in /proc/self/cgroup on my
system here.

If you wanted to be able to write to the devices cgroup, you would need
your user session to have the devices cgroup in /proc/self/cgroup point
to a path that your user can write to. At which point the config should
work, though it would still effectively be meaningless.

** Changed in: lxc (Ubuntu)
   Status: New => Invalid

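As an added example (not from the bug thread and not LXC's own code), here is a small Python check for the condition Stéphane describes: whether the calling user's devices cgroup, as listed in /proc/self/cgroup, is a path that user can write to. LXC creates the container's cgroup as a child of the cgroup the calling process is in, so if that directory is not writable the devices stanza cannot be applied and the container does not start. The /proc/self/cgroup contents below are constructed samples; the cgroup mount root is assumed to be /sys/fs/cgroup, and the self-test substitutes a temporary directory for it.

```python
import os
import tempfile

# Constructed /proc/self/cgroup samples (cgroup v1/hybrid layout, "<id>:<controllers>:<path>").
# Paths and hierarchy ids are assumptions chosen to look like an Ubuntu desktop session.
SAMPLE_V1_NO_DELEGATION = """\
12:devices:/user.slice
11:pids:/user.slice/user-1000.slice/session-2.scope
6:memory:/user.slice/user-1000.slice/session-2.scope
1:name=systemd:/user.slice/user-1000.slice/session-2.scope
0::/user.slice/user-1000.slice/session-2.scope
"""
SAMPLE_V1_DELEGATED = """\
12:devices:/user.slice/user-1000.slice/session-2.scope
6:memory:/user.slice/user-1000.slice/session-2.scope
0::/user.slice/user-1000.slice/session-2.scope
"""
# Pure cgroup v2 host: only the unified line, so no "devices" v1 controller at all.
SAMPLE_V2 = "0::/user.slice/user-1000.slice/session-2.scope\n"


def parse_proc_cgroup(text):
    """Map each v1 controller name to its cgroup path; the unified v2 line is stored under ''."""
    mapping = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        try:
            _hier_id, controllers, path = line.split(":", 2)
        except ValueError:
            continue  # ignore anything that is not a three-field line
        if controllers == "":
            mapping[""] = path  # cgroup2 unified hierarchy
            continue
        for ctrl in controllers.split(","):  # e.g. "cpu,cpuacct" share one path
            mapping[ctrl] = path
    return mapping


def devices_cgroup_path(text):
    """Devices v1 cgroup of the process that read /proc/self/cgroup, or None if not mounted."""
    return parse_proc_cgroup(text).get("devices")


def devices_cgroup_writable(text, cgroup_root="/sys/fs/cgroup"):
    """True if the caller may create child cgroups under its own devices cgroup.

    Caveat: os.access() answers True for root regardless of mode bits, so run
    this as the unprivileged user who will start the container.
    """
    path = devices_cgroup_path(text)
    if path is None:
        return False
    full = os.path.join(cgroup_root, "devices", path.lstrip("/"))
    return os.path.isdir(full) and os.access(full, os.W_OK)


def explain_devices_delegation(text, cgroup_root="/sys/fs/cgroup"):
    """One-line verdict covering the three situations the thread touches on."""
    path = devices_cgroup_path(text)
    if path is None:
        return "no devices v1 controller in /proc/self/cgroup: lxc.cgroup.devices.* cannot apply"
    if devices_cgroup_writable(text, cgroup_root):
        return "devices cgroup %s is writable: lxc.cgroup.devices.* can be written (still pointless for an unprivileged container)" % path
    return "devices cgroup %s is not writable by this user: lxc.cgroup.devices.* will stop the container from starting" % path


def demo_with_fake_cgroupfs():
    """Exercise the check against temporary directories standing in for /sys/fs/cgroup."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        # Delegated host: the session scope exists under devices/ and is ours to write.
        os.makedirs(os.path.join(root, "devices", "user.slice", "user-1000.slice", "session-2.scope"))
        results["delegated"] = devices_cgroup_writable(SAMPLE_V1_DELEGATED, root)
    with tempfile.TemporaryDirectory() as root:
        # Undelegated host: /user.slice is root's; modelled here as absent so the
        # result is the same whether or not this demo itself runs as root.
        os.makedirs(os.path.join(root, "devices"))
        results["not_delegated"] = devices_cgroup_writable(SAMPLE_V1_NO_DELEGATION, root)
        results["v2"] = devices_cgroup_writable(SAMPLE_V2, root)
    return results


if __name__ == "__main__":
    for name, sample in (("no delegation", SAMPLE_V1_NO_DELEGATION),
                         ("delegated", SAMPLE_V1_DELEGATED), ("cgroup v2", SAMPLE_V2)):
        print("%-14s %s" % (name, explain_devices_delegation(sample, "/nonexistent")))
    print("fake cgroupfs:", demo_with_fake_cgroupfs())
    if os.path.exists("/proc/self/cgroup"):  # real verdict for the current user
        with open("/proc/self/cgroup") as fh:
            print("this host:    ", explain_devices_delegation(fh.read()))
```

Run it as the unprivileged user that starts the container, not via sudo, since the writability test is about that user's permissions; on a cgroup v2-only host the devices line is simply absent, which is the "cannot apply" verdict rather than the start failure from the report.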