From 0f44c2849cc6320abd71395b90e6bfe25168140f Mon Sep 17 00:00:00 2001
From: Alexander Larsson
Date: Tue, 20 May 2014 09:28:44 +0200
Subject: [PATCH] cgroups: Allow mknod for any device in systemd cgroup backend
Without this any container startup fails: 2014/05/20 09:20:36 setup mount namespace copy additional dev nodes mknod fuse operation not permitted
Docker-DCO-1.1-Signed-off-by: Alexander Larsson (github: alexlarsson)
---
 libcontainer/cgroups/systemd/apply_systemd.go | 21 +++++++++++++------
 1 file changed, 15 insertions(+), 6 deletions(-)
diff --git a/libcontainer/cgroups/systemd/apply_systemd.go b/libcontainer/cgroups/systemd/apply_systemd.go
index 52940f6..4d6b68b 100644
--- a/libcontainer/cgroups/systemd/apply_systemd.go
+++ b/libcontainer/cgroups/systemd/apply_systemd.go
@@ -174,13 +174,22 @@ func Apply(c *cgroups.Cgroup, pid int) (cgroups.ActiveCgroup, error) {
 path := filepath.Join(mountpoint, cgroup)
- // /dev/pts/*
- if err := ioutil.WriteFile(filepath.Join(path, "devices.allow"), []byte("c 136:* rwm"), 0700); err != nil {
- return nil, err
+ allow := []string{
+ // allow mknod for any device
+ "c *:* m",
+ "b *:* m",
+
+ // /dev/pts/ - pts namespaces are "coming soon"
+ "c 136:* rwm",
+
+ // tuntap
+ "c 10:200 rwm",
 }
- // tuntap
- if err := ioutil.WriteFile(filepath.Join(path, "devices.allow"), []byte("c 10:200 rwm"), 0700); err != nil {
- return nil, err
+
+ for _, val := range allow {
+ if err := ioutil.WriteFile(filepath.Join(path, "devices.allow"), []byte(val), 0700); err != nil {
+ return nil, err
+ }
 }
 }
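Review bot: The two wildcard entries `"c *:* m"` and `"b *:* m"` at the top of the new `allow` slice widen the devices whitelist for every container on the systemd backend, and the comment above them does not record why that is acceptable. In the devices cgroup `m` grants mknod only, so containment here rests on read/write staying limited to the explicit entries (`c 136:*`, `c 10:200`) and, presumably, on a deny-all rule written earlier in `Apply`, which is outside this hunk. I would state that in the comment, e.g. `// mknod only: nodes may be created, but opening them for r/w is still denied except for the entries below`. The loop also returns the bare `WriteFile` error, so a rejected rule cannot be told apart from the others; including `val` in the returned error would help. `Apply` begins and ends outside the hunk.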