Can a highly-privileged container be configured so that /dev is automatically populated with most/all of the host’s devices?
The goal is for the container’s /dev to be similar to the host’s /dev, with access to all of the host’s block devices, GPU, webcam etc. The container should also have access to hot-plugged devices. Halting the container should not halt the host. I am interested in solutions for either lxc or lxd.
The usual, non-automatic, way to add devices to a container is to enumerate the devices in lxc.hook.autodev.
A sufficiently-privileged container can run udev, so I had hoped that udev would populate /dev. But that didn’t work.
The highly-privileged configuration that I tested with an ubuntu-20.04 privileged container is:
    lxc.apparmor.profile = unconfined
    lxc.seccomp.profile =
    lxc.cap.drop =
    lxc.cgroup.devices.deny =
    lxc.cgroup.devices.allow =
    lxc.cgroup.devices.allow = a
    lxc.mount.auto =
    lxc.autodev = 1 # required by systemd
Inside the container I tried running,
udevadm trigger --action=add
but that did not add any entries to /dev.
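As an added example (not part of the question, and not an answer to it), here is a small Python audit that reads an LXC config in the form quoted above and reports which isolation layers it disables: an empty value clears the key in LXC, so `lxc.cap.drop =` keeps every capability and `lxc.seccomp.profile =` turns seccomp off, while `lxc.cgroup.devices.allow = a` opens the device cgroup. The sample config is a constructed copy of the one in the question; stripping trailing `#` comments is an assumption of this parser.

```python
# Constructed sample: the question's privileged configuration, one key per line.
SAMPLE_CONFIG = """\
lxc.apparmor.profile = unconfined
lxc.seccomp.profile =
lxc.cap.drop =
lxc.cgroup.devices.deny =
lxc.cgroup.devices.allow =
lxc.cgroup.devices.allow = a
lxc.mount.auto =
lxc.autodev = 1 # required by systemd
"""


def parse_lxc_config(text):
    """Return (key, value) pairs in file order. Empty values are kept on
    purpose: in LXC an empty assignment clears earlier settings for that key."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # assumption: '#' starts a comment
        if not line or "=" not in line:
            continue
        key, _, value = line.partition("=")
        entries.append((key.strip(), value.strip()))
    return entries


def audit_privileges(text):
    """Return the set of disabled isolation layers. Later lines override
    earlier ones, so only the final state of each key is reported."""
    state = {}
    allow_all_devices = False
    for key, value in parse_lxc_config(text):
        if key == "lxc.apparmor.profile":
            state["apparmor"] = value == "unconfined"
        elif key == "lxc.seccomp.profile":
            state["seccomp"] = value == ""
        elif key == "lxc.cap.drop":
            state["capabilities"] = value == ""
        elif key == "lxc.cgroup.devices.allow":
            # "a" grants every device; an empty value resets the allow list
            allow_all_devices = value == "a" or (allow_all_devices and value != "")
        elif key == "lxc.cgroup.devices.deny" and value == "a":
            allow_all_devices = False
    findings = {layer for layer, disabled in state.items() if disabled}
    if allow_all_devices:
        findings.add("device-cgroup")
    return findings


if __name__ == "__main__":
    print(sorted(audit_privileges(SAMPLE_CONFIG)))
```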