Automatically populating /dev in a highly-privileged container
Can a highly-privileged container be configured so that /dev is automatically populated with most/all of the host’s devices?

The goal is for the container’s /dev to be similar to the host’s /dev, with access to all of the host’s block devices, GPU, webcam etc. The container should also have access to hot-plugged devices. Halting the container should not halt the host. I am interested in solutions for either lxc or lxd.

The usual, non-automatic, way to add devices to a container is to enumerate the devices in lxc.hook.autodev.

A sufficiently-privileged container can run udev, so I had hoped that udev would populate /dev. But that didn’t work.

The highly-privileged configuration that I tested with an ubuntu-20.04 privileged container is:

lxc.apparmor.profile = unconfined
lxc.seccomp.profile =
lxc.cap.drop =
lxc.cgroup.devices.deny =
lxc.cgroup.devices.allow =
lxc.cgroup.devices.allow = a =
lxc.autodev = 1     # required by systemd

Inside the container I tried running,

udevadm trigger --action=add

but that did not add any entries to /dev.