`failed to write a *:* rwm to devices.allow ... operation not permitted` in privileged container

Thanks @stgraber - after also adding `lxc.cap.drop=`, flannel actually works. The raw lxc config now is:

```
lxc.aa_profile=unconfined
lxc.mount.auto=proc:rw sys:rw cgroup:rw
lxc.cgroup.devices.allow=a
lxc.cap.drop=
```