How to pass host /dev file to unprivileged containers

I have created an unprivileged container with non-root user running OpenWrt in Debian Bullseye. However, PPPoE inside the container is not working. I have searched a lot of answers and came up with a pretty clumsy solution

  1. Change the ownership of /dev/ppp (suppose the root user in the container is 100000):
    # chown 100000:100000 /dev/ppp
  2. Modify the container’s config file to bind mount /dev/ppp:
    lxc.mount.entry = /dev/ppp dev/ppp none bind,optional,create=file
  3. Add /dev/ppp via lxc-device:
    $ lxc-device -n container add /dev/ppp

However, every time the system boots, the ownership of /dev/ppp will return to root and I have to change it every time. There are some answers recommend using cgroup, but Debian suggests using cgroup2 and I tried to add
lxc.cgroup2.devices.allow = c 108:0 rwm
to the config file, it does not work. Is there a solution that can work between reboots?

I’m not sure why you have to change the ownership. I’m using this without any other changes and it works just fine:

devices:
  ppp:
    source: /dev/ppp
    type: unix-char

you might want to add the correct module (e.g. pppoe) to config.linux.kernel_modules though to make sure the device is available on boot.

host:

# ls -lah /dev/ppp
crw-------    1 root     root      108,   0 Aug 21 05:35 /dev/ppp

container:

crw-rw----    1 root     root      108,   0 Aug 21 05:35 /dev/ppp

This is because LXD creates a copy of the devices for you with the correct ownership.

With LXC you either have to change the ownership or create a copy of the device and set the ownership on the copy.

1 Like

By copying, do you mean using mknod?

Yes exactly right.