How to pass host /dev file to unprivileged containers

I have created an unprivileged container with a non-root user running OpenWrt on Debian Bullseye. However, PPPoE inside the container is not working. I have searched through a lot of answers and came up with a pretty clumsy solution:

  1. Change the ownership of /dev/ppp (suppose the root user in the container is 100000):
    # chown 100000:100000 /dev/ppp
  2. Modify the container’s config file to bind mount /dev/ppp:
    lxc.mount.entry = /dev/ppp dev/ppp none bind,optional,create=file
  3. Add /dev/ppp via lxc-device:
    $ lxc-device -n container add /dev/ppp

However, every time the system boots, the ownership of /dev/ppp reverts to root and I have to change it again. Some answers recommend using cgroup, but Debian suggests using cgroup2, and I tried adding
lxc.cgroup2.devices.allow = c 108:0 rwm
to the config file, but it does not work. Is there a solution that keeps working across reboots?

I’m not sure why you have to change the ownership. I’m using this without any other changes and it works just fine:

devices:
  ppp:
    source: /dev/ppp
    type: unix-char

You might want to add the correct module (e.g. pppoe) to config.linux.kernel_modules, though, to make sure the device is available on boot.

host:

# ls -lah /dev/ppp
crw-------    1 root     root      108,   0 Aug 21 05:35 /dev/ppp

container:

crw-rw----    1 root     root      108,   0 Aug 21 05:35 /dev/ppp

This is because LXD creates a copy of the devices for you with the correct ownership.

With LXC you either have to change the ownership or create a copy of the device and set the ownership on the copy.


By copying, do you mean using mknod?

Yes exactly right.
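The "copy of the device" approach from the last replies, written out as an added example (not code from the thread or from LXC): a pre-start hook that recreates a private /dev/ppp node owned by the container's mapped root before every start, so the ownership no longer reverts after a host reboot. The hook script path, the /var/lib/lxc/container/devs directory and the idmap line are assumptions; the mount entry and cgroup2 rule are the ones from the question, pointed at the copy instead of the host's /dev/ppp.

```shell
#!/bin/sh
# Added example, not from the thread: an LXC pre-start hook that gives an
# unprivileged container its own copy of /dev/ppp (char 108:0) owned by the
# container's mapped root, so the ownership survives host reboots.
# Assumed container config (paths are placeholders):
#   lxc.idmap = u 0 100000 65536
#   lxc.hook.pre-start = /usr/local/sbin/ppp-dev-copy.sh
#   lxc.mount.entry = /var/lib/lxc/container/devs/ppp dev/ppp none bind,optional,create=file
#   lxc.cgroup2.devices.allow = c 108:0 rwm
set -eu

# map_uid <container_uid> <idmap_line>
# Translate a container uid to the host uid via "lxc.idmap = u <cstart> <hstart> <count>".
map_uid() {
  cuid=$1
  set -- $(printf '%s\n' "$2" | sed 's/.*= *//')      # -> u cstart hstart count
  [ "$1" = u ] || { echo "not a uid map: $*" >&2; return 1; }
  if [ "$cuid" -lt "$2" ] || [ "$cuid" -ge $(( $2 + $4 )) ]; then
    echo "container uid $cuid is outside the map" >&2; return 1
  fi
  echo $(( cuid - $2 + $3 ))
}

# dev_copy_cmds <dest_dir> <host_uid>
# Commands that create a private ppp node and hand it to the mapped root.
dev_copy_cmds() {
  printf 'mknod -m 600 %s/ppp c 108 0\n' "$1"        # 600: no other host user gets the channel
  printf 'chown %s:%s %s/ppp\n' "$2" "$2" "$1"
}

# create_dev_copy <dest_dir> <host_uid>
# Recreate the node and verify type, major:minor and owner (stat prints major/minor in hex).
create_dev_copy() {
  mkdir -p "$1"
  rm -f "$1/ppp"
  dev_copy_cmds "$1" "$2" | sh -eu
  [ "$(stat -c '%F %t:%T %u' "$1/ppp")" = "character special file 6c:0 $2" ]
}

# Hook entry point: LXC exports LXC_CONFIG_FILE to hooks; without it (e.g. when
# run by hand) only print what would be done, since mknod needs root.
IDMAP=$(grep '^lxc.idmap *= *u ' "${LXC_CONFIG_FILE:-/dev/null}" | head -n 1)
: "${IDMAP:=lxc.idmap = u 0 100000 65536}"            # constructed fallback for the demo
HOST_ROOT=$(map_uid 0 "$IDMAP")                        # -> 100000
if [ -n "${LXC_CONFIG_FILE:-}" ] && [ "$(id -u)" -eq 0 ]; then
  create_dev_copy /var/lib/lxc/container/devs "$HOST_ROOT"
else
  dev_copy_cmds /var/lib/lxc/container/devs "$HOST_ROOT"
fi
```

Run by hand it only prints the mknod and chown commands for the mapped uid; as an lxc.hook.pre-start it creates and verifies the node on the host.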