Kubernetes cluster doesn't start properly in LXD unless lxc.cgroup.devices.allow=a

I’m trying to set up Nvidia’s Clara SDK in an LXD Ubuntu 18.04 container. In order for it to launch properly, it requires lxc.cgroup.devices.deny=a

I’m trying to not expose all devices to the container. Is there something that I’m missing in regards to cni0 and flannel.1?

Debugging:
With the lxc.cgroup.devices.deny=a
172.17.0.1 (docker0)
10.21.152.10 (eth0)

With the lxc.cgroup.devices.allow=a
172.17.0.1 (docker0)
10.244.0.1 (cni0)
10.244.0.0 (flannel.1)
10.21.152.10 (eth0)

-------------- Below is the config
config:
  limits.cpu: "4"
  limits.memory: 8GB
  linux.kernel_modules: xt_conntrack,ip_tables,ip6_tables,netlink_diag,nf_nat,overlay
  raw.lxc: "lxc.apparmor.profile=unconfined\nlxc.cgroup.devices.allow=a\nlxc.cgroup.devices.allow=c : m\nlxc.cgroup.devices.allow=b : m\nlxc.cgroup.devices.allow=c 195:7 rwm\nlxc.cgroup.devices.allow=c 5:1 rwm\nlxc.cgroup.devices.allow=c 10:229 rwm\nlxc.cgroup.devices.allow=c 1:3 rwm\nlxc.cgroup.devices.allow=c 5:2 rwm\nlxc.cgroup.devices.allow=c 136:* rwm\nlxc.cgroup.devices.allow=c 1:8 rwm\nlxc.cgroup.devices.allow=c 254:0 rwm\nlxc.cgroup.devices.allow=c 5:0 rwm\nlxc.cgroup.devices.allow=c 1:9 rwm\nlxc.cgroup.devices.allow=c 1:5 rwm\nlxc.cgroup.devices.allow = c 4:0 rwm\nlxc.cgroup.devices.allow = c 195:254 rwm\nlxc.cgroup.devices.allow = c 195:255 rwm\nlxc.cgroup.devices.allow = c 235:0 rwm\nlxc.cgroup.devices.allow = c 235:1 rwm\nlxc.cgroup.devices.allow = c 10:241 rwm\nlxc.cgroup.devices.allow = c 10:200 rwm\nlxc.cgroup.devices.allow = c 10:238 rwm\nlxc.cap.drop=\nlxc.mount.auto=proc:rw sys:rw\nlxc.mount.entry=/dev/kmsg dev/kmsg none defaults,bind,create=file"
  security.nesting: "true"
  security.privileged: "true"
description: Kubernetes LXD profile
devices:
  eth0:
    name: eth0
    nictype: bridged
    parent: lxdbr0
    type: nic
  kvm:
    path: /dev/kvm
    type: unix-char
  tun:
    path: /dev/net/tun
    type: unix-char
  root:
    path: /
    pool: local
    type: disk
  vhost-net:
    mode: "0600"
    path: /dev/vhost-net
    type: unix-char
  vhost-vsock:
    path: /dev/vhost-vsock
    type: unix-char
name: kubernetes
used_by:
- /1.0/instances/clara-deploy-sdk
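An added example, not part of the original post: a small Python check that parses a raw.lxc value of the kind shown in the profile above and reports which device-cgroup and confinement settings are broad. The function name `audit_raw_lxc` and the shortened sample string are assumptions constructed for illustration.

```python
import re

# Constructed sample: a shortened raw.lxc value in the same form as the profile
# above, after YAML has turned "\n" into real newlines. The "c : m" line is
# copied as it is rendered on the page.
SAMPLE_RAW_LXC = (
    "lxc.apparmor.profile=unconfined\n"
    "lxc.cgroup.devices.allow=a\n"
    "lxc.cgroup.devices.allow=c : m\n"
    "lxc.cgroup.devices.allow=c 195:7 rwm\n"
    "lxc.cgroup.devices.allow=c 136:* rwm\n"
    "lxc.cgroup.devices.allow = c 10:200 rwm\n"
    "lxc.cap.drop=\n"
)

# Device cgroup rule: "<b|c> <major|*>:<minor|*> <access>", access drawn from r, w, m.
RULE = re.compile(r"^([bc])\s+(\*|\d+):(\*|\d+)\s+([rwm]{1,3})$")

def audit_raw_lxc(raw):
    """Return (device_rules, findings) for a raw.lxc string."""
    rules, findings = [], []
    for line in raw.splitlines():
        key, sep, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if not sep:
            continue
        if key in ("lxc.cgroup.devices.allow", "lxc.cgroup.devices.deny"):
            action = key.rsplit(".", 1)[1]
            if value == "a":  # "a" means every device, all access types
                rules.append((action, "a", "*", "*", "rwm"))
                if action == "allow":
                    findings.append("allow=a permits every device; specific allow rules add nothing")
                continue
            m = RULE.match(value)
            if not m:
                findings.append(f"unparsed device rule: {value!r}")
                continue
            rules.append((action,) + m.groups())
            if action == "allow" and "*" in m.groups()[1:3]:
                findings.append(f"wildcard allow: {value}")
        elif key == "lxc.apparmor.profile" and value == "unconfined":
            findings.append("AppArmor confinement disabled")
        elif key == "lxc.cap.drop" and value == "":
            findings.append("empty lxc.cap.drop clears the drop list; no capabilities dropped")
    return rules, findings
```

Running it over the full raw.lxc string from a profile shows at a glance whether the per-device allow lines are doing any work or are overridden by a blanket rule.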