Kvm nested in LXC, problem accessing /dev/kvm inside lxc - Debian11

shadeimi · April 29, 2022, 8:19am

As root on the container:
root@Android10 ~# cat init.sh

mknod /dev/kvm c 10 232
chmod 777 /dev/kvm
chown root:kvm /dev/kvm
mkdir -p /dev/net
mknod /dev/net/tun c 10 200
chmod 777 /dev/net/tun
chown root:root /dev/net/tun

usermod -aG docker root
usermod -aG docker android

usermod -aG kvm root
usermod -aG kvm android

docker run --privileged -d -p 6080:6080 -p 5554:5554 -p 5555:5555 -e DEVICE=“Samsung Galaxy S10” f48b3c678d6a

got:

root@Android10 ~# docker exec -it nifty_rhodes tail -f /var/log/supervisor/docker-android.stderr.log
The KVM line in /etc/group is: [kvm:x:104:]

If the current user has KVM permissions,
the KVM line in /etc/group should end with “:” followed by your username.

If we see LINE_NOT_FOUND, the kvm gr
More info on configuring VM acceleration on Linux:

General information on acceleration: https://developer.android.com/studio/run/emulator-acceleration.

kvm:x:102:root,android is present into /etc/group

LXC config for container
root@qatesting:/var/lib/lxc/105# cat config
lxc.cgroup.relative = 0
lxc.cgroup.dir.monitor = lxc.monitor/105
lxc.cgroup.dir.container = lxc/105
lxc.cgroup.dir.container.inner = ns
lxc.arch = amd64
lxc.include = /usr/share/lxc/config/debian.common.conf
lxc.apparmor.profile = generated
lxc.apparmor.allow_nesting = 1
lxc.apparmor.raw = mount fstype=fuse,
lxc.mount.entry = /dev/fuse dev/fuse none bind,create=file 0 0
lxc.monitor.unshare = 1
lxc.tty.max = 2
lxc.environment = TERM=linux
lxc.uts.name = Android10
lxc.cgroup2.memory.max = 17179869184
lxc.cgroup2.memory.swap.max = 8589934592
lxc.rootfs.path = /var/lib/lxc/105/rootfs
lxc.net.0.type = veth
lxc.net.0.veth.pair = veth105i0
lxc.net.0.hwaddr = B2:C9:5A:55:FC:6A
lxc.net.0.name = eth0
lxc.net.0.script.up = /usr/share/lxc/lxcnetaddbr
lxc.cgroup2.cpuset.cpus = 5,7-8,20-21,26,28,30

cat /usr/share/lxc/config/debian.common.conf

This derives from the global common config

lxc.include = /usr/share/lxc/config/common.conf

Doesn’t support consoles in /dev/lxc/

lxc.tty.dir =

When using LXC with apparmor, the container will be confined by default.

If you wish for it to instead run unconfined, copy the following line

(uncommented) to the container’s configuration file.

lxc.apparmor.profile = unconfined

If you wish to allow mounting block filesystems, then use the following

line instead, and make sure to grant access to the block device and/or loop

devices below in lxc.cgroup.devices.allow.

lxc.apparmor.profile = lxc-container-default-with-mounting

Extra cgroup device access

rtc

LXC.cgroup.devices.allow = c 254:0 rm

tun

LXC.cgroup.devices.allow = c 10:200 rwm

hpet

LXC.cgroup.devices.allow = c 10:228 rwm

kvm

LXC.cgroup.devices.allow = c 10:232 rwm

To use loop devices, copy the following line to the container’s

configuration file (uncommented).

LXC.cgroup.devices.allow = b 7:* rwm

lxc.cgroup.devices.allow = a
lxc.cap.drop =
lxc.cgroup.devices.allow = c : m
lxc.cgroup.devices.allow = b : m
lxc.cgroup.devices.allow = c 1:3 rwm
lxc.cgroup.devices.allow = c 1:5 rwm
lxc.cgroup.devices.allow = c 5:0 rwm
lxc.cgroup.devices.allow = c 5:1 rwm
lxc.cgroup.devices.allow = c 1:8 rwm
lxc.cgroup.devices.allow = c 1:9 rwm
lxc.cgroup.devices.allow = c 5:2 rwm
lxc.cgroup.devices.allow = c 136:* rwm
lxc.cgroup.devices.allow = c 254:0 rm
lxc.cgroup.devices.allow = c 10:229 rwm
lxc.cgroup.devices.allow = c 10:200 rwm
lxc.cgroup.devices.allow = c 1:7 rwm
lxc.cgroup.devices.allow = c 10:228 rwm
lxc.cgroup.devices.allow = c 10:232 rwm

** uname -a **
Linux qatesting 5.13.19-2-pve #1 SMP PVE 5.13.19-4 (Mon, 29 Nov 2021 12:10:09 +0100) x86_64 GNU/Linux

I’m working on an unprivileged container with fuse=1 and nesting=1 via Proxmox. Could anyone help me?