Lxc cgroup devices deny usseless

LXC version:3.2.1

1. First show my config:

# CGroup whitelist
lxc.cgroup.devices.deny = a
## Allow any mknod (but not reading/writing the node)
lxc.cgroup.devices.allow = c *:* m
lxc.cgroup.devices.allow = b *:* m

I have not give allow to device “c 248:2 rwm” --> /dev/ttyO2

2. Then I create and start my container named test2

3. after container running I add /dev/ttyO2 to test2

# lxc-device -n test2 add /dev/ttyO2

4.test2 should not allow to open /dev/ttyO2,but it can be open

5. Then i del /dev/ttyO2 to test2 from test2

# lxc-device -n test2 del /dev/ttyO2

6. Then add it again

# lxc-device -n test2 add /dev/ttyO2

7. Then open /dev/ttyO2 in container test2 again return "Operation not permitted"

I am very puzzled.I need help.

lxc-device is meant to inject a new device in the container and make it usable by it, as a result, the internal API call add_device_node both passes the device AND allows access to it through cgroups.

Thanks very much!

I configure "lxc.cgroup.devices.deny = a" that not allow device to read and write in container. As I have not configure "lxc.cgroup.devices.allow = c 248:2 rwm" for/dev/ttyO2 to be allowed to read and write in my container. When I use # lxc-device -n test2 add /dev/ttyO2 move the device to the container. It should not allowed to be read and write.
How can I solve this problem?


Add more .
After I lxc-device -n test2 del /dev/ttyO2 and lxc-device -n test2 add /dev/ttyO2 again ,then I try to open the /dev/ttyO2 it return "Operation not permitted". This is my problem.