Hi all,
cgroup2 does not implement a device cgroup controller any more. I’m wondering what the practical implications of this are, since Ubuntu 22.04 defaults to the unified hierarchy.
- Can a privileged container do whatever it wants with device nodes in cgroup2?
- On cgroupv1, do I get full device node access from a privileged container if I don’t compile the devices cgroup controller into the kernel?
- What happens if I have some “lxc.cgroup.devices.allow” stanzas inside LXD profiles? They don’t seem to hurt, I only got into trouble once I tried running LXD 3 containers within LXD 4 containers…
I’m doing a funny migration from Ubuntu 18.04 (LXD 3 .deb) to 22.04 (LXD 4 homegrown .deb) with a slightly dated 4.9 kernel.
Thanks!
Christoph