Writing to /dev/nipalk. Permission Not Permitted

Hi!

I am trying to use a VISA driver provided by National Instruments from within an LXC container.

Problem: I am getting ‘Operation not permitted’ when trying to write to the driver’s platform abstraction layer (in the form of /dev/nipalk).

root@agent-ubuntu:/home/agent/build# echo 0 > /dev/nipalk
bash: /dev/nipalk: Operation not permitted

I tried installing and using the driver on my native OS, which worked fine. In theory, the driver should just work with the underlying TCP/IP socket, and using the raw TCP/IP socket works in the container, so I don’t think anything is inherently preventing it from working, and it’s a matter of giving it the appropriate access rights.

Also quickly checking the owner and group, I don’t see anything obviously wrong.
crw-rw-rw- 1 root root 509, 0 Dec 5 01:24 nipalk

root@agent-ubuntu:/home/agent/build# whoami
root

I have read several threads which mention concepts like uid mapping and cgroup settings, which are still relatively unfamiliar to me. So I am hoping I could get some help here on checking these configs in case that’s what I am missing.

I will also post on the National Instruments forum, but I feel like this problem could be more on the LXC side.

Thanks!

LXC config below:

lxc.include = /usr/share/lxc/config/common.conf
lxc.arch = linux64
# Container specific configuration
# Network configuration
lxc.net.0.type = veth
lxc.net.0.link = lxcbr0
lxc.net.0.flags = up
lxc.net.0.hwaddr = 00:16:3e:13:ea:77
lxc.net.1.type = veth
lxc.net.1.flags = up
lxc.net.1.link = br-1
lxc.net.1.ipv4.address = 192.168.1.3/24
lxc.net.2.type = veth
lxc.net.2.flags = up
lxc.net.2.link = br-1
lxc.net.2.ipv4.address = 169.254.64.3/24
lxc.rootfs.path = dir:/var/lib/lxc/agent-ubuntu/rootfs
lxc.uts.name = agent-ubuntu

Setup info:
Host OS: Ubuntu 20.04
Container OS: Ubuntu 22.04

If this thing is an actual device, you’re going to need a lxc.cgroup.devices.allow or lxc.cgroup2.devices.allow entry for it (depending on whether your system uses cgroupv1 or cgroupv2).

By default, you’re only allowed to create device nodes (mknod) but not interact with them without an allow entry for it.
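
An added example, not part of the original thread: a shell helper, run on the host, that turns the ls -l line of a device node into the allow entry described in the reply above, picking the cgroup v1 or v2 key by checking for cgroup.controllers. The function names and the default rwm access string are assumptions of this example; the sample line is the one quoted in the question.

```shell
#!/bin/sh
# Added example (not from the thread): build the LXC device allow entry
# for a device node from its `ls -l` line.

# Pick the config key. A pure cgroup v2 (unified) host exposes
# cgroup.controllers at the cgroup root; v1 and hybrid hosts do not.
# $1 = cgroup root, overridable for testing (hypothetical parameter).
cgroup_key() {
    root="${1:-/sys/fs/cgroup}"
    if [ -f "$root/cgroup.controllers" ]; then
        echo "lxc.cgroup2.devices.allow"
    else
        echo "lxc.cgroup.devices.allow"
    fi
}

# Parse an `ls -l` line into "<type> <major>:<minor>".
# Fails (exit 1) for anything that is not a char or block device.
dev_from_ls() {
    printf '%s\n' "$1" | awk '{
        t = substr($1, 1, 1); maj = $5; sub(/,$/, "", maj)
        if ((t != "c" && t != "b") || maj !~ /^[0-9]+$/ || $6 !~ /^[0-9]+$/) exit 1
        print t, maj ":" $6
    }'
}

# $1 = ls -l line, $2 = access flags (r, w, m; default rwm), $3 = cgroup root
allow_entry() {
    dev=$(dev_from_ls "$1") || { echo "not a device node: $1" >&2; return 1; }
    echo "$(cgroup_key "$3") = $dev ${2:-rwm}"
}

# Sample input: the listing quoted in the question.
SAMPLE='crw-rw-rw- 1 root root 509, 0 Dec 5 01:24 nipalk'
allow_entry "$SAMPLE"

# Live use on the host would be: allow_entry "$(ls -l /dev/nipalk)"
```

The printed line goes into the container's config file next to the other lxc.* entries, and the container has to be restarted for it to apply. Granting only the flags the driver needs (for example rw instead of rwm) keeps the device exposure narrower.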

Ayy! That’s what I was missing. Thank you!