cmspam / incus-docker

A project to run incus in docker/podman
Apache License 2.0

podman incus container corrupts the device files on the host #4

Closed r3flow closed 6 months ago

r3flow commented 6 months ago

Almalinux 9.3. The container was created by running the exact "podman run" command given in the readme file. Then host reboot. The most problematic part is changing the /dev/null permissions on the host, which breaks everything.

# ls -al /dev > /tmp/pre

# podman start incus
incus

# sleep 5

# ls -al /dev > /tmp/post

# diff -Nau /tmp/pre /tmp/post 
--- /tmp/pre
+++ /tmp/post
@@ -7,7 +7,7 @@
 drwxr-xr-x   2 root root          80 May  4 19:46 bsg
 drwxr-xr-x   3 root root          60 May  4 19:45 bus
 lrwxrwxrwx   1 root root           3 May  4 19:46 cdrom -> sr0
-drwxr-xr-x   2 root root        3040 May  4 19:46 char
+drwxr-xr-x   2 root root        3060 May  4 19:46 char
 crw--w----   1 root tty       5,   1 May  4 19:46 console
 lrwxrwxrwx   1 root root          11 May  4 19:45 core -> /proc/kcore
 drwxr-xr-x   4 root root          80 May  4 19:45 cpu
@@ -40,12 +40,12 @@
 drwxrwxrwt   2 root root          40 May  4 19:45 mqueue
 drwxr-xr-x   2 root root          60 May  4 19:46 net
 crw-------   1 root root    240,   0 May  4 19:46 ng0n1
-crw-rw-rw-   1 root root      1,   3 May  4 19:46 null
+crw--w----   1 root tty       1,   3 May  4 19:46 null
 crw-------   1 root root    241,   0 May  4 19:46 nvme0
 brw-rw----   1 root disk    259,   0 May  4 19:46 nvme0n1
 brw-rw----   1 root disk    259,   1 May  4 19:46 nvme0n1p1
 brw-rw----   1 root disk    259,   2 May  4 19:46 nvme0n1p2
-crw-------   1 root root     10, 144 May  4 19:46 nvram
+crw-r-----   1 root man      10, 144 May  4 19:46 nvram
 crw-r-----   1 root kmem      1,   4 May  4 19:46 port
 crw-------   1 root root    108,   0 May  4 19:46 ppp
 crw-rw-rw-   1 root tty       5,   2 May  4 19:46 ptmx
@@ -57,7 +57,7 @@
 brw-rw----   1 root disk      8,   0 May  4 19:46 sda
 crw-rw----+  1 root cdrom    21,   0 May  4 19:46 sg0
 crw-rw----   1 root disk     21,   1 May  4 19:46 sg1
-drwxrwxrwt   2 root root          40 May  4 19:45 shm
+drwxrwxrwt   2 root root          60 May  4 19:46 shm
 crw-------   1 root root     10, 231 May  4 19:46 snapshot
 drwxr-xr-x   2 root root          80 May  4 19:46 snd
 brw-rw----+  1 root cdrom    11,   0 May  4 19:46 sr0
@@ -165,8 +165,8 @@
 drwxr-xr-x   2 root root          60 May  4 19:46 vfio
 crw-------   1 root root     10, 127 May  4 19:46 vga_arbiter
 crw-------   1 root root     10, 137 May  4 19:46 vhci
-crw-rw-rw-   1 root kvm      10, 238 May  4 19:46 vhost-net
-crw-rw-rw-   1 root kvm      10, 241 May  4 19:46 vhost-vsock
+crw-rw----   1 root     103  10, 238 May  4 19:46 vhost-net
+crw-rw----   1 root     103  10, 241 May  4 19:46 vhost-vsock
 crw-------   1 root root     10, 123 May  4 19:46 vmci
 crw-rw-rw-   1 root root     10, 122 May  4 19:46 vsock
 crw-rw-rw-   1 root root      1,   5 May  4 19:46 zero
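As an added example (not code from the incus-docker project or from the reporter), the ls/diff check above turned into a repeatable audit: snapshot_dev records each /dev node's mode and ownership with stat, compare_dev diffs two snapshots, and check_critical_dev flags nodes such as /dev/null that must stay world read/write for unprivileged processes to work. The snapshots embedded below are constructed to mirror the report, and the find/stat options assume GNU coreutils.

```shell
#!/bin/sh
# Added example, not the incus-docker project's code.

# Record one line per /dev node: path, symbolic mode, owner, group.
# Usage: snapshot_dev /dev > /tmp/pre  (run before and after starting the container)
snapshot_dev() {
    find "$1" -mindepth 1 -maxdepth 1 -exec stat -c '%n %A %U %G' {} + | sort
}

# Compare two snapshots; prints CHANGED/ADDED/REMOVED lines, nothing if identical.
compare_dev() {
    awk 'NR == FNR { pre[$1] = $2 " " $3 " " $4; next }
         {
             post = $2 " " $3 " " $4
             if (!($1 in pre))         print "ADDED " $1 " " post
             else if (pre[$1] != post) print "CHANGED " $1 " " pre[$1] " -> " post
             seen[$1] = 1
         }
         END { for (p in pre) if (!(p in seen)) print "REMOVED " p " " pre[p] }' "$1" "$2" | sort
}

# Nodes that must stay crw-rw-rw-; prints any that deviate, exit status 1 if any do.
check_critical_dev() {
    awk 'BEGIN { n = split("/dev/null /dev/zero /dev/full /dev/random /dev/urandom /dev/tty /dev/ptmx", want, " ")
                 for (i = 1; i <= n; i++) need[want[i]] = 1 }
         ($1 in need) && $2 != "crw-rw-rw-" { print "BAD " $1 " " $2 " " $3 " " $4; bad = 1 }
         END { exit bad ? 1 : 0 }' "$1"
}

# Constructed snapshots modelled on the report above (not real captures).
PRE=$(mktemp); POST=$(mktemp)
cat > "$PRE" <<'EOF'
/dev/null crw-rw-rw- root root
/dev/nvram crw------- root root
/dev/vhost-net crw-rw-rw- root kvm
/dev/zero crw-rw-rw- root root
EOF
cat > "$POST" <<'EOF'
/dev/null crw--w---- root tty
/dev/nvram crw-r----- root man
/dev/vhost-net crw-rw---- root 103
/dev/zero crw-rw-rw- root root
EOF

compare_dev "$PRE" "$POST"
check_critical_dev "$POST" || echo "critical /dev node permissions altered; processes opening /dev/null will fail"
```

On a live host, replace the constructed files with `snapshot_dev /dev > /tmp/pre`, start the container, then `snapshot_dev /dev > /tmp/post` and run the two checks on those.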

cmspam commented 6 months ago

Thank you for bringing it to my attention. I will work now to fix the issue. Hopefully I will have a fix shortly and will let you know.

cmspam commented 6 months ago

The issue was caused by using systemd init, which was in order to work around an issue with unified cgroups not allowing processor allocation limits to containers. I have reverted to the older way of running incusd directly, which doesn't touch your /dev at all, as the problem this introduced is worse than the issue it solved.

Please feel free to try it. The command will have changed a bit; the README is also updated.

Resolved via commit https://github.com/cmspam/incus-docker/commit/97606911dd2d879f8f2f3d3cd8e47cc13660a339