nestybox / sysbox

An open-source, next-generation "runc" that empowers rootless containers to run workloads such as Systemd, Docker, Kubernetes, just like VMs.
Apache License 2.0

Ensure all devices under /dev show up with proper ownership #850

Open ctalledo opened 1 week ago

ctalledo commented 1 week ago

Inside a Sysbox container, some devices show up with nobody:nogroup ownership:

/ # ls -l /dev | grep nobody
crw-rw-rw-    1 nobody   nobody      1,   7 Oct 10 01:13 full
crw-rw-rw-    1 nobody   nobody      1,   3 Oct 10 01:13 kmsg
drwxrwxrwt    2 root     nobody          40 Oct 10 02:11 mqueue
crw-rw-rw-    1 nobody   nobody      1,   3 Oct 10 01:13 null
crw-rw-rw-    1 nobody   nobody      1,   8 Oct 10 01:13 random
crw-rw-rw-    1 nobody   nobody      5,   0 Oct 10 02:41 tty
crw-rw-rw-    1 nobody   nobody      1,   9 Oct 10 01:13 urandom
crw-rw-rw-    1 nobody   nobody      1,   5 Oct 10 01:13 zero

This is not ideal and sometimes causes problems (e.g., issue #839).

Ideally all these devices would show up with root:root ownership, as they would on a real host.

This likely requires that Sysbox intercept the mknod system call inside the container, as otherwise this syscall is blocked within the Sysbox container's user namespace.
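
The nobody:nobody ownership in the listing above is the kernel's overflow id (65534) standing in for a uid/gid that the container's user namespace does not map. The following is an added example, not part of this issue or of the Sysbox code base: a small checker that parses saved `ls -l /dev` output (the report's lines are embedded as constructed input) and flags entries whose owner or group resolves to an unmapped id, plus a live variant that compares `st_uid`/`st_gid` against `/proc/sys/kernel/overflowuid` and `overflowgid`. The name set `UNMAPPED_NAMES`, the `DevEntry` type and the function names are this example's own assumptions.

```python
"""Flag device nodes whose ownership resolves to an unmapped id.

Inside a user namespace, a file owned by a uid/gid the namespace does not map
is reported as the kernel overflow id (65534, usually printed as nobody or
nogroup). This example spots such entries either from saved `ls -l` output or
from a live /dev tree.
"""
import os
import re
from dataclasses import dataclass
from typing import List, Optional

# How the overflow id typically prints; an assumption of this example, extend
# it if your base image resolves 65534 to a different name.
UNMAPPED_NAMES = {"nobody", "nogroup"}

# Constructed input: the `ls -l /dev | grep nobody` lines from the report above.
SAMPLE_LS = """\
crw-rw-rw-    1 nobody   nobody      1,   7 Oct 10 01:13 full
crw-rw-rw-    1 nobody   nobody      1,   3 Oct 10 01:13 kmsg
drwxrwxrwt    2 root     nobody          40 Oct 10 02:11 mqueue
crw-rw-rw-    1 nobody   nobody      1,   3 Oct 10 01:13 null
crw-rw-rw-    1 nobody   nobody      1,   8 Oct 10 01:13 random
crw-rw-rw-    1 nobody   nobody      5,   0 Oct 10 02:41 tty
crw-rw-rw-    1 nobody   nobody      1,   9 Oct 10 01:13 urandom
crw-rw-rw-    1 nobody   nobody      1,   5 Oct 10 01:13 zero
"""

# mode, link count, owner, group, then either "major, minor" (devices) or a
# byte size (everything else), then a month/day/time stamp and the name.
LS_RE = re.compile(
    r"^(?P<mode>[-bcdlps][rwxstT-]{9})\s+\d+\s+(?P<owner>\S+)\s+(?P<group>\S+)\s+"
    r"(?:(?P<major>\d+),\s*(?P<minor>\d+)|(?P<size>\d+))\s+"
    r"\S+\s+\d+\s+[\d:]+\s+(?P<name>.+)$"
)


@dataclass
class DevEntry:
    name: str
    mode: str
    owner: str
    group: str
    major: Optional[int] = None
    minor: Optional[int] = None

    @property
    def is_device(self) -> bool:
        """True for character ('c') or block ('b') special files."""
        return self.mode[0] in "bc"

    @property
    def unmapped(self) -> List[str]:
        """Which of owner/group print as an unmapped id: 'owner', 'group' or both."""
        hits = []
        if self.owner in UNMAPPED_NAMES:
            hits.append("owner")
        if self.group in UNMAPPED_NAMES:
            hits.append("group")
        return hits


def parse_ls(text: str) -> List[DevEntry]:
    """Parse `ls -l` output; lines that do not match the layout are skipped."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("total"):
            continue
        m = LS_RE.match(line)
        if not m:
            continue  # better to skip than to misreport an unfamiliar line
        major = int(m["major"]) if m["major"] else None
        minor = int(m["minor"]) if m["minor"] else None
        entries.append(DevEntry(m["name"], m["mode"], m["owner"], m["group"], major, minor))
    return entries


def unmapped_entries(text: str) -> List[DevEntry]:
    """Entries from saved `ls -l` output whose owner or group is unmapped."""
    return [e for e in parse_ls(text) if e.unmapped]


def overflow_ids() -> tuple:
    """Read the kernel's overflow uid/gid; fall back to the conventional 65534."""
    ids = []
    for key in ("overflowuid", "overflowgid"):
        try:
            with open(f"/proc/sys/kernel/{key}") as f:
                ids.append(int(f.read().strip()))
        except (OSError, ValueError):
            ids.append(65534)
    return tuple(ids)


def scan_dev(path: str = "/dev") -> List[str]:
    """Live check: names directly under `path` owned by the overflow uid or gid."""
    ovf_uid, ovf_gid = overflow_ids()
    found = []
    for name in sorted(os.listdir(path)):
        st = os.lstat(os.path.join(path, name))
        if st.st_uid == ovf_uid or st.st_gid == ovf_gid:
            found.append(name)
    return found


if __name__ == "__main__":
    for e in unmapped_entries(SAMPLE_LS):
        kind = "device" if e.is_device else "non-device"
        print(f"{e.name}: {kind}, unmapped {'/'.join(e.unmapped)}")
```

Run `scan_dev()` from inside a container to get the same list for the live `/dev`; an empty result after the proposed change (devices created as root:root inside the container's user namespace) is the condition this issue asks for.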

rodnymolina commented 1 week ago

Either that, or we run mknod in the init namespaces (through sys-mgr) and bind-mount these nodes into each container. I like the idea of intercepting mknod though since it offers a better virtual-host abstraction.