
I want to allow my libvirt/lxc containers to use the tun/tap device. For a running container I can add it to the allowed devices with:

# echo "c 10:200 rwm" > /sys/fs/cgroup/devices/libvirt/lxc/client-1/devices.allow

resulting in:

# cat /sys/fs/cgroup/devices/libvirt/lxc/client-1/devices.list
c 1:3 rwm
c 1:5 rwm
c 1:7 rwm
c 1:8 rwm
c 1:9 rwm
c 5:0 rwm
c 5:2 rwm
c 136:* rwm
c 10:200 rwm

However, I'm having some difficulties making this the default setting for every container.

Googling shows that changing /etc/cgconfig.conf to

group libvirt/lxc {
    devices {
            devices.allow="c 10:200 rwm";
    }
}

should fix it, but it doesn't (even after restarting the involved services, libvirtd and cgconfig, in every possible order).

I played around a bit with the cgroup.clone_children setting, but it doesn't help.

My questions are:

1. How do I add this device as a default allow for every libvirt/lxc container?

2. What process is responsible for the default allowed list?

c 1:3 rwm
c 1:5 rwm
c 1:7 rwm
c 1:8 rwm
c 1:9 rwm
c 5:0 rwm
c 5:2 rwm
c 136:* rwm

All packages are from an up-to-date Fedora 18 system.

Zabuzzman
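The devices.list entries above follow the cgroup v1 devices-controller format: a type (c, b or a for all), major:minor with * as a wildcard, and an access string drawn from r, w, m. The script below is an added illustration, not code from the question or the answer: it parses that format, reports whether a list grants a given device node (for /dev/net/tun, character device 10:200), and lists entries a container was granted beyond the default baseline, which is the check you want before and after changing devices.allow. It assumes only a POSIX sh and grep; the two lists are constructed from the entries shown in the question and nothing here reads /sys/fs/cgroup.

```shell
#!/bin/sh
# Added example (not code from the question or answer): parse the cgroup v1
# devices.list format, decide whether a list grants access to a device node,
# and diff a container's list against the default baseline. The lists below
# are constructed strings copied from the question; nothing reads /sys/fs/cgroup.

# Default whitelist a fresh container gets, as shown in the question.
DEFAULT_LIST='c 1:3 rwm
c 1:5 rwm
c 1:7 rwm
c 1:8 rwm
c 1:9 rwm
c 5:0 rwm
c 5:2 rwm
c 136:* rwm'

# The same list after "c 10:200 rwm" (/dev/net/tun) was written to devices.allow.
TUN_LIST="$DEFAULT_LIST
c 10:200 rwm"

# field_matches WANT HAVE: HAVE is a major or minor from an entry; "*" is a wildcard.
field_matches() {
    [ "$2" = "*" ] || [ "$1" = "$2" ]
}

# access_covered WANT HAVE: every letter of WANT (a subset of rwm) appears in HAVE.
access_covered() {
    for bit in r w m; do
        case $1 in
            *$bit*) case $2 in *$bit*) ;; *) return 1 ;; esac ;;
        esac
    done
    return 0
}

# device_allowed TYPE MAJOR MINOR ACCESS LIST
# Exit 0 when LIST has an entry covering TYPE MAJOR:MINOR with all of ACCESS.
# Follows the cgroup v1 rule that a single entry must grant every requested
# bit; an entry of type "a" matches any device type.
device_allowed() {
    want_type=$1; want_major=$2; want_minor=$3; want_access=$4; list=$5
    while read -r ent_type majmin ent_access; do
        [ -z "$ent_type" ] && continue
        ent_major=${majmin%%:*}
        ent_minor=${majmin#*:}
        [ "$ent_type" = "a" ] || [ "$ent_type" = "$want_type" ] || continue
        field_matches "$want_major" "$ent_major" || continue
        field_matches "$want_minor" "$ent_minor" || continue
        access_covered "$want_access" "$ent_access" && return 0
    done <<EOF
$list
EOF
    return 1
}

# extra_entries BASELINE LIST: print entries of LIST that are not in BASELINE,
# i.e. devices a container was granted beyond the defaults.
extra_entries() {
    baseline=$1; list=$2
    while read -r line; do
        [ -z "$line" ] && continue
        printf '%s\n' "$baseline" | grep -qxF -- "$line" || printf '%s\n' "$line"
    done <<EOF
$list
EOF
}

# /dev/net/tun is character device 10:200 on Linux.
if device_allowed c 10 200 rw "$DEFAULT_LIST"; then
    echo "default list: tun allowed"
else
    echo "default list: tun denied"
fi
if device_allowed c 10 200 rw "$TUN_LIST"; then
    echo "after devices.allow: tun allowed"
else
    echo "after devices.allow: tun denied"
fi
echo "entries beyond the defaults:"
extra_entries "$DEFAULT_LIST" "$TUN_LIST"
```

To run it against a real container, replace the constructed strings with `$(cat /sys/fs/cgroup/devices/libvirt/lxc/NAME/devices.list)`; the default-list comparison is also a quick way to see which containers have been given devices beyond the standard set.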

1 Answer

libvirt_lxc populates the guest's /dev tree on startup according to the guest's configuration. The documentation says you have to put the configuration in the guest's XML configuration file. Use a hostdev with the "misc" type and with its source pointing to a char device at /dev/net/tun.

The snippet should look like this:

...
<devices>
    ...
    <hostdev mode='capabilities' type='misc'>
        <source>
            <char>/dev/net/tun</char>
        </source>
    </hostdev>
</devices>
...

To edit the guest's XML file, use virsh. For a local instance use this command:

virsh -c lxc:/// edit GUESTNAME

I can confirm this working with libvirt-1.2.1.

Cristian Ciupitu
stefanjunker