Comment 13 for bug 2013318

Lena Voytek (lvoytek) wrote :

Thanks for the verification Miroslav! Confirmed for Kinetic and Focal too:

# lxc launch ubuntu:22.10 test-runc -c security.nesting=true -c security.privileged=true
# lxc exec test-runc bash

# cat <<EOF >/etc/apt/sources.list.d/ubuntu-$(lsb_release -cs)-proposed.list
# Enable Ubuntu proposed archive
deb http://archive.ubuntu.com/ubuntu/ $(lsb_release -cs)-proposed restricted main multiverse universe
EOF

# apt update && apt dist-upgrade -y
# apt install docker.io -y

# docker run -d alpine sleep 1000
366f3646453068167c160e601317ea92e010bf5862bdd91f7637d510de9175ce

# systemctl cat docker-366f3646453068167c160e601317ea92e010bf5862bdd91f7637d510de9175ce.scope | grep DeviceAllow
DeviceAllow=
DeviceAllow=char-pts rwm
DeviceAllow=/dev/char/10:200 rwm
DeviceAllow=/dev/char/5:2 rwm
DeviceAllow=/dev/char/5:1 rwm
DeviceAllow=/dev/char/5:0 rwm
DeviceAllow=/dev/char/1:9 rwm
DeviceAllow=/dev/char/1:8 rwm
DeviceAllow=/dev/char/1:7 rwm
DeviceAllow=/dev/char/1:5 rwm
DeviceAllow=/dev/char/1:3 rwm
DeviceAllow=char-* m
DeviceAllow=block-* m

# docker exec -ti 366f3646453068167 cat /dev/null
> No output

# lxc launch ubuntu:20.04 test-runc -c security.nesting=true -c security.privileged=true
# lxc exec test-runc bash

# cat <<EOF >/etc/apt/sources.list.d/ubuntu-$(lsb_release -cs)-proposed.list
# Enable Ubuntu proposed archive
deb http://archive.ubuntu.com/ubuntu/ $(lsb_release -cs)-proposed restricted main multiverse universe
EOF

# apt update && apt dist-upgrade -y
# apt install docker.io -y

# docker run -d alpine sleep 1000
72cdf46506813662f5da5cba33d26f921f99c09eb3b6f70e5da0945a2943eb9f

# systemctl cat docker-72cdf46506813662f5da5cba33d26f921f99c09eb3b6f70e5da0945a2943eb9f.scope | grep DeviceAllow
DeviceAllow=
DeviceAllow=char-pts rwm
DeviceAllow=/dev/char/10:200 rwm
DeviceAllow=/dev/char/5:2 rwm
DeviceAllow=/dev/char/5:1 rwm
DeviceAllow=/dev/char/5:0 rwm
DeviceAllow=/dev/char/1:9 rwm
DeviceAllow=/dev/char/1:8 rwm
DeviceAllow=/dev/char/1:7 rwm
DeviceAllow=/dev/char/1:5 rwm
DeviceAllow=/dev/char/1:3 rwm
DeviceAllow=char-* m
DeviceAllow=block-* m

# docker exec -ti 72cdf46506813662 cat /dev/null
> No output
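The verification above boils down to one question: does the container's systemd scope carry an explicit `rwm` rule for each of the default device nodes (1:3 is /dev/null, which the `cat /dev/null` check exercises)? The following script is an added example, not code from the bug report or from the docker.io/runc packages; it parses `systemctl cat <scope> | grep DeviceAllow` output and reports which of runc's default device nodes lack an `rwm` rule. The device number table is standard Linux (major:minor); the sample input is the DeviceAllow block quoted in the comment, plus a constructed variant with the /dev/null rule removed.

```python
"""Check a container scope's DeviceAllow= rules for runc's default device set."""
import re
from typing import Dict, List, Tuple

# runc's default allowed device nodes (major:minor -> path). Standard Linux numbers;
# the list itself is assumed for this example, not taken from the bug report.
REQUIRED_DEVICES = {
    "1:3": "/dev/null",
    "1:5": "/dev/zero",
    "1:7": "/dev/full",
    "1:8": "/dev/random",
    "1:9": "/dev/urandom",
    "5:0": "/dev/tty",
    "5:1": "/dev/console",
    "5:2": "/dev/ptmx",
    "10:200": "/dev/net/tun",
}

# "DeviceAllow=" (reset), "DeviceAllow=<node>" or "DeviceAllow=<node> <perm>".
LINE_RE = re.compile(r"^DeviceAllow=(?:(?P<node>\S+)(?:\s+(?P<perm>[rwm]+))?)?$")

# Sample input copied from the verification transcript in the comment above.
SAMPLE_SCOPE_OUTPUT = """\
DeviceAllow=
DeviceAllow=char-pts rwm
DeviceAllow=/dev/char/10:200 rwm
DeviceAllow=/dev/char/5:2 rwm
DeviceAllow=/dev/char/5:1 rwm
DeviceAllow=/dev/char/5:0 rwm
DeviceAllow=/dev/char/1:9 rwm
DeviceAllow=/dev/char/1:8 rwm
DeviceAllow=/dev/char/1:7 rwm
DeviceAllow=/dev/char/1:5 rwm
DeviceAllow=/dev/char/1:3 rwm
DeviceAllow=char-* m
DeviceAllow=block-* m
"""

# Constructed negative case: same scope but without the /dev/null (1:3) rule.
BROKEN_SCOPE_OUTPUT = "\n".join(
    line for line in SAMPLE_SCOPE_OUTPUT.splitlines() if "1:3" not in line
)


def parse_device_allow(text: str) -> Dict[str, str]:
    """Map each device spec to its permission string.

    A bare 'DeviceAllow=' clears the list (systemd semantics), so any rules that
    precede it are discarded; later rules for the same node overwrite earlier ones.
    """
    allowed: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line.startswith("DeviceAllow="):
            continue  # ignore unrelated unit lines
        match = LINE_RE.match(line)
        if match is None:
            raise ValueError(f"unparsable line: {line!r}")
        if match.group("node") is None:
            allowed.clear()  # reset directive
            continue
        allowed[match.group("node")] = match.group("perm") or ""
    return allowed


def missing_devices(allowed: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (major:minor, path) for every default device lacking full rwm access."""
    missing = []
    for majmin, path in REQUIRED_DEVICES.items():
        perm = allowed.get(f"/dev/char/{majmin}", "")
        if not {"r", "w", "m"} <= set(perm):
            missing.append((majmin, path))
    return missing


def check_scope(text: str) -> List[Tuple[str, str]]:
    """Parse scope output and list the default devices the container cannot open."""
    return missing_devices(parse_device_allow(text))


if __name__ == "__main__":
    for label, text in (("proposed", SAMPLE_SCOPE_OUTPUT), ("broken", BROKEN_SCOPE_OUTPUT)):
        gaps = check_scope(text)
        print(f"{label}: {'OK' if not gaps else 'missing ' + ', '.join(p for _, p in gaps)}")
```

Run it against real output with `systemctl cat docker-<id>.scope | grep DeviceAllow | python3 check.py` after swapping the sample constant for `sys.stdin.read()`; an empty result means every default node is reachable, which matches `cat /dev/null` returning no error in the transcript.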