Thanks for the verification Miroslav! Confirmed for Kinetic and Focal too:
# lxc launch ubuntu:22.10 test-runc -c security.nesting=true -c security.privileged=true
# lxc exec test-runc bash
# cat <<EOF >/etc/apt/sources.list.d/ubuntu-$(lsb_release -cs)-proposed.list
# Enable Ubuntu proposed archive
deb http://archive.ubuntu.com/ubuntu/ $(lsb_release -cs)-proposed restricted main multiverse universe
EOF
# apt update && apt dist-upgrade -y
# apt install docker.io -y
# docker run -d alpine sleep 1000
366f3646453068167c160e601317ea92e010bf5862bdd91f7637d510de9175ce
# systemctl cat docker-366f3646453068167c160e601317ea92e010bf5862bdd91f7637d510de9175ce.scope | grep DeviceAllow
DeviceAllow=
DeviceAllow=char-pts rwm
DeviceAllow=/dev/char/10:200 rwm
DeviceAllow=/dev/char/5:2 rwm
DeviceAllow=/dev/char/5:1 rwm
DeviceAllow=/dev/char/5:0 rwm
DeviceAllow=/dev/char/1:9 rwm
DeviceAllow=/dev/char/1:8 rwm
DeviceAllow=/dev/char/1:7 rwm
DeviceAllow=/dev/char/1:5 rwm
DeviceAllow=/dev/char/1:3 rwm
DeviceAllow=char-* m
DeviceAllow=block-* m
# docker exec -ti 366f3646453068167 cat /dev/null
> No output
# lxc launch ubuntu:20.04 test-runc -c security.nesting=true -c security.privileged=true
# lxc exec test-runc bash
# docker run -d alpine sleep 1000
72cdf46506813662f5da5cba33d26f921f99c09eb3b6f70e5da0945a2943eb9f
# systemctl cat docker-72cdf46506813662f5da5cba33d26f921f99c09eb3b6f70e5da0945a2943eb9f.scope | grep DeviceAllow
DeviceAllow=
DeviceAllow=char-pts rwm
DeviceAllow=/dev/char/10:200 rwm
DeviceAllow=/dev/char/5:2 rwm
DeviceAllow=/dev/char/5:1 rwm
DeviceAllow=/dev/char/5:0 rwm
DeviceAllow=/dev/char/1:9 rwm
DeviceAllow=/dev/char/1:8 rwm
DeviceAllow=/dev/char/1:7 rwm
DeviceAllow=/dev/char/1:5 rwm
DeviceAllow=/dev/char/1:3 rwm
DeviceAllow=char-* m
DeviceAllow=block-* m
# docker exec -ti 72cdf46506813662 cat /dev/null
> No output
Thanks for the verification Miroslav! Confirmed for Kinetic and Focal too:
# lxc launch ubuntu:22.10 test-runc -c security.nesting=true -c security.privileged=true
# lxc exec test-runc bash
# cat <<EOF >/etc/apt/sources.list.d/ubuntu-$(lsb_release -cs)-proposed.list
# Enable Ubuntu proposed archive
deb http://archive.ubuntu.com/ubuntu/ $(lsb_release -cs)-proposed restricted main multiverse universe
EOF
# apt update && apt dist-upgrade -y
# apt install docker.io -y
# docker run -d alpine sleep 1000
366f3646453068167c160e601317ea92e010bf5862bdd91f7637d510de9175ce
# systemctl cat docker-366f3646453068167c160e601317ea92e010bf5862bdd91f7637d510de9175ce.scope | grep DeviceAllow
DeviceAllow=
DeviceAllow=char-pts rwm
DeviceAllow=/dev/char/10:200 rwm
DeviceAllow=/dev/char/5:2 rwm
DeviceAllow=/dev/char/5:1 rwm
DeviceAllow=/dev/char/5:0 rwm
DeviceAllow=/dev/char/1:9 rwm
DeviceAllow=/dev/char/1:8 rwm
DeviceAllow=/dev/char/1:7 rwm
DeviceAllow=/dev/char/1:5 rwm
DeviceAllow=/dev/char/1:3 rwm
DeviceAllow=char-* m
DeviceAllow=block-* m
# docker exec -ti 366f3646453068167 cat /dev/null
> No output
# lxc launch ubuntu:20.04 test-runc -c security.nesting=true -c security.privileged=true
# lxc exec test-runc bash
# cat <<EOF >/etc/apt/sources.list.d/ubuntu-$(lsb_release -cs)-proposed.list
# Enable Ubuntu proposed archive
deb http://archive.ubuntu.com/ubuntu/ $(lsb_release -cs)-proposed restricted main multiverse universe
EOF
# apt update && apt dist-upgrade -y
# apt install docker.io -y
# docker run -d alpine sleep 1000
72cdf46506813662f5da5cba33d26f921f99c09eb3b6f70e5da0945a2943eb9f
# systemctl cat docker-72cdf46506813662f5da5cba33d26f921f99c09eb3b6f70e5da0945a2943eb9f.scope | grep DeviceAllow
DeviceAllow=
DeviceAllow=char-pts rwm
DeviceAllow=/dev/char/10:200 rwm
DeviceAllow=/dev/char/5:2 rwm
DeviceAllow=/dev/char/5:1 rwm
DeviceAllow=/dev/char/5:0 rwm
DeviceAllow=/dev/char/1:9 rwm
DeviceAllow=/dev/char/1:8 rwm
DeviceAllow=/dev/char/1:7 rwm
DeviceAllow=/dev/char/1:5 rwm
DeviceAllow=/dev/char/1:3 rwm
DeviceAllow=char-* m
DeviceAllow=block-* m
# docker exec -ti 72cdf46506813662 cat /dev/null
> No output