1479243 – How to use udev rules to management /dev/xxx when running in container?

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1479243 - How to use udev rules to management /dev/xxx when running in container?

Summary: How to use udev rules to management /dev/xxx when running in container?

Keywords:
Status:	CLOSED CANTFIX
Alias:	None
Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	systemd
Sub Component:
Version:	7.2
Hardware:	x86_64
OS:	Linux
Priority:	unspecified
Severity:	medium
Target Milestone:	rc
Target Release:	---
Assignee:	systemd-maint
QA Contact:	qe-baseos-daemons
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2017-08-08 07:45 UTC by muahao
Modified:	2017-08-08 14:18 UTC (History)
CC List:	2 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2017-08-08 14:18:56 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Description muahao 2017-08-08 07:45:23 UTC

Description of problem:

Firstly I want say , I am not really want to modify /dev/random 's access in product , This is just a test to verify when systemd running in moby  , udev 's rules in /etc/udev/rules.d/xxxx 's behavior

Question1:  why only when use --priviledged container, container's udev management rules in /etc/udev/rules.d/xxx  is valid ?

what authority systemd need if systemd need to use udev to manage /dev/xxx by /etc/udev/rules.d/xxx ? 

Question2:  when I start a container  use --priviledged, why container restart will modify phycalhost's /dev/xxx access and use physicalhost's  /etc/udev/rules.d/xxx  rules? I think this is not reasonable 




### Used distribution
redhat 7.2 

### In case of bug report: Steps to reproduce the problem
## start a containerA with no --priviledged


    [root@physicalhost /home/ahao.mah]
    #docker run -d --net host reg.docker.xxxxx.com/mybase/centos7u2:latest
    36cc8f6759294b2b2900b313c4f978737b11671b7ab2cc185e69fba3f6a9d10c
    
    [root@containerA /home/ahao.mah]
    #docker exec -it 36cc8f6759294b2b2900b313c4f978737b11671b7ab2cc185e69fba3f6a9d10c bash


modify udev rules  in containerA :


    [root@containerA /]
    #cat  /etc/udev/rules.d/70-test_random.rules
    KERNEL=="random",  GROUP="root", MODE="0665", OPTIONS="last_rule"


restart this containerA:


    [root@physicalhost /home/ahao.mah]
    #docker restart 36cc8f675929
    36cc8f675929

containerA's  /dev/random still 0666 ,but not 0665


    [root@containerA /]
    #ll /dev/random
    crw-rw-rw- 1 root root 1, 8 Aug  8 11:34 /dev/random

At this moment I do not know  why /etc/udev/rules.d/xxx rules is invalid in a no --priviledges container?

## start a containerB with --priviledge


    [root@physicalhost /home/ahao.mah]
    #docker run -d --net host --privileged reg.docker.xxxxx.com/mybase/centos7u2:latest
    
    [root@containerB /home/ahao.mah]
    #docker exec -it 1853437e8d2ea7018475b2328a10f1625da8b0c667941d69d912598325dc830d bash



Now containerB's /dev/random default access  is also 0666,but I want to modify containerB's /dev/random access to 0660, then I need to use udev rules in /etc/udev/rules.d/xxx


    [root@containerB /]
    #ll /dev/random
    crw-rw-rw- 1 root root 1, 8 Aug  8 11:40 /dev/random
    
    [root@containerB /]
    #vim /etc/udev/rules.d/70-test_random.rules
    KERNEL=="random",  GROUP="root", MODE="0660", OPTIONS="last_rule"


Now physicalhost's /dev/random default access  is also 0666,but I modify physical's /dev/random access to 0777


    [root@physicalhost /]
    #cat /etc/udev/rules.d/70-test_random.rules
    #KERNEL=="random",  GROUP="root", MODE="0777", OPTIONS="last_rule"
    
    [root@physicalhost /]
    #ll /dev/random
    #crw-rw-rw- 1 root root 1, 8 Aug  8 11:40 /dev/random



restart containerB:


    [root@physicalhost /home/ahao.mah]
    #docker restart 1853437e8d2e
    1853437e8d2e


both containerB's /dev/random and physicalhost's /dev/access is changed!


    [root@containerB /]
    #ll /dev/random
    crw-rw---- 1 root root 1, 8 Aug  8 11:41 /dev/random
    
    [root@physicalhost /home/ahao.mah]
    #ll /dev/random
    crwxrwxrwx 1 root root 1, 8 Aug  8 11:43 /dev/random


My views:

1. I think this relate to systemd running in docker  priv
2. when running with --priviledges , systemd running in docker should not modify physicalhost's /dev/xxx access by /etc/udev/rules.d/xxx
3. when running with no --priviledges , systemd running in docker should can  modify container's /dev/xxx access by /etc/udev/rules.d/xxx

Comment 2 Jan Synacek 2017-08-08 14:18:56 UTC

First, bugzilla is not a support tool. This report is not a valid bug report. You should contact Red Hat support with questions.

Second, I really tried to understand the question, though, but I don't think I understand it correctly, so my answer might be a bit off. Using udev rules inside containers doesn't make much sense. Udev reacts to the changes in real/virtualized hardware (the host system) while containers run as "namespaced guests". You could possibly forward the hardware changes into the container somehow, but that would be really weird.

Note You need to log in before you can comment on or make changes to this bug.