How can I passthrough /dev/mem into lxc

[vfiuchcikicshuusrch]

I need to have real /dev/mem in my privileged lxc, how can I do this ?

try add this into ct.conf
lxc.cgroup.devices.allow: c 1:1

and in ct run
mknod /dev/mem c 1 1

but this not working..

 

[Ramalama]

You need first to make one
dd if=/dev/urandom of=/dev/mem bs=1024 count=1000000
After that everything will work as you want xD

 

[vfiuchcikicshuusrch]

You need first to make one
dd if=/dev/urandom of=/dev/mem bs=1024 count=1000000
After that everything will work as you want xD

yeah great, but this is crap!

 

[Ramalama]

You can't passthrough memory in short. Not even a region. But you can increase memory for the lxc Container.

 

[vfiuchcikicshuusrch]

I need to passthrough /dev/mem into lxc ct.

 

[Tapio Lehtonen]

I need to passthrough /dev/mem into lxc ct.

My understanding is you can not use LXC Container if that is the case. It just is not possible with a container.

 

[t.lamprecht]

Can you please post the full container configuration you used?

This is most likely only a privilege issue, you need a privileged CT and lxc.apparmor.profile = unconfined (obv. don't do that if you do not trust the user(s) and software controlling that CT) - there may be a less "allowing" profile, but for a sure bet unconfined should work.

 

[t.lamprecht]

You can't passthrough memory in short. Not even a region. But you can increase memory for the lxc Container.

FYI, /dev/mem is a character device exposing physical memory access (in contrast to virtual mapped memory), this request is not like a "download more RAM" one ;-)
https://man7.org/linux/man-pages/man4/mem.4.html

 

[vfiuchcikicshuusrch]

Can you please post the full container configuration you used?

I'm use priveleged ct.

arch: amd64
cores: 2
features: fuse=1,mknod=1,nesting=1
hostname: host
memory: 2048
net0: name=eth0,bridge=vmbr0,firewall=1,hwaddr=52:C3:CE:EF:A1:B6,ip=dhcp,type=veth
ostype: ubuntu
rootfs: local-zfs:subvol-100-disk-1,size=8G
swap: 512
lxc.cgroup.devices.allow: c 1:* rwm
lxc.mount.entry: /dev/mem dev/mem  none bind,optional,create=file 0 0
lxc.apparmor.profile = unconfined

nothing work.
cat /dev/mem - Operation not permitted

 

[wbumiller]

beside the devices cgroup, apparmor and possible `nodev` mount flags this also needs `CAP_SYS_RAWIO` which is dropped by default for containers, you can add an empty `lxc.cap.drop` line to the config to clear the dropped capability list then add a 2nd such line with the default entries you find in `/usr/share/lxc/config/common.conf` without the rawio entry. but note that this enables a wider range of capabilities (which you'll find in under CAP_SYS_RAWIO in the capabilities(7) manpage).
But there will be dragons.