Fix LXC container console device setup

The /dev/console device inside the container must NOT map
to the real /dev/console device node, since this allows the
container control over the current host console. A fun side
effect of this is that starting a container containing a
real Fedora OS will kill off your X server.

Remove the /dev/console node, and replace it with a symlink
to the primary console TTY

* src/lxc/lxc_container.c: Replace /dev/console with a
  symlink to /dev/pty/0
* src/lxc/lxc_controller.c: Remove /dev/console from cgroups
  ACL

diff --git a/src/lxc/lxc_container.c b/src/lxc/lxc_container.c
index 0e06a2dcd095d50d81d31284c9aaa2ce5c4773de..7013667de35c605993e2031d5136d8afb205769c 100644 (file)
--- a/src/lxc/lxc_container.c
+++ b/src/lxc/lxc_container.c
@@ -466,7 +466,6 @@ static int lxcContainerPopulateDevices(void)
         { LXC_DEV_MAJ_MEMORY, LXC_DEV_MIN_NULL, 0666, "/dev/null" },
         { LXC_DEV_MAJ_MEMORY, LXC_DEV_MIN_ZERO, 0666, "/dev/zero" },
         { LXC_DEV_MAJ_MEMORY, LXC_DEV_MIN_FULL, 0666, "/dev/full" },
-        { LXC_DEV_MAJ_TTY, LXC_DEV_MIN_CONSOLE, 0600, "/dev/console" },
         { LXC_DEV_MAJ_MEMORY, LXC_DEV_MIN_RANDOM, 0666, "/dev/random" },
         { LXC_DEV_MAJ_MEMORY, LXC_DEV_MIN_URANDOM, 0666, "/dev/urandom" },
     };
@@ -508,6 +507,11 @@ static int lxcContainerPopulateDevices(void)
                              _("Failed to symlink /dev/pts/0 to /dev/tty1"));
         return -1;
     }
+    if (symlink("/dev/pts/0", "/dev/console") < 0) {
+        virReportSystemError(errno, "%s",
+                             _("Failed to symlink /dev/pts/0 to /dev/console"));
+        return -1;
+    }
 
     return 0;
 }

diff --git a/src/lxc/lxc_controller.c b/src/lxc/lxc_controller.c
index eb0148e4b7d773a8e98f68b2d6b028abb159dd09..478f0d1ff5510bd8b9a9112938d54d3f3fef7aed 100644 (file)
--- a/src/lxc/lxc_controller.c
+++ b/src/lxc/lxc_controller.c
@@ -80,7 +80,6 @@ static int lxcSetContainerResources(virDomainDefPtr def)
         {'c', LXC_DEV_MAJ_MEMORY, LXC_DEV_MIN_RANDOM},
         {'c', LXC_DEV_MAJ_MEMORY, LXC_DEV_MIN_URANDOM},
         {'c', LXC_DEV_MAJ_TTY, LXC_DEV_MIN_TTY},
-        {'c', LXC_DEV_MAJ_TTY, LXC_DEV_MIN_CONSOLE},
         {'c', LXC_DEV_MAJ_TTY, LXC_DEV_MIN_PTMX},
         {0,   0, 0}};