[systemd-devel] Systemd-nspawn: Cannot create tun device in container
James Lott
james at lottspot.com
Fri Oct 3 10:46:03 PDT 2014
Hello, list!

In some work I've been doing with systemd-nspawn containers, I've been trying
to connect one of my containers to an OpenVPN network. This container is being
run with the --network-bridge flag to set up its networking, so according to the
documentation it should retain the CAP_NET_ADMIN capability. However, the
container appears to be unable to create a new tun device:

    [root@lanvpn ~]# ip tuntap add dev tun0 mode tun
    open: No such file or directory

I tried retaining the CAP_MKNOD capability for this container using the
--capability flag as well, and this met with the same result.

I also tried binding the /dev/net device directory from the parent to the
/dev/net device directory of the child container, and added the following line
to the systemd-nspawn service file of the container:

    [root@host01 ~]# grep Device /etc/systemd/system/lanvpn.service
    DeviceAllow=/dev/net/tun rwm

This resulted in the error:

    [root@lanvpn ~]# ip tuntap add tun0 mode tun
    open: Operation not permitted

Is there any way to run my containers which will allow them to create tun/tap
devices? The system is Arch Linux ARM, running systemd 216-r3.
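The two errors in the post come from different layers, and the following script (an editor's added example, not code from the post or from systemd) separates them. open() on /dev/net/tun fails with "No such file or directory" when the node is simply absent from the container's /dev; once the node exists, "Operation not permitted" on open is what a device-cgroup denial, the thing DeviceAllow= configures, looks like from inside. The container root directory, the unit file path and the devices.list path are arguments you supply (assumed, not taken from the post), and stat(1) is assumed to be GNU coreutils.

```shell
#!/bin/sh
# Diagnostic for a container that cannot open /dev/net/tun. Editor's example;
# all paths are caller-supplied assumptions. Requires GNU stat (Linux).

# Inspect /dev/net/tun under a container root (assumed: the directory handed
# to systemd-nspawn -D). A missing node gives open(): ENOENT, i.e. the
# "No such file or directory" from the post's first attempt.
# Prints one of: missing | not-chardev | wrong-device | present
check_tun_node() {
    root="${1:-/}"
    node="$root/dev/net/tun"
    if [ ! -e "$node" ]; then
        echo missing; return 1
    fi
    if [ ! -c "$node" ]; then
        echo not-chardev; return 1
    fi
    # %t/%T print the device major/minor in hex; tun is misc major 10, minor 200.
    majmin=$(stat -c '%t:%T' "$node" 2>/dev/null)
    if [ "$majmin" != "a:c8" ]; then
        echo wrong-device; return 1
    fi
    echo present
}

# Print the access string of the last DeviceAllow= line for /dev/net/tun in a
# unit file (the post's line is "DeviceAllow=/dev/net/tun rwm"), or "(default)"
# when the line carries no access string; return 1 if the unit has no such
# line. Opening the node for use needs both r and w.
check_device_allow() {
    awk -F= '
        $1 == "DeviceAllow" {
            n = split($2, f, /[ \t]+/)
            if (f[1] == "/dev/net/tun") {
                acc = (n > 1) ? f[2] : "(default)"
                found = 1
            }
        }
        END { if (found) print acc; else exit 1 }
    ' "$1"
}

# Check a cgroup v1 devices.list (the kernel-side result of DeviceAllow=; the
# path is an argument, normally /sys/fs/cgroup/devices/<scope>/devices.list)
# for an entry that lets c 10:200 be opened read/write. An existing node that
# open() refuses with EPERM, the post's second error, is what a missing entry
# here produces inside the container.
devices_list_allows_tun() {
    [ -r "$1" ] || return 2
    while read -r type devnum access; do
        case "$type" in a|c) ;; *) continue ;; esac
        case "$devnum" in '*:*'|'10:*'|'10:200') ;; *) continue ;; esac
        case "$access" in *r*w*|*w*r*) return 0 ;; esac
    done < "$1"
    return 1
}

# Usage: tun_diag.sh <container-root> <unit-file> <devices.list>
# (all three paths are assumptions about your layout).
if [ $# -eq 3 ]; then
    echo "tun node:      $(check_tun_node "$1")"
    echo "DeviceAllow:   $(check_device_allow "$2" || echo none)"
    if devices_list_allows_tun "$3"; then
        echo "devices.list:  allows c 10:200 rw"
    else
        echo "devices.list:  does not allow c 10:200 rw"
    fi
fi
```

Run it against the container's root, its .service file and the scope's devices.list to see which layer is refusing: a "missing" node explains the first error regardless of capabilities, while a present node plus a devices.list without a matching entry explains the second.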