[systemd-devel] Systemd-nspawn: Cannot create tun device in container

James Lott james at lottspot.com
Tue Oct 7 16:41:33 PDT 2014
Does anyone have any feedback on this thread? If it's not possible for a container to create its own /dev/net/tun device (or use the host system's), I'll just move on to finding a less preferable solution. 

> On Oct 3, 2014, at 10:46 AM, James Lott <james at lottspot.com> wrote:
> 
> Hello, list!
> 
> In some work I've been doing with systemd-nspawn containers, I've been trying 
> to connect one of my containers to an openvpn network. This container is being 
> run with the --network-bridge flag to set up its networking, so according to the 
> documentation, should retain CAP_NET_ADMIN capabilities. However, the 
> container appears to be unable to create a new tun device.
> 
> [root at lanvpn ~]# ip tuntap add dev tun0 mode tun
> open: No such file or directory
> 
> I tried retaining the CAP_MKNOD capability for this container using the --
> capability flag as well, and this met with the same result.
> 
> I also tried binding the /dev/net device directory from the parent to the 
> /dev/net device directory of the child container, and added the following line 
> to the systemd-nspawn service file of the container
> 
> [root at host01 ~]# grep Device /etc/systemd/system/lanvpn.service
> DeviceAllow=/dev/net/tun rwm
> 
> This resulted in the error
> 
> [root at lanvpn ~]# ip tuntap add tun0 mode tun
> open: Operation not permitted
> 
> Is there any way to run my containers which will allow them to create tun/tap 
> devices? System is Arch Linux ARM, running systemd 216-r3
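The two errors quoted above come from different layers: "No such file or directory" means the /dev/net/tun node is simply absent from the container's private /dev, while "Operation not permitted" means the node is there but the open is refused (device cgroup, such as the unit's DeviceAllow=, or a missing capability). The following diagnostic is an added example, not code from the thread; it assumes a POSIX sh with /proc available and is meant to be run inside the container before changing any nspawn or unit settings.

```shell
#!/bin/sh
# Added diagnostic (not from the systemd-devel thread). Tells apart
# "node missing" from "node present but open denied" for /dev/net/tun,
# and reports whether the effective capability set still carries
# CAP_NET_ADMIN (bit 12) and CAP_MKNOD (bit 27).

# cap_bit_set HEXMASK BIT -> prints yes/no.
# HEXMASK is a CapEff value as shown in /proc/self/status, e.g. 0000003fffffffff.
cap_bit_set() {
    mask=$1; bit=$2
    if [ $(( (0x$mask >> bit) & 1 )) -eq 1 ]; then echo yes; else echo no; fi
}

# effective_caps -> CapEff hex mask of the current process.
effective_caps() {
    awk '/^CapEff:/ { print $2 }' /proc/self/status
}

# tun_state PATH -> missing | denied | openable
# Opening read-write in a subshell mirrors what `ip tuntap add` does;
# EPERM from a device cgroup (or EACCES) is reported as "denied".
tun_state() {
    path=$1
    [ -e "$path" ] || { echo missing; return 0; }
    if ( exec 3<>"$path" ) 2>/dev/null; then echo openable; else echo denied; fi
}

# report [PATH] -> one-line summary naming the layer that blocks tun creation.
report() {
    path=${1:-/dev/net/tun}
    caps=$(effective_caps)
    state=$(tun_state "$path")
    case $state in
        missing)  why="node absent: container /dev lacks $path (bind or create it)";;
        denied)   why="node present but open refused: check DeviceAllow= / device cgroup";;
        openable) why="node openable; if ioctl still fails, check CAP_NET_ADMIN";;
    esac
    echo "$path: $state; CAP_NET_ADMIN=$(cap_bit_set "$caps" 12)" \
         "CAP_MKNOD=$(cap_bit_set "$caps" 27); $why"
}

# Running the file directly prints the report for /dev/net/tun.
[ "${0##*/}" = "tun_diag.sh" ] && report
```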
