[systemd-devel] Systemd-nspawn: Cannot create tun device in container

James Lott james at lottspot.com
Thu Oct 9 23:53:36 PDT 2014


I am using a setup which retains the CAP_NET_ADMIN capability inside the 
container and allows openvpn to set up the device. No persistent devices are 
involved. Below, I have included a snippet from a shell session which shows 
the command used to invoke nspawn and then the openvpn command executed within 
the container which fails. 

[root at host01 ~]# systemctl status lanvpn | grep -A1 CGroup
   CGroup: /system.slice/lanvpn.service
           `-2169 /usr/bin/systemd-nspawn --network-bridge=switch1 -bD /home/lanvpn
[root at host01 ~]# ssh lanvpn
Last login: Thu Oct  9 15:01:42 2014 from host01.lottspot.vpn
[root at lanvpn ~]# openvpn --config /etc/openvpn/vpngate.conf | tail -n2
Thu Oct  9 23:40:45 2014 ERROR: Cannot open TUN/TAP dev /dev/net/tun: Operation not permitted (errno=1)
Thu Oct  9 23:40:45 2014 Exiting due to fatal error

This same VPN configuration will successfully connect within the host 
environment.

[root at lanvpn ~]# exit
logout
Connection to lanvpn closed.
[root at host01 ~]# curl icanhazip.com
23.243.158.241
[root at host01 ~]# openvpn --daemon --config /home/lanvpn/etc/openvpn/vpngate.conf
[root at host01 ~]# curl icanhazip.com
111.255.23.34

On Friday 10 October 2014 08:12:02 you wrote:
> On Fri, Oct 10, 2014 at 12:13 AM, James Lott <james at lottspot.com> wrote:
> > Trying to start up an openvpn connection yields the following error:
> > 
> > Thu Oct  9 15:01:52 2014 ERROR: Cannot open TUN/TAP dev /dev/net/tun:
> > Operation not permitted (errno=1)
> > 
> > As requested by Lennart, attached you will find an strace of the openvpn
> > process as it attempts to set up the connection. Please let me know if
> > there's anything else I can provide to be helpful, and thanks again for
> > the help!
> Thanks. So to open /dev/net/tun you need either to have CAP_NET_ADMIN
> (which depends on how you start nspawn, e.g. passing --network-veth
> will give you this) or the tun device must be created persistently by
> someone else and openvpn must have the right uid/gid to take control
> of it.
> 
> Which setup are you using? Could you send the command line you used to
> invoke nspawn and the openvpn config file you are using? (And also the
> same for whatever method you are using to create the persistent tun
> netdev, if this is what you do).
> 
> Cheers,
> 
> Tom

-- 
James Lott
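The two preconditions Tom lists (CAP_NET_ADMIN in the effective set, or a persistent tun whose owner uid/gid matches the process) can be checked from inside the container before blaming openvpn. The following is an added diagnostic example, not code from this thread or from systemd; it assumes the CapEff line of /proc/<pid>/status, the capability number 12 for CAP_NET_ADMIN from <linux/capability.h>, and the owner/group attributes that tun interfaces expose under /sys/class/net/<if>/ (-1 when unset).

```python
import os

CAP_NET_ADMIN = 12  # bit index in the CapEff mask, from <linux/capability.h>

# Constructed sample of the relevant /proc/<pid>/status lines for a process
# that has only CAP_NET_ADMIN (bit 12 -> 0x1000) in its effective set.
SAMPLE_STATUS = (
    "Name:\topenvpn\n"
    "CapInh:\t0000000000000000\n"
    "CapPrm:\t0000000000001000\n"
    "CapEff:\t0000000000001000\n"
)


def parse_cap_eff(status_text):
    """Return the effective capability mask from /proc/<pid>/status text."""
    for line in status_text.splitlines():
        if line.startswith("CapEff:"):
            return int(line.split(":", 1)[1].strip(), 16)
    raise ValueError("no CapEff line in status text")


def has_cap(cap_eff, cap):
    """True if capability number `cap` is set in the mask `cap_eff`."""
    return bool((cap_eff >> cap) & 1)


def may_open_tun(cap_eff, uid, gids, persistent=None):
    """Decide whether a process can attach to the tun device.

    `persistent` is None when no pre-created tun interface exists (openvpn must
    then create one, which needs CAP_NET_ADMIN), or an (owner_uid, group_gid)
    pair read from /sys/class/net/<if>/{owner,group}; -1 means "unset" and
    places no restriction on that side. Mirrors the rule stated in the thread.
    """
    if has_cap(cap_eff, CAP_NET_ADMIN):
        return True
    if persistent is None:
        return False
    owner, group = persistent
    return (owner == -1 or owner == uid) and (group == -1 or group in gids)


def live_check(ifname=None):
    """Run the check for the current process; `ifname` names a persistent tun."""
    with open("/proc/self/status") as f:
        cap_eff = parse_cap_eff(f.read())
    persistent = None
    if ifname:
        base = f"/sys/class/net/{ifname}"
        with open(f"{base}/owner") as o, open(f"{base}/group") as g:
            persistent = (int(o.read()), int(g.read()))
    return may_open_tun(cap_eff, os.geteuid(), set(os.getgroups()), persistent)
```

A False result inside the container with `persistent=None`, as in the session above, means openvpn will hit EPERM on /dev/net/tun no matter how the VPN itself is configured.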