[systemd-devel] Systemd-nspawn: Cannot create tun device in container
James Lott
james at lottspot.com
Thu Oct 9 23:53:36 PDT 2014
I am using a setup which retains the CAP_NET_ADMIN capability inside the
container and allows openvpn to set up the device. No persistent devices are
involved. Below, I have included a snippet from a shell session which shows
the command used to invoke nspawn and then the openvpn command executed within
the container which fails.
[root at host01 ~]# systemctl status lanvpn | grep -A1 CGroup
CGroup: /system.slice/lanvpn.service
`-2169 /usr/bin/systemd-nspawn --network-bridge=switch1 -bD /home/lanvpn
[root at host01 ~]# ssh lanvpn
Last login: Thu Oct 9 15:01:42 2014 from host01.lottspot.vpn
[root at lanvpn ~]# openvpn --config /etc/openvpn/vpngate.conf | tail -n2
Thu Oct 9 23:40:45 2014 ERROR: Cannot open TUN/TAP dev /dev/net/tun: Operation not permitted (errno=1)
Thu Oct 9 23:40:45 2014 Exiting due to fatal error
This same VPN configuration will successfully connect within the host
environment.
[root at lanvpn ~]# exit
logout
Connection to lanvpn closed.
[root at host01 ~]# curl icanhazip.com
23.243.158.241
[root at host01 ~]# openvpn --daemon --config /home/lanvpn/etc/openvpn/vpngate.conf
[root at host01 ~]# curl icanhazip.com
111.255.23.34
On Friday 10 October 2014 08:12:02 you wrote:
> On Fri, Oct 10, 2014 at 12:13 AM, James Lott <james at lottspot.com> wrote:
> > Trying to start up an openvpn connection yields the following error:
> >
> > Thu Oct 9 15:01:52 2014 ERROR: Cannot open TUN/TAP dev /dev/net/tun:
> > Operation not permitted (errno=1)
> >
> > As requested by Lennart, attached you will find an strace of the openvpn
> > process as it attempts to set up the connection. Please let me know if
> > there's anything else I can provide to be helpful, and thanks again for
> > the help!
> Thanks. So to open /dev/net/tun you need either to have CAP_NET_ADMIN
> (which depends on how you start nspawn, e.g. passing --network-veth
> will give you this) or the tun device must be created persistently by
> someone else and openvpn must have the right uid/gid to take control
> of it.
>
> Which setup are you using? Could you send the commandline you used to
> invoke nspawn and the openvpn config file you are using? (And also the
> same for whatever method you are using to create the persistent tun
> netdev, if this is what you do).
>
> Cheers,
>
> Tom
--
James Lott
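A small diagnostic for the two prerequisites Tom lists (CAP_NET_ADMIN in the container's effective set, and an openable /dev/net/tun), added here as an example; it is not from the thread or the systemd project and assumes a Linux /proc, POSIX sh and awk inside the container.

```shell
#!/bin/sh
# Constructed diagnostic: run inside the nspawn container before openvpn.

# CAP_NET_ADMIN is capability number 12 (linux/capability.h).
CAP_NET_ADMIN_BIT=12

# has_cap_net_admin HEXMASK -> exit 0 if bit 12 is set in a CapEff-style mask
# as printed in /proc/<pid>/status (e.g. 0000003fffffffff).
has_cap_net_admin() {
    mask="$1"
    [ $(( (0x$mask >> CAP_NET_ADMIN_BIT) & 1 )) -eq 1 ]
}

# cap_eff_mask -> prints the CapEff hex mask of the calling shell.
cap_eff_mask() {
    awk '/^CapEff:/ { print $2 }' /proc/self/status
}

# tun_open_status [DEV] -> prints "ok" if DEV can be opened read/write,
# "missing" if the node is absent, "denied" if open fails (EPERM/EACCES,
# e.g. a device cgroup filter or wrong uid/gid on a persistent tun).
tun_open_status() {
    dev="${1:-/dev/net/tun}"
    [ -e "$dev" ] || { echo missing; return 1; }
    if ( exec 3<>"$dev" ) 2>/dev/null; then
        echo ok
    else
        echo denied; return 1
    fi
}

main() {
    mask=$(cap_eff_mask)
    if has_cap_net_admin "$mask"; then
        echo "CapEff=$mask: CAP_NET_ADMIN present"
    else
        echo "CapEff=$mask: CAP_NET_ADMIN absent (e.g. start nspawn with --network-veth or --capability=CAP_NET_ADMIN)"
    fi
    echo "/dev/net/tun: $(tun_open_status)"
}

main
```

If the capability is present but the open still reports "denied", the failure is outside openvpn's capability set (device node permissions or a device filter on the container), which narrows the hunt considerably.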