[systemd-devel] Systemd-nspawn: Cannot create tun device in container
Lennart Poettering
lennart at poettering.net
Fri Oct 10 02:13:39 PDT 2014
On Thu, 09.10.14 23:53, James Lott (james at lottspot.com) wrote:
> I am using a setup which retains the CAP_NET_ADMIN capability inside the
> container and allows openvpn to setup the device. No persistent devices are
> involved. Below, I have included a snippet from a shell session which shows
> the command used to invoke nspawn and then the openvpn command executed within
> the container which fails.
The "devices" cgroup controller is used by nspawn to ensure code
running inside the container cannot freely create arbitrary device
nodes and then open them. What was missing here is to actually update
the policy for it to allow access to /dev/net/tun. I made that change
now, please check with the git version for nspawn if everything works
now.
Lennart
--
Lennart Poettering, Red Hat
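The policy check Lennart describes, written up as an added example that is not from this thread or from nspawn itself: a POSIX sh function that parses a cgroup v1 devices.list allowlist and reports whether /dev/net/tun (char 10:200) is permitted. The sample policies, variable and function names are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the thread: decide whether a cgroup v1 devices.list
# (the allowlist the devices controller exposes per cgroup) permits /dev/net/tun,
# which is char device major 10, minor 200 on Linux.
TUN_MAJOR=10
TUN_MINOR=200

# Constructed sample policies, devices.list format: "type major:minor access".
POLICY_DEFAULT='c 1:3 rwm
c 1:5 rwm
c 5:2 rwm
c 136:* rwm'
POLICY_WITH_TUN="$POLICY_DEFAULT
c 10:200 rwm"

# tun_allowed POLICY [ACCESS]: exit 0 if every requested access letter
# (default rw) is granted to char 10:200 by the matching entries, else 1.
tun_allowed() {
    policy="$1"
    want="${2:-rw}"
    granted=""
    while read -r type dev acc; do
        [ -z "$type" ] && continue
        maj="${dev%%:*}"
        min="${dev#*:}"
        # "a *:* rwm" grants everything; a char entry matches when both
        # major and minor are equal or wildcard.
        if [ "$type" = "a" ]; then
            granted="$granted$acc"
        elif [ "$type" = "c" ] &&
             { [ "$maj" = "*" ] || [ "$maj" = "$TUN_MAJOR" ]; } &&
             { [ "$min" = "*" ] || [ "$min" = "$TUN_MINOR" ]; }; then
            granted="$granted$acc"
        fi
    done <<EOF
$policy
EOF
    # access letters may be spread over several entries, so check each one
    for letter in r w m; do
        case "$want" in
            *"$letter"*) case "$granted" in *"$letter"*) ;; *) return 1 ;; esac ;;
        esac
    done
    return 0
}

# The openvpn failure in the thread matches the first policy, the fix the second.
tun_allowed "$POLICY_DEFAULT" rw && echo "default: tun allowed" || echo "default: tun denied"
tun_allowed "$POLICY_WITH_TUN" rw && echo "with tun entry: allowed" || echo "with tun entry: denied"
```

On a live system, pass the contents of the container cgroup's devices.list from the host in place of the constructed policies; on cgroup v2 the device policy is a BPF program and this file does not exist.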