[systemd-devel] Systemd-nspawn: Cannot create tun device in container
James Lott
james at lottspot.com
Sat Oct 11 15:15:22 PDT 2014
Everything works great now, thanks for all of your help!
> On Oct 10, 2014, at 2:13 AM, Lennart Poettering <lennart at poettering.net> wrote:
>
>> On Thu, 09.10.14 23:53, James Lott (james at lottspot.com) wrote:
>>
>> I am using a setup which retains the CAP_NET_ADMIN capability inside the
>> container and allows openvpn to set up the device. No persistent devices are
>> involved. Below, I have included a snippet from a shell session which shows
>> the command used to invoke nspawn and then the openvpn command executed within
>> the container which fails.
>
> The "devices" cgroup controller is used by nspawn to ensure code
> running inside the container cannot freely create arbitrary device
> nodes and then open them. What was missing here is to actually update
> the policy for it to allow access to /dev/net/tun. I made that change
> now, please check with the git version for nspawn if everything works
> now.
>
> Lennart
>
> --
> Lennart Poettering, Red Hat
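Lennart's reply above turns on the devices cgroup policy: the container can only open a device node the allow-list covers. As an added example (not from this thread or from systemd), the POSIX shell below parses a cgroup v1 `devices.list`-style allow-list (`TYPE MAJOR:MINOR PERMS` per line) and reports whether it grants the read/write access openvpn needs on /dev/net/tun, character device 10:200; `dev_allowed` generalizes the check to any device and permission set. The sample lists are constructed, and the `/sys/fs/cgroup/devices/<container>/devices.list` location is an assumption for a cgroup v1 host.

```shell
#!/bin/sh
# Added example (not from the thread or systemd): parse a cgroup v1
# "devices" allow-list (devices.list format: "TYPE MAJOR:MINOR PERMS")
# and report whether it covers a given device. /dev/net/tun is char 10:200.

# dev_allowed LIST TYPE MAJOR MINOR PERMS
# Returns 0 if a rule in LIST covers TYPE MAJOR:MINOR with every letter of
# PERMS (r=read, w=write, m=mknod); '*' and type 'a' act as wildcards.
dev_allowed() {
    want_type=$2 want_major=$3 want_minor=$4 want_perms=$5
    printf '%s\n' "$1" | {
        while read -r type majmin perms; do
            [ -n "$type" ] || continue
            [ "$type" = a ] || [ "$type" = "$want_type" ] || continue
            major=${majmin%%:*}
            minor=${majmin#*:}
            [ "$major" = '*' ] || [ "$major" = "$want_major" ] || continue
            [ "$minor" = '*' ] || [ "$minor" = "$want_minor" ] || continue
            ok=1
            for p in $(printf '%s' "$want_perms" | sed 's/./& /g'); do
                case "$perms" in *"$p"*) ;; *) ok=0 ;; esac
            done
            [ "$ok" = 1 ] && exit 0   # match found: leave the subshell with 0
        done
        exit 1                        # no rule covered the device
    }
}

# tun_allowed LIST: does LIST let a process open /dev/net/tun read-write?
tun_allowed() { dev_allowed "$1" c 10 200 rw; }

# Constructed sample allow-lists (what a live cgroup v1 devices.list under
# /sys/fs/cgroup/devices/<container>/ might contain; assumed location).
CGROUP_WITHOUT_TUN='c 1:3 rwm
c 1:5 rwm
c 5:2 rwm'
CGROUP_WITH_TUN="$CGROUP_WITHOUT_TUN
c 10:200 rwm"
CGROUP_TUN_READONLY="$CGROUP_WITHOUT_TUN
c 10:200 r"
CGROUP_ALL='a *:* rwm'

for name in CGROUP_WITHOUT_TUN CGROUP_WITH_TUN CGROUP_TUN_READONLY CGROUP_ALL; do
    eval "list=\$$name"
    if tun_allowed "$list"; then echo "$name: tun allowed"; else echo "$name: tun denied"; fi
done
```

A read-only rule on 10:200 is reported as denied because openvpn opens the node read-write; creating the node inside the container would additionally require the `m` permission.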