Re: [systemd-devel] Systemd-nspawn: Cannot create tun device in container
Everything works great now, thanks for all of your help!

On Oct 10, 2014, at 2:13 AM, Lennart Poettering lenn...@poettering.net wrote:

> On Thu, 09.10.14 23:53, James Lott (ja...@lottspot.com) wrote:
>
>> I am using a setup which retains the CAP_NET_ADMIN capability inside the
>> container and allows openvpn to set up the device. No persistent devices
>> are involved. Below, I have included a snippet from a shell session which
>> shows the command used to invoke nspawn and then the openvpn command
>> executed within the container which fails.
>
> The devices cgroup controller is used by nspawn to ensure code running
> inside the container cannot freely create arbitrary device nodes and then
> open them. What was missing here is to actually update the policy for it
> to allow access to /dev/net/tun. I made that change now, please check with
> the git version for nspawn if everything works now.
>
> Lennart
>
> --
> Lennart Poettering, Red Hat

___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel
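The gate Lennart describes above is the legacy (cgroup v1) devices controller: a process may open or mknod a device node only if one line of its cgroup's allowlist matches the node's type and major:minor and covers every requested access bit, otherwise the kernel returns EPERM, which is the "Operation not permitted" openvpn printed. The following is an added example, not code from systemd-nspawn or from anyone in this thread. It implements those matching rules in Python and applies them to /dev/net/tun, which is character device 10:200. The two sample policies are constructed for illustration; the exact rule set nspawn installs, and the exact line Lennart's fix added, are not shown in the thread.

```python
"""Evaluate a cgroup v1 'devices' allowlist against a device node.

Added example; not systemd code. Each devices.list line has the form
"<type> <major>:<minor> <access>": type is a (all), b (block) or c (char);
major and minor are decimal numbers or '*'; access is a subset of r, w, m
(read, write, mknod). A request is permitted only if a single line matches
the node and its access mask is a superset of the requested bits; bits are
not combined across lines, mirroring the kernel's per-exception check.
"""
from dataclasses import dataclass
from typing import List

# /dev/net/tun: misc major 10, minor 200 (a kernel constant, not an assumption).
TUN_TYPE, TUN_MAJOR, TUN_MINOR = "c", 10, 200


@dataclass(frozen=True)
class DeviceRule:
    dtype: str   # "a", "b" or "c"
    major: str   # decimal string or "*"
    minor: str   # decimal string or "*"
    access: str  # non-empty subset of "rwm"


def parse_devices_list(text: str) -> List[DeviceRule]:
    """Parse devices.list text. '#' comments are tolerated here for the
    constructed samples; the real kernel file has none. Malformed lines raise
    ValueError instead of being skipped, so a policy is never misread."""
    rules: List[DeviceRule] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 3:
            raise ValueError(f"malformed devices.list line: {raw!r}")
        dtype, majmin, access = parts
        if dtype not in ("a", "b", "c"):
            raise ValueError(f"bad device type in {raw!r}")
        major, sep, minor = majmin.partition(":")
        if not sep or not all(p == "*" or p.isdigit() for p in (major, minor)):
            raise ValueError(f"bad major:minor in {raw!r}")
        if not access or any(ch not in "rwm" for ch in access):
            raise ValueError(f"bad access mask in {raw!r}")
        rules.append(DeviceRule(dtype, major, minor, access))
    return rules


def _number_matches(pattern: str, value: int) -> bool:
    return pattern == "*" or int(pattern) == value


def is_allowed(rules: List[DeviceRule], dtype: str, major: int, minor: int,
               access: str) -> bool:
    """True if one rule matches (type, major, minor) and covers all of
    `access`. The requested bits must not exceed that single rule's mask."""
    wanted = set(access)
    for rule in rules:
        if rule.dtype != "a" and rule.dtype != dtype:
            continue
        if not (_number_matches(rule.major, major)
                and _number_matches(rule.minor, minor)):
            continue
        if wanted <= set(rule.access):
            return True
    return False


def tun_allowed(devices_list: str, access: str = "rw") -> bool:
    """Can a process in this cgroup open /dev/net/tun O_RDWR, as openvpn
    does? Pass access="rwm" to also require permission to mknod the node."""
    rules = parse_devices_list(devices_list)
    return is_allowed(rules, TUN_TYPE, TUN_MAJOR, TUN_MINOR, access)


# Constructed sample: a minimal container allowlist with no tun entry
# (null, zero, full, random, urandom, tty, ptmx, and the pts slaves).
POLICY_WITHOUT_TUN = """\
c 1:3 rwm
c 1:5 rwm
c 1:7 rwm
c 1:8 rwm
c 1:9 rwm
c 5:0 rwm
c 5:2 rwm
c 136:* rw
"""

# Constructed sample: the same list plus a line permitting the tun node,
# which is the kind of policy change the thread's fix describes.
POLICY_WITH_TUN = POLICY_WITHOUT_TUN + "c 10:200 rwm\n"

if __name__ == "__main__":
    for name, policy in (("without tun", POLICY_WITHOUT_TUN),
                         ("with tun", POLICY_WITH_TUN)):
        print(f"{name}: open(/dev/net/tun, O_RDWR) allowed = {tun_allowed(policy)}")
```

Note that the cgroup allowlist is only the first gate. Once the open succeeds, attaching a new tun interface (the TUNSETIFF ioctl) still needs CAP_NET_ADMIN in the container, or a persistent tun device pre-created for openvpn's uid/gid, which is the distinction Tom draws later in the thread.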
Re: [systemd-devel] Systemd-nspawn: Cannot create tun device in container
On Fri, Oct 10, 2014 at 12:13 AM, James Lott ja...@lottspot.com wrote:

> Trying to start up an openvpn connection yields the following error:
>
> Thu Oct 9 15:01:52 2014 ERROR: Cannot open TUN/TAP dev /dev/net/tun: Operation not permitted (errno=1)
>
> As requested by Lennart, attached you will find an strace of the openvpn
> process as it attempts to set up the connection. Please let me know if
> there's anything else I can provide to be helpful, and thanks again for
> the help!

Thanks. So to open /dev/net/tun you need either to have CAP_NET_ADMIN (which
depends on how you start nspawn, e.g. passing --network-veth will give you
this) or the tun device must be created persistently by someone else and
openvpn must have the right uid/gid to take control of it. Which setup are
you using?

Could you send the commandline you used to invoke nspawn and the openvpn
config file you are using? (And also the same for whatever method you are
using to create the persistent tun netdev, if this is what you do).

Cheers,

Tom
Re: [systemd-devel] Systemd-nspawn: Cannot create tun device in container
I am using a setup which retains the CAP_NET_ADMIN capability inside the
container and allows openvpn to set up the device. No persistent devices are
involved. Below, I have included a snippet from a shell session which shows
the command used to invoke nspawn and then the openvpn command executed
within the container which fails.

[root@host01 ~]# systemctl status lanvpn | grep -A1 CGroup
   CGroup: /system.slice/lanvpn.service
           `-2169 /usr/bin/systemd-nspawn --network-bridge=switch1 -bD /home/lanvpn
[root@host01 ~]# ssh lanvpn
Last login: Thu Oct 9 15:01:42 2014 from host01.lottspot.vpn
[root@lanvpn ~]# openvpn --config /etc/openvpn/vpngate.conf | tail -n2
Thu Oct 9 23:40:45 2014 ERROR: Cannot open TUN/TAP dev /dev/net/tun: Operation not permitted (errno=1)
Thu Oct 9 23:40:45 2014 Exiting due to fatal error

This same VPN configuration will successfully connect within the host
environment.

[root@lanvpn ~]# exit
logout
Connection to lanvpn closed.
[root@host01 ~]# curl icanhazip.com
23.243.158.241
[root@host01 ~]# openvpn --daemon --config /home/lanvpn/etc/openvpn/vpngate.conf
[root@host01 ~]# curl icanhazip.com
111.255.23.34

On Friday 10 October 2014 08:12:02 you wrote:
> On Fri, Oct 10, 2014 at 12:13 AM, James Lott ja...@lottspot.com wrote:
>> Trying to start up an openvpn connection yields the following error:
>>
>> Thu Oct 9 15:01:52 2014 ERROR: Cannot open TUN/TAP dev /dev/net/tun: Operation not permitted (errno=1)
>>
>> As requested by Lennart, attached you will find an strace of the openvpn
>> process as it attempts to set up the connection. Please let me know if
>> there's anything else I can provide to be helpful, and thanks again for
>> the help!
>
> Thanks. So to open /dev/net/tun you need either to have CAP_NET_ADMIN
> (which depends on how you start nspawn, e.g. passing --network-veth will
> give you this) or the tun device must be created persistently by someone
> else and openvpn must have the right uid/gid to take control of it. Which
> setup are you using?
>
> Could you send the commandline you used to invoke nspawn and the openvpn
> config file you are using? (And also the same for whatever method you are
> using to create the persistent tun netdev, if this is what you do).
>
> Cheers,
>
> Tom

--
James Lott
Re: [systemd-devel] Systemd-nspawn: Cannot create tun device in container
On Fri, 03.10.14 10:46, James Lott (ja...@lottspot.com) wrote:

> Hello, list!
>
> In some work I've been doing with systemd-nspawn containers, I've been
> trying to connect one of my containers to an openvpn network. This
> container is being run with the --network-bridge flag to set up its
> networking, so according to the documentation, should retain CAP_NET_ADMIN
> capabilities. However, the container appears to be unable to create a new
> tun device
>
> [root@lanvpn ~]# ip tuntap add dev tun0 mode tun
> open: No such file or directory

Can you check with strace what precisely fails here?

Lennart

--
Lennart Poettering, Red Hat
Re: [systemd-devel] Systemd-nspawn: Cannot create tun device in container
On Fri, Oct 3, 2014 at 7:46 PM, James Lott ja...@lottspot.com wrote:

> Hello, list!
>
> In some work I've been doing with systemd-nspawn containers, I've been
> trying to connect one of my containers to an openvpn network. This
> container is being run with the --network-bridge flag to set up its
> networking, so according to the documentation, should retain CAP_NET_ADMIN
> capabilities. However, the container appears to be unable to create a new
> tun device

Hi James,

Thanks for the report, and sorry for the late reply. I just pushed a fix to
git which creates /dev/net/tun in the container (if it exists on the host)
and it appears to work for me. Please let me know whether this solves your
problem.

Cheers,

Tom

> [root@lanvpn ~]# ip tuntap add dev tun0 mode tun
> open: No such file or directory
>
> I tried retaining the CAP_MKNOD capability for this container using the
> --capability flag as well, and this met with the same result. I also tried
> binding the /dev/net device directory from the parent to the /dev/net
> device directory of the child container, and added the following line to
> the systemd-nspawn service file of the container
>
> [root@host01 ~]# grep Device /etc/systemd/system/lanvpn.service
> DeviceAllow=/dev/net/tun rwm
>
> This resulted in the error
>
> [root@lanvpn ~]# ip tuntap add tun0 mode tun
> open: Operation not permitted
>
> Is there any way to run my containers which will allow them to create
> tun/tap devices?
>
> System is arch linux arm, running systemd 216-r3
Re: [systemd-devel] Systemd-nspawn: Cannot create tun device in container
Does anyone have any feedback on this thread? If it's not possible for a
container to create its own /dev/net/tun device (or use the host system's),
I'll just move on to finding a less preferable solution.

On Oct 3, 2014, at 10:46 AM, James Lott ja...@lottspot.com wrote:

> Hello, list!
>
> In some work I've been doing with systemd-nspawn containers, I've been
> trying to connect one of my containers to an openvpn network. This
> container is being run with the --network-bridge flag to set up its
> networking, so according to the documentation, should retain CAP_NET_ADMIN
> capabilities. However, the container appears to be unable to create a new
> tun device
>
> [root@lanvpn ~]# ip tuntap add dev tun0 mode tun
> open: No such file or directory
>
> I tried retaining the CAP_MKNOD capability for this container using the
> --capability flag as well, and this met with the same result. I also tried
> binding the /dev/net device directory from the parent to the /dev/net
> device directory of the child container, and added the following line to
> the systemd-nspawn service file of the container
>
> [root@host01 ~]# grep Device /etc/systemd/system/lanvpn.service
> DeviceAllow=/dev/net/tun rwm
>
> This resulted in the error
>
> [root@lanvpn ~]# ip tuntap add tun0 mode tun
> open: Operation not permitted
>
> Is there any way to run my containers which will allow them to create
> tun/tap devices?
>
> System is arch linux arm, running systemd 216-r3
[systemd-devel] Systemd-nspawn: Cannot create tun device in container
Hello, list!

In some work I've been doing with systemd-nspawn containers, I've been
trying to connect one of my containers to an openvpn network. This container
is being run with the --network-bridge flag to set up its networking, so
according to the documentation, should retain CAP_NET_ADMIN capabilities.
However, the container appears to be unable to create a new tun device

[root@lanvpn ~]# ip tuntap add dev tun0 mode tun
open: No such file or directory

I tried retaining the CAP_MKNOD capability for this container using the
--capability flag as well, and this met with the same result. I also tried
binding the /dev/net device directory from the parent to the /dev/net device
directory of the child container, and added the following line to the
systemd-nspawn service file of the container

[root@host01 ~]# grep Device /etc/systemd/system/lanvpn.service
DeviceAllow=/dev/net/tun rwm

This resulted in the error

[root@lanvpn ~]# ip tuntap add tun0 mode tun
open: Operation not permitted

Is there any way to run my containers which will allow them to create
tun/tap devices?

System is arch linux arm, running systemd 216-r3