Hello, list! In some work I've been doing with systemd-nspawn containers, I've been trying to connect one of my containers to an openvpn network. This conteiner is being run with the --network-bridge flag to setup its networking, so according to the documentation, should retain CAP_NET_ADMIN capabilities. However, the container appears to be unable to create a new tun device
[root@lanvpn ~]# ip tuntap add dev tun0 mode tun open: No such file or directory I tried retaining the CAP_MKNOD capability for this container using the -- capability flag as well, and this met with the same result. I also tried binding the /dev/net device directory from the parent to the /dev/net device directory of the child container, and added the following line to the systemd-nspawn service file of the container [root@host01 ~]# grep Device /etc/systemd/system/lanvpn.service DeviceAllow=/dev/net/tun rwm This resulted in the error [root@lanvpn ~]# ip tuntap add tun0 mode tun open: Operation not permitted Is there any way to run my containers which will allow them to create tun/tap devices? System is arch linux arm, running systemd 216-r3 _______________________________________________ systemd-devel mailing list systemd-devel@lists.freedesktop.org http://lists.freedesktop.org/mailman/listinfo/systemd-devel
