On Fri, Oct 3, 2014 at 7:46 PM, James Lott <ja...@lottspot.com> wrote:
> Hello, list!
>
> In some work I've been doing with systemd-nspawn containers, I've been trying
> to connect one of my containers to an openvpn network. This container is being
> run with the --network-bridge flag to set up its networking, so according to the
> documentation, should retain CAP_NET_ADMIN capabilities. However, the
> container appears to be unable to create a new tun device
Hi James,

Thanks for the report, and sorry for the late reply. I just pushed a fix to git which creates /dev/net/tun in the container (if it exists on the host) and it appears to work for me.

Please let me know whether this solves your problem.

Cheers,
Tom

> [root@lanvpn ~]# ip tuntap add dev tun0 mode tun
> open: No such file or directory
>
> I tried retaining the CAP_MKNOD capability for this container using the
> --capability flag as well, and this met with the same result.
>
> I also tried binding the /dev/net device directory from the parent to the
> /dev/net device directory of the child container, and added the following line
> to the systemd-nspawn service file of the container
>
> [root@host01 ~]# grep Device /etc/systemd/system/lanvpn.service
> DeviceAllow=/dev/net/tun rwm
>
> This resulted in the error
>
> [root@lanvpn ~]# ip tuntap add tun0 mode tun
> open: Operation not permitted
>
> Is there any way to run my containers which will allow them to create tun/tap
> devices? System is arch linux arm, running systemd 216-r3
> _______________________________________________
> systemd-devel mailing list
> systemd-devel@lists.freedesktop.org
> http://lists.freedesktop.org/mailman/listinfo/systemd-devel
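The two failure modes in the thread ("No such file or directory" because the node is absent, "Operation not permitted" because the cgroup device policy or capabilities block it) are easiest to tell apart by checking the node itself first. The script below is an added example, not code from the thread or from systemd: it checks whether a path is a usable tun node (character device, major 10, minor 200, the Linux misc-device numbers for tun) and, mirroring the "create it in the container if it exists on the host" behaviour Tom describes, creates the node under a container root directory. Function names, the `TUN_MAJOR`/`TUN_MINOR` constants and the use of GNU `stat -c` are assumptions of this example; creating the node requires root.

```shell
#!/bin/sh
# Added example (not from the thread or from systemd): inspect and, if needed,
# create /dev/net/tun under a container root. Assumes GNU coreutils stat and
# the Linux tun device numbers (major 10, minor 200).
TUN_MAJOR=10
TUN_MINOR=200

# tun_node_status PATH -> prints one of: missing, not-char, wrong-numbers, ok
tun_node_status() {
    path=$1
    if [ ! -e "$path" ]; then
        echo missing
        return 0
    fi
    if [ ! -c "$path" ]; then
        # A regular file or directory at this path explains "No such file or
        # directory" / odd errors from ip tuntap just as well as a missing node.
        echo not-char
        return 0
    fi
    # GNU stat prints the device major (%t) and minor (%T) in hex.
    maj=$(( 0x$(stat -c %t "$path") ))
    min=$(( 0x$(stat -c %T "$path") ))
    if [ "$maj" -ne "$TUN_MAJOR" ] || [ "$min" -ne "$TUN_MINOR" ]; then
        echo wrong-numbers
        return 0
    fi
    echo ok
}

# ensure_tun_node CONTAINER_ROOT -> creates CONTAINER_ROOT/dev/net/tun when the
# host has a usable /dev/net/tun and the container does not yet have one.
# Returns 0 on success or when the node already exists, 1 otherwise.
ensure_tun_node() {
    root=$1
    target="$root/dev/net/tun"
    if [ "$(tun_node_status /dev/net/tun)" != ok ]; then
        echo "host has no usable /dev/net/tun; nothing to copy" >&2
        return 1
    fi
    case $(tun_node_status "$target") in
        ok) return 0 ;;
        missing) ;;
        *)
            # Refuse to replace something that is not the tun device node.
            echo "$target exists but is not the tun device; refusing" >&2
            return 1
            ;;
    esac
    mkdir -p "$root/dev/net"
    # Same mode as the host node on a typical distribution (world rw).
    mknod -m 0666 "$target" c "$TUN_MAJOR" "$TUN_MINOR"
}

# Usage (as root): ensure_tun_node /var/lib/machines/lanvpn
```

If `tun_node_status` reports `ok` inside the container and `ip tuntap` still fails with "Operation not permitted", the node is not the problem: that points at the device cgroup policy (the `DeviceAllow=/dev/net/tun rwm` line from the thread) or at a missing CAP_NET_ADMIN for the process, not at a missing or mis-created device node.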