On Thu, 09.10.14 23:53, James Lott (ja...@lottspot.com) wrote:

> I am using a setup which retains the CAP_NET_ADMIN capability inside the
> container and allows openvpn to set up the device. No persistent devices are
> involved. Below, I have included a snippet from a shell session which shows
> the command used to invoke nspawn and then the openvpn command executed
> within the container which fails.
The "devices" cgroup controller is used by nspawn to ensure code running inside the container cannot freely create arbitrary device nodes and then open them. What was missing here is to actually update the policy for it to allow access to /dev/net/tun. I made that change now; please check with the git version of nspawn whether everything works now.

Lennart

-- 
Lennart Poettering, Red Hat
_______________________________________________
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel
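As an added example (not from this thread and not nspawn's own code): a POSIX shell script that checks a cgroup v1 devices allow list, in the kernel's `type major:minor access` format, for an entry covering /dev/net/tun (character device 10:200, the node openvpn opens). The two sample policies are constructed, and the function names are my own. The check assumes a default-deny devices cgroup, where `devices.list` enumerates the allowed exceptions, and mirrors the kernel's matching rule: a single entry must match the type, the major, the minor, and grant every requested access mode.

```shell
#!/bin/sh
# Added example, not from the systemd thread or from nspawn. Decides whether a
# cgroup v1 devices whitelist permits /dev/net/tun (char 10:200).
#
# devices.list entry format: "<type> <major>:<minor> <access>"
#   type   : a (any), c (char), b (block)
#   major  : number or *
#   minor  : number or *
#   access : any of r (read), w (write), m (mknod)
# Kernel semantics: an entry matches only if type, major and minor match and
# the entry's access letters cover every letter of the request.

# Constructed sample: a typical minimal whitelist with no tun rule
# (/dev/null, zero, full, random, urandom, tty, and the pts slaves rw-only).
POLICY_WITHOUT_TUN='c 1:3 rwm
c 1:5 rwm
c 1:7 rwm
c 1:8 rwm
c 1:9 rwm
c 5:0 rwm
c 136:* rw'

# Constructed sample: the same list after the fix discussed in the thread,
# i.e. with a rule for /dev/net/tun appended.
POLICY_WITH_TUN="$POLICY_WITHOUT_TUN
c 10:200 rwm"

# covers ENTRY_ACCESS WANT_ACCESS -> 0 if every requested letter is granted
covers() {
    want=$2
    while [ -n "$want" ]; do
        ch=${want%"${want#?}"}      # first character of the remaining request
        want=${want#?}
        case $1 in *"$ch"*) ;; *) return 1 ;; esac
    done
    return 0
}

# device_allowed POLICY TYPE MAJOR MINOR ACCESS -> 0 if some entry permits it
device_allowed() {
    policy=$1 want_type=$2 want_major=$3 want_minor=$4 want_access=$5
    while read -r etype majmin eaccess; do
        [ -z "$etype" ] && continue
        emajor=${majmin%%:*}
        eminor=${majmin#*:}
        [ "$etype" = a ] || [ "$etype" = "$want_type" ] || continue
        [ "$emajor" = '*' ] || [ "$emajor" = "$want_major" ] || continue
        [ "$eminor" = '*' ] || [ "$eminor" = "$want_minor" ] || continue
        covers "$eaccess" "$want_access" && return 0
    done <<EOF
$policy
EOF
    return 1
}

# tun_status POLICY -> prints "allowed" or "denied" for creating and opening
# /dev/net/tun (read, write and mknod, since the container may need to create
# the node as well as open it).
tun_status() {
    if device_allowed "$1" c 10 200 rwm; then echo allowed; else echo denied; fi
}

printf 'without tun rule: %s\n' "$(tun_status "$POLICY_WITHOUT_TUN")"
printf 'with tun rule:    %s\n' "$(tun_status "$POLICY_WITH_TUN")"

# On a real host, also test the policy the kernel enforces for this process.
# Only meaningful on a cgroup v1 devices hierarchy; silently skipped elsewhere.
cg=$(awk -F: '$2 == "devices" { print $3; exit }' /proc/self/cgroup 2>/dev/null)
if [ -n "$cg" ] && [ -r "/sys/fs/cgroup/devices$cg/devices.list" ]; then
    printf 'this cgroup:      %s\n' \
        "$(tun_status "$(cat "/sys/fs/cgroup/devices$cg/devices.list")")"
fi
```

On a host where the check reports "denied", the corresponding kernel interface is the cgroup's `devices.allow` file, which accepts the same entry syntax (`c 10:200 rwm`); with nspawn the policy is set by nspawn itself, which is why the fix above belongs in nspawn rather than in the container.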