[libvirt] How to use /dev/net/tun from libvirt-lxc with user namespacing enabled
Thiago Padilha
tpadilha84 at gmail.com
Mon Jan 29 21:58:16 UTC 2018
Just noticed this list is for development-related discussions, sorry for
sending a support question. Will resend to libvirt-users.
On Mon, Jan 29, 2018 at 5:08 PM, Thiago Padilha <tpadilha84 at gmail.com>
wrote:
> I have a container rootfs that I use to keep all work-related stuff. This
> container was originally created by lxd (which creates all containers for
> use with user namespacing), but now I decided to start using libvirt for
> container management since I already use it for virtual machines, which
> will spare me from dealing with multiple hypervisor technologies.
>
> I managed to create a working domain xml for the container, and everything
> seems to be working very well except one thing: I cannot start openconnect
> (VPN software) inside the container. I noticed that by default libvirt
> won't create /dev/net/tun for the container, so I added this to the domain
> xml:
>
> <filesystem type='mount'>
>   <source dir='/dev/net'/>
>   <target dir='/dev/net'/>
> </filesystem>
>
> This successfully created /dev/net/tun in the container, but openconnect
> still can't open it even though it has 666 permissions. It seems this is
> exactly what lxd does to allow VPNs for their unprivileged containers, as
> shown by the output of ls -l /dev/net
>
> total 0
> crw-rw-rw- 1 nobody nogroup 10, 200 Jan 29 13:23 tun
>
> The same container can also be successfully booted with systemd-nspawn,
> also allowing openconnect to create its VPN.
>
> I already tried setting security driver to "none" in
> /etc/libvirt/lxc.conf, but it had no effect. I get "Operation not
> permitted" when trying to open /dev/net/tun, which is also the message
> openconnect displays in its logs.
>
> Can someone guide me on how I might debug what is causing this error? BTW,
> here's the full xml:
>
> <domain type='lxc'>
>   <name>work-stuff</name>
>   <uuid>ffee008c-ec6b-48ab-af6d-4aba830847a1</uuid>
>   <memory unit='KiB'>8388608</memory>
>   <currentMemory unit='KiB'>8388608</currentMemory>
>   <vcpu placement='static'>16</vcpu>
>   <resource>
>     <partition>/machine</partition>
>   </resource>
>   <os>
>     <type arch='x86_64'>exe</type>
>     <init>/sbin/init</init>
>   </os>
>   <idmap>
>     <uid start='0' target='165536' count='65536'/>
>     <gid start='0' target='165536' count='65536'/>
>   </idmap>
>   <cpu mode='host-model'>
>     <model fallback='allow'/>
>   </cpu>
>   <clock offset='utc'/>
>   <on_poweroff>destroy</on_poweroff>
>   <on_reboot>restart</on_reboot>
>   <on_crash>restart</on_crash>
>   <devices>
>     <emulator>/usr/lib/libvirt/libvirt_lxc</emulator>
>     <filesystem type='mount' accessmode='passthrough'>
>       <source dir='/var/lib/libvirt/containers/work-stuff/rootfs'/>
>       <target dir='/'/>
>     </filesystem>
>     <filesystem type='mount'>
>       <source dir='/dev/net'/>
>       <target dir='/dev/net'/>
>     </filesystem>
>     <interface type='network'>
>       <mac address='52:54:00:3e:59:e9'/>
>       <source network='default'/>
>     </interface>
>     <console type='pty'>
>       <target type='lxc' port='0'/>
>     </console>
>   </devices>
> </domain>