[libvirt] How to use /dev/net/tun from libvirt-lxc with user namespacing enabled

Thiago Padilha tpadilha84 at gmail.com
Mon Jan 29 21:58:16 UTC 2018


Just noticed this list is for development-related discussions, sorry for
sending a support question. Will resend to libvirt-users.

On Mon, Jan 29, 2018 at 5:08 PM, Thiago Padilha <tpadilha84 at gmail.com>
wrote:

> I have a container rootfs that I use to keep all work-related stuff. This
> container was originally created by lxd (which creates all containers for
> use with user namespacing), but now I decided to start using libvirt for
> container management since I already use it for virtual machines, which
> will spare me from dealing with multiple hypervisor technologies.
>
> I managed to create a working domain xml for the container, and everything
> seems to be working very well except one thing: I cannot start openconnect
> (VPN software) inside the container.  I noticed that by default libvirt
> won't create /dev/net/tun for the container, so I added this to the domain
> xml:
>
>     <filesystem type='mount'>
>       <source dir='/dev/net'/>
>       <target dir='/dev/net'/>
>     </filesystem>
>
> This successfully created /dev/net/tun in the container, but openconnect
> still can't open it even though it has 666 permissions. It seems this is
> exactly what lxd does to allow VPNs for their unprivileged containers, as
> shown by the output of ls -l /dev/net:
>
> total 0
> crw-rw-rw- 1 nobody nogroup 10, 200 Jan 29 13:23 tun
>
> The same container can also be successfully booted with systemd-nspawn,
> also allowing openconnect to create its VPN.
>
> I already tried setting the security driver to "none" in
> /etc/libvirt/lxc.conf, but it had no effect. I get "Operation not
> permitted" when trying to open /dev/net/tun, which is also the message
> openconnect displays in its logs.
>
> Can someone guide me on how I might debug what is causing this error? BTW,
> here's the full xml:
>
> <domain type='lxc'>
>   <name>work-stuff</name>
>   <uuid>ffee008c-ec6b-48ab-af6d-4aba830847a1</uuid>
>   <memory unit='KiB'>8388608</memory>
>   <currentMemory unit='KiB'>8388608</currentMemory>
>   <vcpu placement='static'>16</vcpu>
>   <resource>
>     <partition>/machine</partition>
>   </resource>
>   <os>
>     <type arch='x86_64'>exe</type>
>     <init>/sbin/init</init>
>   </os>
>   <idmap>
>     <uid start='0' target='165536' count='65536'/>
>     <gid start='0' target='165536' count='65536'/>
>   </idmap>
>   <cpu mode='host-model'>
>     <model fallback='allow'/>
>   </cpu>
>   <clock offset='utc'/>
>   <on_poweroff>destroy</on_poweroff>
>   <on_reboot>restart</on_reboot>
>   <on_crash>restart</on_crash>
>   <devices>
>     <emulator>/usr/lib/libvirt/libvirt_lxc</emulator>
>     <filesystem type='mount' accessmode='passthrough'>
>       <source dir='/var/lib/libvirt/containers/work-stuff/rootfs'/>
>       <target dir='/'/>
>     </filesystem>
>     <filesystem type='mount'>
>       <source dir='/dev/net'/>
>       <target dir='/dev/net'/>
>     </filesystem>
>     <interface type='network'>
>       <mac address='52:54:00:3e:59:e9'/>
>       <source network='default'/>
>     </interface>
>     <console type='pty'>
>       <target type='lxc' port='0'/>
>     </console>
>   </devices>
> </domain>
>
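The question above asks how to narrow down an "Operation not permitted" on /dev/net/tun inside a user-namespaced container. The script below is an added diagnostic example, not code from the thread or from libvirt; it runs inside the container and separates the usual causes: the node is missing or has the wrong major:minor, DAC (mode/ownership, which the uid/gid idmap affects) refuses with EACCES, something other than DAC refuses the open with EPERM (a device cgroup allow-list or an LSM policy are the things to check), or the open succeeds but TUNSETIFF fails because the process lacks CAP_NET_ADMIN in the user namespace owning the network namespace. The constant values are taken from the Linux headers; the sample strings in the test are constructed, and the `/sys/fs/cgroup/devices/devices.list` path only exists on cgroup v1 hosts.

```python
"""Diagnose why /dev/net/tun cannot be opened inside a (user-namespaced) container."""
import errno
import fcntl
import os
import stat
import struct

CAP_NET_ADMIN = 12               # capability bit number from <linux/capability.h>
TUN_MAJOR, TUN_MINOR = 10, 200   # /dev/net/tun device number
TUNSETIFF = 0x400454CA           # _IOW('T', 202, int) from <linux/if_tun.h>
IFF_TUN, IFF_NO_PI = 0x0001, 0x1000


def parse_uid_map(text):
    """Parse /proc/self/uid_map into (inside_start, outside_start, count) rows."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3:
            rows.append(tuple(int(p) for p in parts))
    return rows


def in_user_namespace(uid_map_text):
    """The initial user namespace shows exactly one identity mapping: 0 0 4294967295."""
    return parse_uid_map(uid_map_text) != [(0, 0, 4294967295)]


def cap_eff_has(status_text, cap_bit):
    """Test one bit of the CapEff hex mask in /proc/self/status."""
    for line in status_text.splitlines():
        if line.startswith("CapEff:"):
            mask = int(line.split(":", 1)[1].strip(), 16)
            return bool((mask >> cap_bit) & 1)
    return False


def devices_cgroup_allows_tun(devices_list_text):
    """cgroup v1 devices.list lines look like 'c 10:200 rwm' or 'a *:* rwm'.
    Return True when some entry grants read+write on char 10:200."""
    for line in devices_list_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        kind, devnum, perms = parts
        if "r" not in perms or "w" not in perms:
            continue
        if kind == "a":
            return True
        if kind != "c":
            continue
        major, minor = devnum.split(":")
        if major in ("*", str(TUN_MAJOR)) and minor in ("*", str(TUN_MINOR)):
            return True
    return False


def classify_open(path="/dev/net/tun"):
    """Open the node and try TUNSETIFF; map the failure to its most likely layer."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return "missing"
    if not stat.S_ISCHR(st.st_mode) or \
            (os.major(st.st_rdev), os.minor(st.st_rdev)) != (TUN_MAJOR, TUN_MINOR):
        return "wrong-node"
    try:
        fd = os.open(path, os.O_RDWR)
    except OSError as e:
        if e.errno == errno.EACCES:
            return "eacces"      # DAC: mode/ownership; compare ls -l with the idmap
        if e.errno == errno.EPERM:
            return "eperm"       # not DAC: device cgroup allow-list or LSM policy
        return "open-failed:%s" % errno.errorcode.get(e.errno, e.errno)
    try:
        # Non-persistent interface; it disappears again when fd is closed.
        ifreq = struct.pack("16sH22x", b"tunprobe0", IFF_TUN | IFF_NO_PI)
        fcntl.ioctl(fd, TUNSETIFF, ifreq)
    except OSError as e:
        if e.errno == errno.EPERM:
            return "ioctl-eperm"  # open worked; TUNSETIFF wants CAP_NET_ADMIN in the netns owner
        return "ioctl-failed:%s" % errno.errorcode.get(e.errno, e.errno)
    finally:
        os.close(fd)
    return "ok"


def diagnose():
    """Collect the checks above from the live /proc and /sys of this process."""
    with open("/proc/self/uid_map") as f:
        uid_map = f.read()
    with open("/proc/self/status") as f:
        status = f.read()
    report = {
        "user_namespace": in_user_namespace(uid_map),
        "cap_net_admin": cap_eff_has(status, CAP_NET_ADMIN),
        "open": classify_open(),
    }
    devlist = "/sys/fs/cgroup/devices/devices.list"   # cgroup v1 only; v2 uses BPF and has no file
    if os.path.exists(devlist):
        with open(devlist) as f:
            report["devices_cgroup_allows_tun"] = devices_cgroup_allows_tun(f.read())
    return report


if __name__ == "__main__":
    for key, value in diagnose().items():
        print("%-26s %s" % (key + ":", value))
```

Run it as the same user openconnect runs as, inside the container. With the 666 mode shown in the post, an `eacces` result would be unexpected; `eperm` points at the device cgroup or an LSM rather than at ownership, and `ioctl-eperm` means the node is reachable but the container's user namespace lacks CAP_NET_ADMIN over the network namespace it is using.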

