[libvirt-users] Permission problem with /dev/net/tun

Thomas Karcher thkarcher at gmx.de
Mon Jul 8 21:51:40 UTC 2013



Hi Daniel,

On 07/08/2013 11:41 AM, Daniel P. Berrange wrote:
>> the symptom my libvirt LXC container suffers from is:
>> root at depot:/dev/net# ls -la
>> total 0
>> drwxr-xr-x 2 root root  40 Jun 29 16:26 .
>> drwxr-xr-x 5 root root 480 Jun 29 16:26 ..
>> root at depot:/dev/net# mknod tun c 10 200
>> mknod: `tun': Operation not permitted
> Allowing the container direct access to the host's /dev would be a
> security flaw, so libvirt sets up a private /dev for the
> container. Allowing the container to use mknod would also be
> insecure, so we block mknod using both the cgroups device ACL and
> by dropping the CAP_MKNOD capability.
> http://libvirt.org/drvlxc.html#devnodes

Good to know.

> Any device that the container is authorized to access per the XML 
> configuration, will be pre-created in the container's /dev. To 
> explicitly allow /dev/net/tun you need to tell libvirt about it. 
> http://libvirt.org/formatdomain.html#elementsHostDevCaps

Thanks!

I extended the 'devices' section as follows:

    <hostdev mode='capabilities' type='misc'>
      <source>
        <char>/dev/net/tun</char>
      </source>
    </hostdev>

... because even though /dev/net/tun is used for networking, it
appears as a character device. (Btw: The documentation says in the
hostdev section: ''For block/character device passthrough mode is
always "capabilities" and type is "block" for a block device, "char"
for a character device and "net" for a host network interface.'' When
I specify type='char', I get an error from virsh.)

With this XML, I can define the container. But upon start, I get the
following error message:

Fehler: internal error guest failed to start: PATH=/bin:/sbin
TERM=linux container=lxc-libvirt
container_uuid=f3602503-9603-24aa-7dd8-fccc830a802b
LIBVIRT_LXC_UUID=f3602503-9603-24aa-7dd8-fccc830a802b
LIBVIRT_LXC_NAME=depot /sbin/init
2013-07-08 21:36:50.735+0000: 1: info : libvirt version: 1.0.2
2013-07-08 21:36:50.735+0000: 1: error :
lxcContainerSetupHostdevCapsMisc:1490 : Unable to create device
/dev/net/tun: No such file or directory
2013-07-08 21:36:50.744+0000: 19537: info : libvirt version: 1.0.2
2013-07-08 21:36:50.744+0000: 19537: error : virCommandWait:2287 :
internal error Child process (ip link set veth6 netns 19538)
unexpected exit status 2: RTNETLINK answers: No such process

2013-07-08 21:36:50.786+0000: 19537: error : virCommandWait:2287 :
internal error Child process (ip link del veth4) unexpected exit
status 1: Cannot find device "veth4"

On the host, /dev/net/tun exists as character device:

root at main:~# ls -la /dev/net/tun
crw-rw-rwT 1 root root 10, 200 Jul  8 23:45 /dev/net/tun

What am I doing wrong ...?


Thanks
Thomas
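An added example, not part of this thread and not libvirt's own code, for auditing which host devices a domain XML passes through via `<hostdev mode='capabilities'>` elements like the one above. The sample domain XML is constructed; the mapping of hostdev type to source child (misc uses `<char>`, storage uses `<block>`, net uses `<interface>`) follows libvirt's capabilities hostdev syntax, and the allow-list is an assumed site policy.

```python
"""Audit device passthrough declared in a libvirt LXC domain XML."""
import xml.etree.ElementTree as ET

# Constructed sample domain XML (not the poster's full config); the first
# hostdev mirrors the /dev/net/tun entry discussed in the thread.
SAMPLE_DOMAIN_XML = """<domain type='lxc'>
  <name>depot</name>
  <devices>
    <hostdev mode='capabilities' type='misc'>
      <source><char>/dev/net/tun</char></source>
    </hostdev>
    <hostdev mode='capabilities' type='storage'>
      <source><block>/dev/sdb1</block></source>
    </hostdev>
    <hostdev mode='capabilities' type='misc'>
      <source><char>/dev/kvm</char></source>
    </hostdev>
  </devices>
</domain>"""

# Source child element that carries the host path for each capabilities type.
# type='char' is not a capabilities type, which is why virsh rejects it.
SOURCE_CHILD = {"misc": "char", "storage": "block", "net": "interface"}


def list_passthrough(domain_xml):
    """Return (type, host_path) for every capabilities-mode hostdev."""
    root = ET.fromstring(domain_xml)
    found = []
    for hd in root.iterfind("./devices/hostdev"):
        if hd.get("mode") != "capabilities":
            continue  # PCI/USB passthrough uses mode='subsystem'; out of scope
        typ = hd.get("type")
        child = SOURCE_CHILD.get(typ)
        if child is None:
            raise ValueError(f"unsupported capabilities hostdev type {typ!r}")
        node = hd.find(f"./source/{child}")
        if node is None or not (node.text or "").strip():
            raise ValueError(f"hostdev type {typ!r} needs <source><{child}>")
        found.append((typ, node.text.strip()))
    return found


def audit(domain_xml, allowed_paths):
    """Return passed-through host paths that are not on the allow-list."""
    return [p for _, p in list_passthrough(domain_xml) if p not in allowed_paths]
```

Each path reported by `audit` is a host device node libvirt will pre-create in the container's private /dev, so the list is what a reviewer should sign off on before the container starts.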
