[libvirt-users] Permission problem with /dev/net/tun
Gao feng
gaofeng at cn.fujitsu.com
Tue Jul 9 02:05:56 UTC 2013
On 07/09/2013 05:51 AM, Thomas Karcher wrote:
> Hi Daniel,
>
> On 07/08/2013 11:41 AM, Daniel P. Berrange wrote:
>>> the symptom my libvirt LXC container suffers from is:
>>> root@depot:/dev/net# ls -la
>>> total 0
>>> drwxr-xr-x 2 root root  40 Jun 29 16:26 .
>>> drwxr-xr-x 5 root root 480 Jun 29 16:26 ..
>>> root@depot:/dev/net# mknod tun c 10 200
>>> mknod: `tun': Operation not permitted
>> Allowing the container direct access to the host's /dev would be a
>> security flaw, so libvirt sets up a private /dev for the
>> container. Allowing the container to use mknod would also be
>> insecure, so we block mknod using both the cgroups device ACL and
>> by dropping the CAP_MKNOD capability.
>> http://libvirt.org/drvlxc.html#devnodes
>
> Good to know.
>
>> Any device that the container is authorized to access per the XML
>> configuration, will be pre-created in the container's /dev. To
>> explicitly allow /dev/net/tun you need to tell libvirt about it.
>> http://libvirt.org/formatdomain.html#elementsHostDevCaps
>
> Thanks!
>
> I extended the 'devices' section as follows:
>
> <hostdev mode='capabilities' type='misc'>
>   <source>
>     <char>/dev/net/tun</char>
>   </source>
> </hostdev>
>
> ... because even though /dev/net/tun is used for networking, it
> appears as a character device. (Btw: the documentation says in the
> hostdev section: "For block/character device passthrough mode is
> always "capabilities" and type is "block" for a block device, "char"
> for a character device and "net" for a host network interface." When
> I specify type='char', I get an error from virsh.)
>
> With this XML, I can define the container. But upon start, I get the
> following error message:
>
> Fehler: internal error guest failed to start: PATH=/bin:/sbin
> TERM=linux container=lxc-libvirt
> container_uuid=f3602503-9603-24aa-7dd8-fccc830a802b
> LIBVIRT_LXC_UUID=f3602503-9603-24aa-7dd8-fccc830a802b
> LIBVIRT_LXC_NAME=depot /sbin/init
> 2013-07-08 21:36:50.735+0000: 1: info : libvirt version: 1.0.2
> 2013-07-08 21:36:50.735+0000: 1: error :
> lxcContainerSetupHostdevCapsMisc:1490 : Unable to create device
> /dev/net/tun: No such file or directory
> 2013-07-08 21:36:50.744+0000: 19537: info : libvirt version: 1.0.2
> 2013-07-08 21:36:50.744+0000: 19537: error : virCommandWait:2287 :
> internal error Child process (ip link set veth6 netns 19538)
> unexpected exit status 2: RTNETLINK answers: No such process
>
> 2013-07-08 21:36:50.786+0000: 19537: error : virCommandWait:2287 :
> internal error Child process (ip link del veth4) unexpected exit
> status 1: Cannot find device "veth4"
>
> On the host, /dev/net/tun exists as character device:
>
> root@main:~# ls -la /dev/net/tun
> crw-rw-rwT 1 root root 10, 200 Jul 8 23:45 /dev/net/tun
>
> What am I doing wrong ...?
>
You are right, it should be a char device.
libvirt LXC should create the "net" directory atomically for the tun device.
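A small pre-flight audit for the situation in this thread, added here as an example and not part of libvirt or of any post above: it parses the capabilities-mode `<hostdev>` entries of a domain XML, checks on the host that each path really is a character or block node with the matching `<char>`/`<block>` tag, reports its major:minor, and flags paths that live in a subdirectory of /dev (such as /dev/net/tun), since libvirt has to create that directory inside the container's private /dev before it can create the node. The `fake_host_stat` table and the `type='storage'` block entry are constructed so the script runs offline; `stat_fn=os.stat` audits the real host.

```python
import os
import stat
from types import SimpleNamespace
import xml.etree.ElementTree as ET

# Constructed sample: the <hostdev> from the thread plus a block device entry.
SAMPLE_XML = """<domain type='lxc'>
  <devices>
    <hostdev mode='capabilities' type='misc'>
      <source><char>/dev/net/tun</char></source>
    </hostdev>
    <hostdev mode='capabilities' type='storage'>
      <source><block>/dev/sdb1</block></source>
    </hostdev>
  </devices>
</domain>"""

# Constructed stand-in for os.stat: only /dev/net/tun (char 10:200) exists.
FAKE_HOST = {"/dev/net/tun": SimpleNamespace(st_mode=stat.S_IFCHR | 0o666,
                                             st_rdev=os.makedev(10, 200))}


def fake_host_stat(path):
    if path not in FAKE_HOST:
        raise FileNotFoundError(path)
    return FAKE_HOST[path]


def node_kind(st):
    """Classify a stat result as 'char', 'block' or 'other'."""
    if stat.S_ISCHR(st.st_mode):
        return "char"
    return "block" if stat.S_ISBLK(st.st_mode) else "other"


def audit_hostdevs(xml_text, stat_fn=os.stat):
    """One finding per capabilities-mode <hostdev>: host node kind, major:minor,
    whether the path is nested below /dev, and whether the XML tag matches."""
    findings = []
    for hd in ET.fromstring(xml_text).iter("hostdev"):
        if hd.get("mode") != "capabilities":
            continue
        src = hd.find("source")
        elem = None
        for tag in ("char", "block"):
            elem = None if src is None else src.find(tag)
            if elem is not None:
                break
        path = (elem.text or "").strip() if elem is not None else ""
        f = {"path": path, "xml_tag": elem.tag if elem is not None else None,
             "host_kind": None, "dev": None, "ok": False,
             "nested": path.startswith("/dev/") and os.path.dirname(path) != "/dev"}
        try:
            st = stat_fn(path)
        except OSError:       # missing on the host: libvirt cannot pre-create it
            findings.append(f)
            continue
        f["host_kind"] = node_kind(st)
        if f["host_kind"] != "other":
            f["dev"] = "%d:%d" % (os.major(st.st_rdev), os.minor(st.st_rdev))
        f["ok"] = f["host_kind"] == f["xml_tag"]
        findings.append(f)
    return findings


if __name__ == "__main__":
    for f in audit_hostdevs(SAMPLE_XML, stat_fn=fake_host_stat):
        print(f)
```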