[libvirt-users] How to use /dev/net/tun from libvirt-lxc with user namespacing enabled

Thiago Padilha tpadilha84 at gmail.com
Mon Jan 29 22:01:15 UTC 2018

I have a container rootfs that I use to keep all work-related stuff. This
container was originally created by lxd (which creates all containers for
use with user namespacing), but now I decided to start using libvirt for
container management since I already use it for virtual machines, which
will spare me from dealing with multiple hypervisor technologies.

I managed to create a working domain xml for the container, and everything
seems to be working very well except one thing: I cannot start openconnect
(VPN software) inside the container.  I noticed that by default libvirt
won't create /dev/net/tun for the container, so I added this to the domain

    <filesystem type='mount'>
      <source dir='/dev/net'/>
      <target dir='/dev/net'/>
    </filesystem>

This successfully created /dev/net/tun in the container, but openconnect
still can't open it even though it has 666 permissions. It seems this is
exactly what lxd does to allow VPNs for their unprivileged containers, as
shown by the output of ls -l /dev/net

total 0
crw-rw-rw- 1 nobody nogroup 10, 200 Jan 29 13:23 tun

The same container can also be successfully booted with systemd-nspawn,
also allowing openconnect to create its VPN (though systemd-nspawn appears
to create a new device node, owned by root relative to the user namespace).

I already tried setting security driver to "none" in /etc/libvirt/lxc.conf,
but it had no effect. I get "Operation not permitted" when trying to open
/dev/net/tun, which is also the message openconnect displays in its logs.

Can someone guide me on how I might debug what is causing this error? BTW,
here's the full xml:

<domain type='lxc'>
  <memory unit='KiB'>8388608</memory>
  <currentMemory unit='KiB'>8388608</currentMemory>
  <vcpu placement='static'>16</vcpu>
  <os>
    <type arch='x86_64'>exe</type>
  </os>
  <idmap>
    <uid start='0' target='165536' count='65536'/>
    <gid start='0' target='165536' count='65536'/>
  </idmap>
  <cpu mode='host-model'>
    <model fallback='allow'/>
  </cpu>
  <clock offset='utc'/>
  <devices>
    <filesystem type='mount' accessmode='passthrough'>
      <source dir='/var/lib/libvirt/containers/work-stuff/rootfs'/>
      <target dir='/'/>
    </filesystem>
    <filesystem type='mount'>
      <source dir='/dev/net'/>
      <target dir='/dev/net'/>
    </filesystem>
    <interface type='network'>
      <mac address='52:54:00:3e:59:e9'/>
      <source network='default'/>
    </interface>
    <console type='pty'>
      <target type='lxc' port='0'/>
    </console>
  </devices>
</domain>
