[libvirt-users] How to use /dev/net/tun from libvirt-lxc with user namespacing enabled

[Daniel P. Berrangé]

On Mon, Jan 29, 2018 at 07:01:15PM -0300, Thiago Padilha wrote:
> I have a container rootfs that I use to keep all work-related stuff. This
> container was originally created by lxd (which creates all containers for
> use with user namespacing), but now I decided to start using libvirt for
> container management since I already use it for virtual machines, which
> will spare me from dealing with multiple hypervisor technologies.
> 
> I managed to create a working domain xml for the container, and everything
> seems to be working very well except one thing: I cannot start openconnect
> (VPN software) inside the container.  I noticed that by default libvirt
> won't create /dev/net/tun for the container, so I added this to the domain
> xml:
> 
>     <filesystem type='mount'>
>       <source dir='/dev/net'/>
>       <target dir='/dev/net'/>
>     </filesystem>
> 
> This successfully created /dev/net/tun in the container, but openconnect
> still can't open it even though it has 666 permissions. It seems this is
> exactly what lxd does to allow VPNs for their unprivileged containers, as
> shown by the output of ls -l /dev/net

That config makes the filesystem containing the device node visible, but
does not grant access to device nodes themselves.

You instead need device passthrough

<hostdev mode='capabilities' type='misc'>
  <source>
    <char>/dev/net/tun</char>
  </source>
</hostdev>



Regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|