[libvirt-users] How to use /dev/net/tun from libvirt-lxc with user namespacing enabled
Daniel P. Berrangé
berrange at redhat.com
Wed Jan 31 09:18:41 UTC 2018
On Mon, Jan 29, 2018 at 07:01:15PM -0300, Thiago Padilha wrote:
> I have a container rootfs that I use to keep all work-related stuff. This
> container was originally created by lxd (which creates all containers for
> use with user namespacing), but now I decided to start using libvirt for
> container management since I already use it for virtual machines, which
> will spare me from dealing with multiple hypervisor technologies.
>
> I managed to create a working domain xml for the container, and everything
> seems to be working very well except one thing: I cannot start openconnect
> (VPN software) inside the container. I noticed that by default libvirt
> won't create /dev/net/tun for the container, so I added this to the domain
> xml:
>
> <filesystem type='mount'>
>   <source dir='/dev/net'/>
>   <target dir='/dev/net'/>
> </filesystem>
>
> This successfully created /dev/net/tun in the container, but openconnect
> still can't open it even though it has 666 permissions. It seems this is
> exactly what lxd does to allow VPNs for their unprivileged containers, as
> shown by the output of ls -l /dev/net
That config makes the filesystem containing the device node visible, but
does not grant access to device nodes themselves.
You instead need device passthrough:

<hostdev mode='capabilities' type='misc'>
  <source>
    <char>/dev/net/tun</char>
  </source>
</hostdev>
Regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
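A check for the distinction Daniel draws above, added here as an example and not part of the thread, of libvirt or of openconnect: the script repeats the first two steps openconnect itself takes (open /dev/net/tun, then TUNSETIFF) and maps the errno of whichever step fails to the likely cause, so you can tell "node missing" from "node visible but denied by the device cgroup" from "no CAP_NET_ADMIN". The device path and interface name template are assumptions; run it inside the container as the user that will run the VPN client.

```python
"""Probe whether /dev/net/tun is actually usable from inside a container.

Added example (not the mailing-list thread's or libvirt's own code).  It
performs the same open() + TUNSETIFF sequence a VPN client performs and
explains the failing step.  TUN_PATH and the ifname template are assumed.
"""
import errno
import fcntl
import os
import struct

TUN_PATH = "/dev/net/tun"   # assumed: the node the thread mounts / passes through
TUNSETIFF = 0x400454CA      # ioctl request number from <linux/if_tun.h>
IFF_TUN = 0x0001
IFF_NO_PI = 0x1000
IFREQ_SIZE = 40             # sizeof(struct ifreq) on Linux


def diagnose(stage, err):
    """Map (failing stage, errno) to a short explanation.

    stage is "open" or "ioctl".  The mapping follows the thread: a bind
    mount of /dev/net makes the node visible, but the device cgroup still
    rejects open() with EPERM until the node is granted with
    <hostdev mode='capabilities' type='misc'>.
    """
    if stage == "open":
        if err == errno.ENOENT:
            return "no device node: nothing exposes /dev/net/tun to the container"
        if err == errno.EPERM:
            return ("node visible but open() denied: the device cgroup blocks it; "
                    "pass the node through with <hostdev mode='capabilities' type='misc'>")
        if err == errno.EACCES:
            return "node permissions deny access: check its mode and ownership under the idmap"
        return "open() failed: %s" % os.strerror(err)
    if stage == "ioctl":
        if err == errno.EPERM:
            return "open() ok but TUNSETIFF denied: no CAP_NET_ADMIN in the container's netns"
        return "TUNSETIFF failed: %s" % os.strerror(err)
    return "unknown stage"


def probe_tun(path=TUN_PATH, ifname=b"tun%d"):
    """Return (ok, message).  No persistent interface is created: the tun
    device the kernel allocates disappears when the fd is closed."""
    try:
        fd = os.open(path, os.O_RDWR)
    except OSError as e:
        return False, diagnose("open", e.errno)
    try:
        # struct ifreq: 16-byte name, 2-byte flags, padded to 40 bytes
        ifr = struct.pack("16sH", ifname, IFF_TUN | IFF_NO_PI).ljust(IFREQ_SIZE, b"\0")
        res = fcntl.ioctl(fd, TUNSETIFF, ifr)
        name = struct.unpack("16s", res[:16])[0].rstrip(b"\0").decode()
        return True, "tun device usable; kernel created %s" % name
    except OSError as e:
        return False, diagnose("ioctl", e.errno)
    finally:
        os.close(fd)


if __name__ == "__main__":
    ok, msg = probe_tun()
    print(("OK: " if ok else "FAIL: ") + msg)
```

With only the `<filesystem type='mount'>` entry from the question in place the probe reports the EPERM case; with the `<hostdev>` passthrough it should report the device as usable (TUNSETIFF still needs CAP_NET_ADMIN, which a root process in the container's user namespace normally holds over its own network namespace).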