
On Mon, Jan 29, 2018 at 07:01:15PM -0300, Thiago Padilha wrote:
I have a container rootfs that I use to keep all work-related stuff. This container was originally created by lxd (which creates all containers for use with user namespacing), but now I decided to start using libvirt for container management since I already use it for virtual machines, which will spare me from dealing with multiple hypervisor technologies.
I managed to create a working domain xml for the container, and everything seems to be working very well except one thing: I cannot start openconnect (VPN software) inside the container. I noticed that by default libvirt won't create /dev/net/tun for the container, so I added this to the domain xml:
    <filesystem type='mount'>
      <source dir='/dev/net'/>
      <target dir='/dev/net'/>
    </filesystem>
This successfully created /dev/net/tun in the container, but openconnect still can't open it even though it has 666 permissions. It seems this is exactly what lxd does to allow VPNs for their unprivileged containers, as shown by the output of ls -l /dev/net
That config makes the filesystem containing the device node visible, but does not grant access to device nodes themselves. You instead need device passthrough:

    <hostdev mode='capabilities' type='misc'>
      <source>
        <char>/dev/net/tun</char>
      </source>
    </hostdev>

Regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|
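The distinction Daniel draws above is easy to get wrong when reviewing container definitions, so here is an added example (not code from this thread or from the libvirt project) that lints a libvirt LXC domain XML for it: a <filesystem type='mount'> of /dev or /dev/net only makes the tun node visible, while a <hostdev mode='capabilities' type='misc'> entry naming /dev/net/tun is what grants the device. The two sample domain definitions embedded in the script are constructed for illustration and contain only the parts relevant to the check.

```python
# Added example, not code from the libvirt list thread or the libvirt project.
# Lint a libvirt LXC domain definition for how it handles /dev/net/tun:
#   - <filesystem type='mount'> of /dev or /dev/net exposes the node only
#   - <hostdev mode='capabilities' type='misc'> with <char>/dev/net/tun</char>
#     is the device passthrough that actually grants access
import xml.etree.ElementTree as ET

TUN_PATH = "/dev/net/tun"


def tun_access(domain_xml: str) -> dict:
    """Return how the domain XML handles /dev/net/tun.

    Keys: 'mounted' (a filesystem mount exposes the node), 'passthrough'
    (a capabilities/misc hostdev grants the device) and a one-line 'verdict'.
    """
    root = ET.fromstring(domain_xml)
    devices = root.find("devices")
    mounted = passthrough = False
    if devices is not None:
        # <filesystem type='mount'><source dir='/dev/net'/>...</filesystem>
        for fs in devices.findall("filesystem"):
            src = fs.find("source")
            if (fs.get("type") == "mount" and src is not None
                    and src.get("dir") in ("/dev", "/dev/net")):
                mounted = True
        # <hostdev mode='capabilities' type='misc'><source><char>...</char>
        for hd in devices.findall("hostdev"):
            if hd.get("mode") != "capabilities" or hd.get("type") != "misc":
                continue
            char = hd.find("source/char")
            if char is not None and (char.text or "").strip() == TUN_PATH:
                passthrough = True
    if passthrough:
        verdict = "ok: /dev/net/tun passed through via hostdev"
    elif mounted:
        verdict = ("node visible via filesystem mount but not openable; "
                   "add a hostdev entry")
    else:
        verdict = "no /dev/net/tun configured"
    return {"mounted": mounted, "passthrough": passthrough, "verdict": verdict}


# Constructed sample definitions (not from the thread), trimmed to the parts
# the check looks at. MOUNT_ONLY mirrors the configuration that did not work.
MOUNT_ONLY = """
<domain type='lxc'>
  <name>work</name>
  <devices>
    <filesystem type='mount'>
      <source dir='/dev/net'/>
      <target dir='/dev/net'/>
    </filesystem>
  </devices>
</domain>
"""

# WITH_HOSTDEV mirrors the device passthrough suggested in the reply.
WITH_HOSTDEV = """
<domain type='lxc'>
  <name>work</name>
  <devices>
    <hostdev mode='capabilities' type='misc'>
      <source>
        <char>/dev/net/tun</char>
      </source>
    </hostdev>
  </devices>
</domain>
"""

if __name__ == "__main__":
    for label, xml in (("mount only", MOUNT_ONLY), ("hostdev", WITH_HOSTDEV)):
        print(f"{label}: {tun_access(xml)['verdict']}")
```

Run it against the output of `virsh dumpxml <domain>` to see which of the two cases a definition falls into; passing only the single device node through, rather than mounting all of /dev, keeps the container's device access to the minimum the VPN client needs.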