[lxc-users] OpenVPN in Debian Jessie container

Fajar A. Nugraha list at fajar.net
Mon May 30 05:20:30 UTC 2016


On Mon, May 30, 2016 at 12:05 AM, Joshua Schaeffer <jschaeffer0922 at gmail.com> wrote:

> I'm trying to setup OpenVPN in an unprivileged container. The host and
> container are both Debian Jessie on LXC version 1.1.5. When I try to start
> OpenVPN I get:
>
> Sat May 28 20:55:57 2016 us=360137 ERROR: Cannot open TUN/TAP dev
> /dev/net/tun: No such file or directory (errno=2)
>
> So it makes sense that the container can't create the tun device so I
> looked around and found suggestions to add an autodev hook:
>
> lxc.cgroup.devices.deny = a
> lxc.cgroup.devices.allow = c 10:200 rwm
> lxc.hook.autodev = sh -c "modprobe tun; cd ${LXC_ROOTFS_MOUNT}/dev; mkdir net; mknod net/tun c 10 200; chmod 0666 net/tun"
>
>

For starters, from "man lxc.container.conf"

lxc.hook.autodev
              A hook to be run in the container's namespace after mounting
              has been done and after any mount hooks have run, but before
              the pivot_root, if lxc.autodev == 1.

You can never modprobe in an unprivileged container's namespace.

Another thing, AFAIK the hooks only accept one parameter: a script name.
So you need to have a script (e.g. /usr/local/bin/my_script) inside the
container.

My best advice is to bind-mount /dev/net/tun from the host
(lxc.mount.entry) instead of using lxc.hook.autodev, and try again. I'm not
even sure that /dev/net/tun works for unpriv containers (fuse doesn't), so
if that still doesn't work, you probably want to try a privileged container.

-- 
Fajar
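As an added illustration (not part of the original thread), the following POSIX-sh checker reads an LXC 1.x container config and reports whether it follows the bind-mount advice above: a cgroup rule allowing char device 10:200, an `lxc.mount.entry` that bind-mounts the host's `/dev/net/tun`, and no `lxc.hook.autodev` that calls `modprobe` (which cannot succeed in an unprivileged container's namespace). The two sample configs it writes are constructed for the demonstration; the `create=file` mount option is assumed to be available, as it is in LXC 1.0 and later.

```shell
#!/bin/sh
# Added example, not from the mailing-list post: check an LXC container config
# for the pieces needed to expose /dev/net/tun by bind-mount rather than by an
# autodev hook. Prints "cgroup=<ok|missing> mount=<ok|missing> hook=<ok|bad>".
check_tun_config() {
    cfg="$1"
    # 1. cgroup allow rule for the TUN/TAP char device (major 10, minor 200)
    if grep -Eq '^[[:space:]]*lxc\.cgroup\.devices\.allow[[:space:]]*=[[:space:]]*c[[:space:]]+10:200[[:space:]]+[rwm]+' "$cfg"; then
        cgroup=ok
    else
        cgroup=missing
    fi
    # 2. bind-mount of the host node into <rootfs>/dev/net/tun
    if grep -Eq '^[[:space:]]*lxc\.mount\.entry[[:space:]]*=[[:space:]]*/dev/net/tun[[:space:]]+dev/net/tun[[:space:]]+none[[:space:]]+bind' "$cfg"; then
        mount=ok
    else
        mount=missing
    fi
    # 3. an autodev hook that runs modprobe will fail inside an unprivileged container
    if grep -Eq '^[[:space:]]*lxc\.hook\.autodev.*modprobe' "$cfg"; then
        hook=bad
    else
        hook=ok
    fi
    echo "cgroup=$cgroup mount=$mount hook=$hook"
}

# Constructed sample: the bind-mount approach recommended in the reply.
# "create=file" makes LXC create the target path inside the rootfs if absent.
write_sample_config() {
    cat > "$1" <<'EOF'
lxc.cgroup.devices.deny = a
lxc.cgroup.devices.allow = c 10:200 rwm
lxc.mount.entry = /dev/net/tun dev/net/tun none bind,create=file 0 0
EOF
}

# Constructed sample: the autodev-hook approach from the original question.
write_hook_config() {
    cat > "$1" <<'EOF'
lxc.cgroup.devices.deny = a
lxc.cgroup.devices.allow = c 10:200 rwm
lxc.hook.autodev = sh -c "modprobe tun; cd ${LXC_ROOTFS_MOUNT}/dev; mkdir net; mknod net/tun c 10 200; chmod 0666 net/tun"
EOF
}

# Stand-alone run: `sh check_tun.sh --demo` compares the two configs.
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp)
    write_sample_config "$tmp"; echo "bind-mount config:   $(check_tun_config "$tmp")"
    write_hook_config "$tmp";   echo "autodev-hook config: $(check_tun_config "$tmp")"
    rm -f "$tmp"
fi
```

Run it against a real container config (`check_tun_config /var/lib/lxc/<name>/config`) after editing; a `hook=bad` result means the config still relies on modprobe from inside the container, and `mount=missing` means the host node is not being bind-mounted in.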