Just noticed this list is for development-related discussions, sorry for sending a support question. Will resend to libvirt-users.
On Mon, Jan 29, 2018 at 5:08 PM, Thiago Padilha <tpadilh...@gmail.com> wrote:
> I have a container rootfs that I use to keep all work-related stuff. This
> container was originally created by lxd (which creates all containers for
> use with user namespacing), but now I decided to start using libvirt for
> container management since I already use it for virtual machines, which
> will spare me from dealing with multiple hypervisor technologies.
>
> I managed to create a working domain xml for the container, and everything
> seems to be working very well except one thing: I cannot start openconnect
> (VPN software) inside the container. I noticed that by default libvirt
> won't create /dev/net/tun for the container, so I added this to the domain
> xml:
>
> <filesystem type='mount'>
>   <source dir='/dev/net'/>
>   <target dir='/dev/net'/>
> </filesystem>
>
> This successfully created /dev/net/tun in the container, but openconnect
> still can't open it even though it has 666 permissions. It seems this is
> exactly what lxd does to allow VPNs for their unprivileged containers, as
> shown by the output of ls -l /dev/net
>
> total 0
> crw-rw-rw- 1 nobody nogroup 10, 200 Jan 29 13:23 tun
>
> The same container can also be successfully booted with systemd-nspawn,
> also allowing openconnect to create its VPN.
>
> I already tried setting security driver to "none" in
> /etc/libvirt/lxc.conf, but it had no effect. I get "Operation not
> permitted" when trying to open /dev/net/tun, which is also the message
> openconnect displays in its logs.
>
> Can someone guide me on how I might debug what is causing this error? BTW,
> here's the full xml:
>
> <domain type='lxc'>
>   <name>work-stuff</name>
>   <uuid>ffee008c-ec6b-48ab-af6d-4aba830847a1</uuid>
>   <memory unit='KiB'>8388608</memory>
>   <currentMemory unit='KiB'>8388608</currentMemory>
>   <vcpu placement='static'>16</vcpu>
>   <resource>
>     <partition>/machine</partition>
>   </resource>
>   <os>
>     <type arch='x86_64'>exe</type>
>     <init>/sbin/init</init>
>   </os>
>   <idmap>
>     <uid start='0' target='165536' count='65536'/>
>     <gid start='0' target='165536' count='65536'/>
>   </idmap>
>   <cpu mode='host-model'>
>     <model fallback='allow'/>
>   </cpu>
>   <clock offset='utc'/>
>   <on_poweroff>destroy</on_poweroff>
>   <on_reboot>restart</on_reboot>
>   <on_crash>restart</on_crash>
>   <devices>
>     <emulator>/usr/lib/libvirt/libvirt_lxc</emulator>
>     <filesystem type='mount' accessmode='passthrough'>
>       <source dir='/var/lib/libvirt/containers/work-stuff/rootfs'/>
>       <target dir='/'/>
>     </filesystem>
>     <filesystem type='mount'>
>       <source dir='/dev/net'/>
>       <target dir='/dev/net'/>
>     </filesystem>
>     <interface type='network'>
>       <mac address='52:54:00:3e:59:e9'/>
>       <source network='default'/>
>     </interface>
>     <console type='pty'>
>       <target type='lxc' port='0'/>
>     </console>
>   </devices>
> </domain>
-- libvir-list mailing list libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list