Everything works great now, thanks for all of your help!
> On Oct 10, 2014, at 2:13 AM, Lennart Poettering <lenn...@poettering.net> wrote:
>
>> On Thu, 09.10.14 23:53, James Lott (ja...@lottspot.com) wrote:
>>
>> I am using a setup which retains the CAP_NET_ADMIN capability inside the
>> container and allows openvpn to setup the device. No persistent devices are
>> involved. Below, I have included a snippet from a shell session which shows
>> the command used to invoke nspawn and then the openvpn command executed within
>> the container which fails.
>
> The "devices" cgroup controller is used by nspawn to ensure code
> running inside the container cannot freely create arbitrary device
> nodes and then open them. What was missing here is to actually update
> the policy for it to allow access to /dev/net/tun. I made that change
> now, please check with the git version for nspawn if everything works
> now.
>
> Lennart
>
> --
> Lennart Poettering, Red Hat

_______________________________________________
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel
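
The device policy discussed in the thread above can be audited from the host. This is an added example, not code from the thread or from systemd: it assumes the cgroup v1 "devices" controller, whose `devices.list` file holds one `type major:minor access` rule per line, and it checks whether /dev/net/tun (character device 10:200) is permitted. The two sample policies are constructed for illustration.

```python
import re

# /dev/net/tun is a character device with major 10, minor 200.
TUN = ("c", 10, 200)

RULE = re.compile(r"^([abc])\s+(\*|\d+):(\*|\d+)\s+([rwm]{1,3})$")

def parse_devices_list(text):
    """Parse cgroup v1 devices.list lines such as 'c 136:* rw'."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = RULE.match(line)
        if m is None:
            raise ValueError(f"unrecognised devices.list entry: {line!r}")
        kind, major, minor, access = m.groups()
        rules.append((kind,
                      None if major == "*" else int(major),
                      None if minor == "*" else int(minor),
                      frozenset(access)))
    return rules

def is_allowed(rules, device, want="rw"):
    """True if a single rule covers every requested access bit for device."""
    kind, major, minor = device
    for r_kind, r_major, r_minor, r_access in rules:
        if r_kind not in ("a", kind):
            continue
        if r_major not in (None, major) or r_minor not in (None, minor):
            continue
        if set(want) <= r_access:
            return True
    return False

# Constructed sample policies (not captured from a real container).
BEFORE = """\
c 1:3 rwm
c 1:5 rwm
c 1:9 rwm
c 5:2 rwm
c 136:* rw
"""
AFTER = BEFORE + "c 10:200 rwm\n"

if __name__ == "__main__":
    for name, policy in (("before", BEFORE), ("after", AFTER)):
        print(name, is_allowed(parse_devices_list(policy), TUN))
```

On a host, the input would be the contents of the container's `devices.list` under the devices controller hierarchy; the exact path depends on how the machine's cgroup is named.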