Mknod in an unprivileged lxc container

Dilnane

Member
Aug 17, 2021
9
0
6
28
Hi, I'm facing some issues trying to build a sock5 proxy container (with docker-ce) inside an unprivileged lxc container.

I put the feature "mknod=1" (which is experimental I get it.)
No matter this feature, the command mknod performed inside my lxc container returns an error

Bash:
~# mknod /dev/net/tun c 10 200
mknod: /dev/net/tun: Operation not permitted

So in my docker-ce container it gives me obviously this error too :
Bash:
2021-08-17 10:50:25 OUT [OPENVPN] Creating OpenVPN TUN device
2021-08-17 10:50:25 ERR [OPENVPN] mknod: /dev/net/tun: Operation not permitted
2021-08-17 10:50:25 ERR [OPENVPN] chmod: cannot access '/dev/net/tun': No such file or directory

So Is there a way to resolve my problem without getting the lxc container privileged ?

I say something with which consist to mount it on the host side, but I didn't succeed to do it either.
I tried the answer of "Kent" here https://qastack.fr/ubuntu/650471/how-do-i-allow-dev-net-tun-in-a-lxd-managed-lxc-container I got my /dev/net/tun on my lxc side but still same error inside my docker-ce container.

Thanks.
 
The mknod feature flag only enables a set of harmless device nodes to be created. For tun you can only bindmount it, but it will not be possible to use `mknod` to create another and for now this is not directly supported as the `mknod` feature is currently not configurable any further.
 
I'm sure there are threads on this forum that explain this for running VPN clients in containers, but I could not find the right one.
I use something like this on the Proxmox host to create a tun dev node with permissions for the root user inside unprivileged containers: /usr/sbin/modprobe tun && /usr/bin/mknod /dev/net/tun-lxc c 10 200 && /usr/bin/chown 100000:100000 /dev/net/tun-lxc (at every boot because it is not persistent). And then use a bind mount in the container configuration: lxc.mount.entry: /dev/net/tun-lxc dev/net/tun none bind,create=file.
 

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!