Mknod in an unprivileged lxc container

Dilnane

Member
Aug 17, 2021
Hi, I'm facing some issues trying to build a socks5 proxy container (with docker-ce) inside an unprivileged lxc container.

I set the feature "mknod=1" (which is experimental, I get it).
Regardless of this feature, the mknod command performed inside my lxc container returns an error:

Bash:
~# mknod /dev/net/tun c 10 200
mknod: /dev/net/tun: Operation not permitted

So in my docker-ce container it obviously gives me this error too:
Bash:
2021-08-17 10:50:25 OUT [OPENVPN] Creating OpenVPN TUN device
2021-08-17 10:50:25 ERR [OPENVPN] mknod: /dev/net/tun: Operation not permitted
2021-08-17 10:50:25 ERR [OPENVPN] chmod: cannot access '/dev/net/tun': No such file or directory

So is there a way to resolve my problem without making the lxc container privileged?

I saw something which consists of mounting it on the host side, but I didn't succeed in doing that either.
I tried the answer from "Kent" here https://qastack.fr/ubuntu/650471/how-do-i-allow-dev-net-tun-in-a-lxd-managed-lxc-container: I got my /dev/net/tun on my lxc side, but still the same error inside my docker-ce container.

Thanks.
 
The mknod feature flag only enables a set of harmless device nodes to be created. For tun you can only bind-mount it; it will not be possible to use `mknod` to create another, and for now this is not directly supported, as the `mknod` feature is currently not configurable any further.
 
I'm sure there are threads on this forum that explain this for running VPN clients in containers, but I could not find the right one.
I use something like this on the Proxmox host to create a tun dev node with permissions for the root user inside unprivileged containers (at every boot, because it is not persistent):

/usr/sbin/modprobe tun && /usr/bin/mknod /dev/net/tun-lxc c 10 200 && /usr/bin/chown 100000:100000 /dev/net/tun-lxc

And then use a bind mount in the container configuration:

lxc.mount.entry: /dev/net/tun-lxc dev/net/tun none bind,create=file
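The host-side procedure from the reply above, written out as an added example (not code from the thread or from Proxmox): it creates the tun node only when it is missing or wrong, verifies the major/minor numbers with stat, and prints the matching bind-mount line. The node name /dev/net/tun-lxc comes from the reply; the owner 100000 is assumed to be the host uid the container's root is mapped to (the usual default for unprivileged containers, adjust it to your subuid mapping), and the `apply` argument is this script's own convention.

```shell
#!/bin/sh
# Added example: idempotent version of the host-side steps from the thread.
# Run as root on the Proxmox host at every boot (the node is not persistent):
#   sh tun-lxc.sh apply /dev/net/tun-lxc 100000
# Assumed, not from the thread: the owner uid 100000 and the "apply" argument.

TUN_MAJOR=10
TUN_MINOR=200

# Return 0 only if $1 is a character device with the tun major/minor numbers.
# GNU stat prints %t (major) and %T (minor) in hex, so convert before comparing.
is_tun_node() {
    node=$1
    [ -c "$node" ] || return 1
    maj=$(stat -c '%t' "$node") || return 1
    min=$(stat -c '%T' "$node") || return 1
    [ "$((0x$maj))" -eq "$TUN_MAJOR" ] && [ "$((0x$min))" -eq "$TUN_MINOR" ]
}

# Load the driver, create the node once with a restrictive mode, hand it to
# the container's mapped root uid/gid, and re-check the result.
ensure_tun_node() {
    node=${1:-/dev/net/tun-lxc}
    owner=${2:-100000}
    modprobe tun || return 1
    if ! is_tun_node "$node"; then
        rm -f "$node"                                   # never reuse a wrong node
        mknod -m 0600 "$node" c "$TUN_MAJOR" "$TUN_MINOR" || return 1
    fi
    chown "$owner:$owner" "$node" || return 1
    is_tun_node "$node"
}

# Emit the container config line from the reply; create=file makes LXC create
# the mount target dev/net/tun inside the container rootfs.
lxc_mount_entry() {
    printf 'lxc.mount.entry: %s dev/net/tun none bind,create=file\n' \
        "${1:-/dev/net/tun-lxc}"
}

# Only act when invoked with "apply"; sourcing the file just defines functions.
case "${1:-}" in
    apply)
        ensure_tun_node "${2:-/dev/net/tun-lxc}" "${3:-100000}" \
            && lxc_mount_entry "${2:-/dev/net/tun-lxc}"
        ;;
esac
```

Mode 0600 plus the chown means only the container's mapped root can open the node on the host side; other unprivileged containers with a different uid mapping do not get it unless you create a node for their uid as well.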