Operation not permitted on /dev/net/tun

[jbg]

I am trying to get slackhq's nebula to work on a qemu vm in proxmox. This particular VM was created with a script to install a home assistant os. When i go to start the nebula tunnel, i get the error:

ERRO[0000] Failed to get a tun/tap device error="operation not permitted"

I have been able to do this easily on another vm i created manually, so its something about this one VM. The config is below, not sure what else i can provide but let me know. Not sure if this is the right section or if it should be in the network section

agent: 1
bios: ovmf
boot: order=scsi0
cores: 2
cpu: host
efidisk0: local-lvm:vm-302-disk-0,efitype=4m,size=4M
localtime: 1
memory: 8192
meta: creation-qemu=8.0.2,ctime=1697049987
name: haos10.5
net0: virtio=02:D4:6E:8F:08:89,bridge=vmbr0
onboot: 1
ostype: l26
scsi0: local-lvm:vm-302-disk-1,cache=writethrough,discard=on,size=32G,ssd=1
scsihw: virtio-scsi-pci
smbios1: uuid=cf25b9f2-0b12-4a09-91ff-0d0caccd3aa1
startup: order=3
tablet: 0
tags:
usb0: host=10c4:ea60
vmgenid: 11d036fb-be3f-4331-b1cf-13c515974590

 

[jbg]

Maybe it would be helpful to see how the VMs are started since i can do this on another VM. Is there a way to see the startup command that the PVE webui initiates?

 

[leesteken]

Is there a way to see the startup command that the PVE webui initiates?

[B]qm showcmd VM_ID_NUMBER[/B]. I have never seen your issue before, and I have no clue what to investigate or to try.

EDIT: Comparing VM configurations is much easier (for humans) with qm config VM_ID_NUMBER.

 

[jbg]

[B]qm showcmd VM_ID_NUMBER[/B]. I have never seen your issue before, and I have no clue what to investigate or to try.

Thank you!

This is the one not permitting access to /net/dev/tun:

/usr/bin/kvm -id 302 -name 'haos10.5,debug-threads=on' -no-shutdown -chardev 'socket,id=qmp,path=/var/run/qemu-server/302.qmp,server=on,wait=off' -mon 'chardev=qmp,mode=control' -chardev 'socket,id=qmp-event,path=/var/run/qmeventd.sock,reconnect=5' -mon 'chardev=qmp-event,mode=control' -pidfile /var/run/qemu-server/302.pid -daemonize -smbios 'type=1,uuid=cf25b9f2-0b12-4a09-91ff-0d0caccd3aa1' -drive 'if=pflash,unit=0,format=raw,readonly=on,file=/usr/share/pve-edk2-firmware//OVMF_CODE_4M.fd' -drive 'if=pflash,unit=1,id=drive-efidisk0,format=raw,file=/dev/pve/vm-302-disk-0,size=540672' -smp '2,sockets=1,cores=2,maxcpus=2' -nodefaults -boot 'menu=on,strict=on,reboot-timeout=1000,splash=/usr/share/qemu-server/bootsplash.jpg' -vnc 'unix:/var/run/qemu-server/302.vnc,password=on' -cpu host,+kvm_pv_eoi,+kvm_pv_unhalt -m 8192 -device 'pci-bridge,id=pci.1,chassis_nr=1,bus=pci.0,addr=0x1e' -device 'pci-bridge,id=pci.2,chassis_nr=2,bus=pci.0,addr=0x1f' -device 'vmgenid,guid=11d036fb-be3f-4331-b1cf-13c515974590' -device 'piix3-usb-uhci,id=uhci,bus=pci.0,addr=0x1.0x2' -device 'qemu-xhci,p2=15,p3=15,id=xhci,bus=pci.1,addr=0x1b' -device 'usb-host,bus=xhci.0,port=1,vendorid=0x10c4,productid=0xea60,id=usb0' -device 'VGA,id=vga,bus=pci.0,addr=0x2' -chardev 'socket,path=/var/run/qemu-server/302.qga,server=on,wait=off,id=qga0' -device 'virtio-serial,id=qga0,bus=pci.0,addr=0x8' -device 'virtserialport,chardev=qga0,name=org.qemu.guest_agent.0' -device 'virtio-balloon-pci,id=balloon0,bus=pci.0,addr=0x3,free-page-reporting=on' -iscsi 'initiator-name=iqn.1993-08.org.debian:01:73ab2e2bbb0' -device 'virtio-scsi-pci,id=scsihw0,bus=pci.0,addr=0x5' -drive 'file=/dev/pve/vm-302-disk-1,if=none,id=drive-scsi0,cache=writethrough,discard=on,format=raw,aio=io_uring,detect-zeroes=unmap' -device 'scsi-hd,bus=scsihw0.0,channel=0,scsi-id=0,lun=0,drive=drive-scsi0,id=scsi0,rotation_rate=1,bootindex=100' -netdev 'type=tap,id=net0,ifname=tap302i0,script=/var/lib/qemu-server/pve-bridge,downscript=/var/lib/qemu-server/pve-bridgedown,vhost=on' -device 'virtio-net-pci,mac=02:D4:6E:8F:08:89,netdev=net0,bus=pci.0,addr=0x12,id=net0,rx_queue_size=1024,tx_queue_size=256' -rtc 'base=localtime' -machine 'type=pc+pve0'

This one i can get access to /dev/dev/tun:

/usr/bin/kvm -id 301 -name 'torrents,debug-threads=on' -no-shutdown -chardev 'socket,id=qmp,path=/var/run/qemu-server/301.qmp,server=on,wait=off' -mon 'chardev=qmp,mode=control' -chardev 'socket,id=qmp-event,path=/var/run/qmeventd.sock,reconnect=5' -mon 'chardev=qmp-event,mode=control' -pidfile /var/run/qemu-server/301.pid -daemonize -smbios 'type=1,uuid=5cd26f5a-aabb-41f8-b57d-7c877c4f8976' -smp '1,sockets=1,cores=1,maxcpus=1' -nodefaults -boot 'menu=on,strict=on,reboot-timeout=1000,splash=/usr/share/qemu-server/bootsplash.jpg' -vnc 'unix:/var/run/qemu-server/301.vnc,password=on' -cpu qemu64,+aes,enforce,+kvm_pv_eoi,+kvm_pv_unhalt,+pni,+popcnt,+sse4.1,+sse4.2,+ssse3 -m 4096 -object 'iothread,id=iothread-virtioscsi0' -device 'pci-bridge,id=pci.1,chassis_nr=1,bus=pci.0,addr=0x1e' -device 'pci-bridge,id=pci.2,chassis_nr=2,bus=pci.0,addr=0x1f' -device 'pci-bridge,id=pci.3,chassis_nr=3,bus=pci.0,addr=0x5' -device 'vmgenid,guid=37987dab-01da-41e5-a33e-da76da158413' -device 'piix3-usb-uhci,id=uhci,bus=pci.0,addr=0x1.0x2' -device 'usb-tablet,id=tablet,bus=uhci.0,port=1' -device 'VGA,id=vga,bus=pci.0,addr=0x2' -device 'virtio-balloon-pci,id=balloon0,bus=pci.0,addr=0x3,free-page-reporting=on' -iscsi 'initiator-name=iqn.1993-08.org.debian:01:73ab2e2bbb0' -drive 'if=none,id=drive-ide2,media=cdrom,aio=io_uring' -device 'ide-cd,bus=ide.1,unit=0,drive=drive-ide2,id=ide2,bootindex=100' -device 'virtio-scsi-pci,id=virtioscsi0,bus=pci.3,addr=0x1,iothread=iothread-virtioscsi0' -drive 'file=/dev/pve/vm-301-disk-0,if=none,id=drive-scsi0,format=raw,cache=none,aio=io_uring,detect-zeroes=on' -device 'scsi-hd,bus=virtioscsi0.0,channel=0,scsi-id=0,lun=0,drive=drive-scsi0,id=scsi0,bootindex=101' -netdev 'type=tap,id=net0,ifname=tap301i0,script=/var/lib/qemu-server/pve-bridge,downscript=/var/lib/qemu-server/pve-bridgedown,vhost=on' -device 'virtio-net-pci,mac=5A:AB:0E:D8:15:33,netdev=net0,bus=pci.0,addr=0x12,id=net0,rx_queue_size=1024,tx_queue_size=256,bootindex=102' -machine 'type=pc+pve0'

Nothing really jumps out to me, but then again, im not sure what im looking for