tun/tap broken in LXC in PVE 7

jermudgeon

With PVE 6.4, I had functional tun/tap (think ZeroTier) inside privileged LXC with the following config:
Code:
lxc.cgroup.devices.allow: c 10:200 rwm
lxc.mount.entry: /dev/net/tun dev/net/tun none bind,create=file
In PVE 7, with or without features: mknod=1, ZeroTier now fails:
zerotier-one[171]: ERROR: unable to configure virtual network port: could not open TUN/TAP device: No such file or directory
No failure messages are logged on the host system (apparmor, for example), but several of these:
[43177.694811] audit: type=1400 audit(1625803544.343:276): apparmor="STATUS" operation="profile_replace" info="not policy admin" error=-13 label="lxc-105_</var/lib/lxc>//&:lxc-105_<-var-lib-lxc>:unconfined" pid=438874 comm="apparmor_parser"

Is there a guide for re-enabling node creation inside privileged containers? This has borked some of my LXC infrastructure. I'm happy to convert privileged back to unprivileged if required.
Even more fascinating… attempting to convert a privileged container (mknod=1 still set) to unprivileged fails and destroys the LXC:
recovering backed-up configuration from 'cephfs:backup/vzdump-lxc-105-2021_07_08-20_19_10.tar.zst'
/dev/rbd0
Creating filesystem with 4194304 4k blocks and 1048576 inodes
Filesystem UUID: de0a2073-b908-48d6-9509-d4edce3e9b3b
Superblock backups stored on blocks:
	32768, 98304, 163840, 229376, 294912, 819200, 884736, 1605632, 2654208,
Removing image: 1% complete...
Removing image: 2% complete...
<snip>
Removing image: 100% complete...done.
restoring 'cephfs:backup/vzdump-lxc-105-2021_07_08-20_19_10.tar.zst' now..
extracting archive '/mnt/pve/cephfs/dump/vzdump-lxc-105-2021_07_08-20_19_10.tar.zst'
tar: ./var/spool/postfix/dev/urandom: Cannot mknod: Operation not permitted
tar: ./var/spool/postfix/dev/random: Cannot mknod: Operation not permitted
Total bytes read: 3465881600 (3.3GiB, 58MiB/s)
tar: Exiting with failure status due to previous errors
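The device-allow config quoted in the first post is written with the cgroup v1 key; a PVE 7 host mounts cgroup2fs at /sys/fs/cgroup and LXC reads device rules there from lxc.cgroup2.devices.allow, so a v1-only rule is silently ignored. The following is an added example (not from the post or from Proxmox) that checks a container config against the host's cgroup mode; the config path /etc/pve/lxc/<ctid>.conf and the container id 105 are assumptions taken from the post.

```shell
#!/bin/sh
# Added example: report whether an LXC config grants char 10:200 (/dev/net/tun)
# under the device-allow key that matches the host's cgroup hierarchy, and
# whether the tun node is bind-mounted. Config path below is an assumption.

# Print v1, v2 or unknown depending on what is mounted at /sys/fs/cgroup.
host_cgroup_mode() {
  case "$(stat -fc %T /sys/fs/cgroup 2>/dev/null)" in
    cgroup2fs) echo v2 ;;
    tmpfs)     echo v1 ;;
    *)         echo unknown ;;
  esac
}

# Config on stdin; $1 = v1|v2. Print the key that carries a 10:200 rule for
# that mode, or "missing" if the rule is absent under the honoured key.
tun_rule_status() {
  key='lxc.cgroup.devices.allow'
  [ "$1" = v2 ] && key='lxc.cgroup2.devices.allow'
  if grep -qE "^$key:[[:space:]]*c[[:space:]]+10:200[[:space:]]+[rwm]+[[:space:]]*$"; then
    echo "$key"
  else
    echo missing
  fi
}

# Config on stdin; print yes if /dev/net/tun is bind-mounted into the container.
has_tun_mount() {
  grep -qE '^lxc\.mount\.entry:[[:space:]]*/dev/net/tun[[:space:]]+dev/net/tun[[:space:]]' \
    && echo yes || echo no
}

# Constructed sample: the v1-style config from the first post.
SAMPLE_V1='lxc.cgroup.devices.allow: c 10:200 rwm
lxc.mount.entry: /dev/net/tun dev/net/tun none bind,create=file'

# Usage on a PVE host: sh check-tun.sh 105  (reads /etc/pve/lxc/105.conf, assumed path)
main() {
  conf="/etc/pve/lxc/$1.conf"
  mode=$(host_cgroup_mode)
  echo "host cgroup mode: $mode"
  echo "10:200 allow rule for $mode: $(tun_rule_status "$mode" < "$conf")"
  echo "/dev/net/tun bind mount: $(has_tun_mount < "$conf")"
}
if [ -n "${1:-}" ]; then main "$1"; fi
```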