On 07/09/2013 05:51 AM, Thomas Karcher wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hi Daniel,
>
> On 07/08/2013 11:41 AM, Daniel P. Berrange wrote:
>>> the symptom my libvirt LXC container suffers from is:
>>>
>>> root@depot:/dev/net# ls -la
>>> total 0
>>> drwxr-xr-x 2 root root  40 Jun 29 16:26 .
>>> drwxr-xr-x 5 root root 480 Jun 29 16:26 ..
>>> root@depot:/dev/net# mknod tun c 10 200
>>> mknod: `tun': Operation not permitted
>>
>> Allowing the container direct access to the host's /dev would be a
>> security flaw, so libvirt sets up a private /dev for the container.
>> Allowing the container to use mknod would also be insecure, so we
>> block mknod both with the cgroups device ACL and by dropping the
>> CAP_MKNOD capability.
>>
>> http://libvirt.org/drvlxc.html#devnodes
>
> Good to know.
>
>> Any device that the container is authorized to access per the XML
>> configuration will be pre-created in the container's /dev. To
>> explicitly allow /dev/net/tun you need to tell libvirt about it.
>>
>> http://libvirt.org/formatdomain.html#elementsHostDevCaps
>
> Thanks!
>
> I extended the 'devices' section as follows:
>
> <hostdev mode='capabilities' type='misc'>
>   <source>
>     <char>/dev/net/tun</char>
>   </source>
> </hostdev>
>
> ... because even though /dev/net/tun is used for networking, it
> appears as a character device. (Btw: The documentation says in the
> hostdev section: ''For block/character device passthrough mode is
> always "capabilities" and type is "block" for a block device, "char"
> for a character device and "net" for a host network interface.'' When
> I specify type='char', I get an error from virsh.)
>
> With this XML, I can define the container. But upon start, I get the
> following error message:
>
> Error: internal error guest failed to start: PATH=/bin:/sbin
> TERM=linux container=lxc-libvirt
> container_uuid=f3602503-9603-24aa-7dd8-fccc830a802b
> LIBVIRT_LXC_UUID=f3602503-9603-24aa-7dd8-fccc830a802b
> LIBVIRT_LXC_NAME=depot /sbin/init
> 2013-07-08 21:36:50.735+0000: 1: info : libvirt version: 1.0.2
> 2013-07-08 21:36:50.735+0000: 1: error : lxcContainerSetupHostdevCapsMisc:1490 : Unable to create device /dev/net/tun: No such file or directory
> 2013-07-08 21:36:50.744+0000: 19537: info : libvirt version: 1.0.2
> 2013-07-08 21:36:50.744+0000: 19537: error : virCommandWait:2287 : internal error Child process (ip link set veth6 netns 19538) unexpected exit status 2: RTNETLINK answers: No such process
>
> 2013-07-08 21:36:50.786+0000: 19537: error : virCommandWait:2287 : internal error Child process (ip link del veth4) unexpected exit status 1: Cannot find device "veth4"
>
> On the host, /dev/net/tun exists as a character device:
>
> root@main:~# ls -la /dev/net/tun
> crw-rw-rwT 1 root root 10, 200 Jul 8 23:45 /dev/net/tun
>
> What am I doing wrong ...?
>

You are right, it should be a char device. libvirt lxc should create the
"net" directory atomically for the tun device.

_______________________________________________
libvirt-users mailing list
libvirt-users@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvirt-users
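The two problems in the thread (the `type` attribute that virsh rejects, and the missing `net` directory inside the container's private /dev) can both be caught before `virsh start`. The following is an added example, not libvirt's own code or anything posted in the thread. It assumes the pairing libvirt's schema actually accepts for `<hostdev mode='capabilities'>`: `type='storage'` with `<source><block>`, `type='misc'` with `<source><char>`, and `type='net'` with `<source><interface>`; the domain XML it parses is constructed here and is not the poster's full configuration.

```python
"""Sanity-check <hostdev mode='capabilities'> entries in a libvirt LXC domain XML.

Added example, not libvirt code. It encodes the pairing of the hostdev
'type' attribute with the <source> child element that libvirt's schema
accepts (storage/<block>, misc/<char>, net/<interface>) and lists the
directories that must exist inside the container's private /dev before
the device node can be created there.
"""
import posixpath
import xml.etree.ElementTree as ET

# hostdev type attribute -> expected child element of <source>
CAPS_SOURCE = {"storage": "block", "misc": "char", "net": "interface"}

# Constructed sample domain (assumption, not the poster's full XML): the
# first entry is the working one from the thread, the second repeats the
# type='char' mistake that virsh rejects, the third is a block device.
SAMPLE_DOMAIN_XML = """\
<domain type='lxc'>
  <name>depot</name>
  <devices>
    <hostdev mode='capabilities' type='misc'>
      <source><char>/dev/net/tun</char></source>
    </hostdev>
    <hostdev mode='capabilities' type='char'>
      <source><char>/dev/ttyS0</char></source>
    </hostdev>
    <hostdev mode='capabilities' type='storage'>
      <source><block>/dev/sdb1</block></source>
    </hostdev>
  </devices>
</domain>
"""


def check_hostdevs(domain_xml):
    """Return one dict per capabilities-mode <hostdev>: type, path, ok, message."""
    root = ET.fromstring(domain_xml)
    results = []
    for hd in root.iter("hostdev"):
        if hd.get("mode") != "capabilities":
            continue  # PCI/USB passthrough uses mode='subsystem'; not checked here
        dev_type = hd.get("type")
        source = hd.find("source")
        child = source[0] if source is not None and len(source) else None
        path = child.text.strip() if child is not None and child.text else None
        expected = CAPS_SOURCE.get(dev_type)
        if expected is None:
            ok = False
            msg = ("unknown type=%r; use storage (<block>), misc (<char>) "
                   "or net (<interface>)" % dev_type)
        elif child is None or child.tag != expected:
            ok = False
            msg = "type=%r needs <source><%s>...</%s>" % (dev_type, expected, expected)
        elif path is None:
            ok = False
            msg = "empty <%s> element" % expected
        else:
            ok = True
            msg = "ok"
        results.append({"type": dev_type, "path": path, "ok": ok, "message": msg})
    return results


def required_dev_dirs(results):
    """Directories below the container's private /dev that must exist before
    libvirt can mknod the passed-through nodes (e.g. /dev/net for /dev/net/tun).
    Network interfaces are not /dev nodes and are skipped."""
    dirs = set()
    for r in results:
        if not r["ok"] or r["type"] == "net":
            continue
        parent = posixpath.dirname(r["path"])
        while parent not in ("/dev", "/", ""):
            dirs.add(parent)
            parent = posixpath.dirname(parent)
    return sorted(dirs)


if __name__ == "__main__":
    res = check_hostdevs(SAMPLE_DOMAIN_XML)
    for r in res:
        print("%-8s %-14s %s" % (r["type"], r["path"], r["message"]))
    print("container /dev needs:", required_dev_dirs(res))
```

Run it against `virsh dumpxml <domain>` output to see which entries virsh will reject and which parent directories (here `/dev/net`) the container's private /dev has to contain; a libvirt that does not create that directory itself fails exactly as the thread shows, with "Unable to create device /dev/net/tun: No such file or directory".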