Hi,
I have been running an OpenVPN server via Docker for some years. It worked fine until yesterday. I did not change the OpenVPN settings or the docker setup. But I think I updated and rebooted the system (pacman -Syu).
Since this I am getting the following message when starting up the docker container:
2024-11-10 13:45:20 ERROR: Cannot open TUN/TAP dev /dev/net/tun: Operation not permitted (errno=1)
My docker container is setup via a docker compose file with the following entry:
openvpn:
  image: martin/openvpn
  restart: always
  cap_add:
    - NET_ADMIN
  ports:
    - "1195:1194/udp"
  volumes:
    - ${LOCAL_OPENVPN}/data:/etc/openvpn
    - ${LOCAL_OPENVPN}/openvpn.conf:/etc/openvpn/openvpn.conf
    - /etc/localtime:/etc/localtime:ro
So far the only solution I have found is to restart the machine, which did not help. I have checked whether the tun module is enabled and loaded in the kernel via:
lsmod | grep tun
which returns
tun 69632 0
So I assume everything is in order, isn't it? As far as I understood, the setting cap_add with NET_ADMIN should enable the docker container to get the correct privileges.
Any suggestions are appreciated, thank you!
Last edited by Burner (2024-11-12 09:24:47)
But I think I updated and rebooted the system (pacman -Syu).
Make sure your running kernel matches the version under "/lib/modules" (missing reboot).
cat /proc/version
ls -l /lib/modules
Seems to be matching:
cat /proc/version
Linux version 6.6.60-1-lts (linux-lts@archlinux) (gcc (GCC) 14.2.1 20240910, GNU ld (GNU Binutils) 2.43.0) #1 SMP PREEMPT_DYNAMIC Fri, 08 Nov 2024 16:03:02 +0000
ls -l /lib/modules
drwxr-xr-x 3 root root 4096 9. Nov 22:16 6.6.60-1-lts
drwxr-xr-x 3 root root 4096 2. Nov 18:52 6.11.6-arch1-1
Forgot to tell that I already checked prior via:
uname -a
Linux james 6.6.60-1-lts #1 SMP PREEMPT_DYNAMIC Fri, 08 Nov 2024 16:03:02 +0000 x86_64 GNU/Linux
pacman -Q linux linux-lts
linux 6.11.6.arch1-1
linux-lts 6.6.60-1
It's a permission issue. Try adding privileged: true to your compose file. Edit below.
openvpn:
  image: martin/openvpn
  privileged: true
  restart: always
  cap_add:
    - NET_ADMIN
  ports:
    - "1195:1194/udp"
  volumes:
    - ${LOCAL_OPENVPN}/data:/etc/openvpn
    - ${LOCAL_OPENVPN}/openvpn.conf:/etc/openvpn/openvpn.conf
    - /etc/localtime:/etc/localtime:ro
Thanks gid10t, adding "privileged: true" gets the container running and my VPN working again!
Do you have any idea why this setting is necessary now but was not like a week ago? As I understood this setting will allow my container more than just connect to the TUN module (like access to all my devices, I found in a quick search). I assume this is a potential security risk?
Do you have any idea why this setting is necessary now but was not like a week ago? As I understood this setting will allow my container more than just connect to the TUN module (like access to all my devices, I found in a quick search). I assume this is a potential security risk?
Unsure on what changed but I encountered this very recently after an update as well. After verifying permissions on the docker container and various other troubleshooting, the privileged setting resolved my issue.
Disclaimer:
It does grant the docker container rights outside the scope of what you need in your use case. I would worry about this less as a remote exploit (though still possible) and one more tangible on a shared workstation. If you have a user that doesn't have root access but uses a container with those settings, it could be abused. That being said, always be cautious using compose files you didn't write yourself or from sources you can't verify.
Marking the thread as resolved.
If someone finds this thread and knows what changed to make the privileged setting necessary please leave an explanation.
Thanks!
There's no need to go that far: it works for me without the privileged setting if I pass the /dev/net/tun device from the host. However, it's a mystery to me as well, because it used to work fine for me too without passing this device, just creating it inside the container with mknod, and now it does not.
Asuranceturix can you post how to pass the tun device into the docker container?
I would like to apply this method to avoid using the privileged setting.
Asuranceturix can you post how to pass the tun device into the docker container?
I would like to apply this method to avoid using the privileged setting.
Assuming you are using docker compose, add this to your compose.yml:
services:
  your-container:
    ...
    devices:
      - /dev/net/tun
    ...
It's because containerd updated runc to 1.2.1, see https://github.com/containerd/containerd/issues/11078
Thanks tw1024!
I think this clears up the question what changed.
Here is the link to the answer to the issue at github:
https://github.com/containerd/container … 2510511238
So the change was intentional and the solution provided by minh2134 is the intended way to go.
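As an added illustration (not code from the thread or from any of the tools it mentions), here is a small Python checker for the pattern the thread converges on: a compose service that needs the TUN device should get "devices: - /dev/net/tun" plus cap_add NET_ADMIN rather than "privileged: true". The function names audit_service and least_privilege_fix are my own, the sample service dicts are constructed to mirror the compose entries posted above, and the "runc >= 1.2.1" wording repeats what the thread says about the containerd/runc change.

```python
"""Audit docker compose service definitions for TUN/TAP access.

Rule taken from the thread: since runc 1.2.1 a container no longer gets
/dev/net/tun just by having CAP_NET_ADMIN; it must be passed the device
explicitly via "devices:", or run privileged. Privileged is far broader
than needed (all capabilities, all host devices), so the checker flags it.
"""

TUN_DEVICE = "/dev/net/tun"


def _has_tun_device(service: dict) -> bool:
    """True if the service lists /dev/net/tun as a host path under devices:."""
    for entry in service.get("devices", []):
        # compose accepts "host_path" or "host_path:container_path[:perms]"
        if str(entry).split(":")[0] == TUN_DEVICE:
            return True
    return False


def audit_service(name: str, service: dict) -> list[str]:
    """Return findings for one compose service (empty list means no finding)."""
    findings = []
    caps = [c.upper().removeprefix("CAP_") for c in service.get("cap_add", [])]
    if service.get("privileged", False):
        findings.append(f"{name}: privileged: true grants every capability and "
                        f"host device; prefer devices: [{TUN_DEVICE}] with "
                        f"cap_add: [NET_ADMIN]")
    elif "NET_ADMIN" in caps and not _has_tun_device(service):
        findings.append(f"{name}: cap_add NET_ADMIN but no devices: "
                        f"[{TUN_DEVICE}]; if this service needs the TUN device, "
                        f"opening it fails with EPERM under runc >= 1.2.1")
    return findings


def least_privilege_fix(service: dict) -> dict:
    """Copy of the service with privileged dropped and the TUN device passed."""
    fixed = {k: v for k, v in service.items() if k != "privileged"}
    caps = list(fixed.get("cap_add", []))
    if "NET_ADMIN" not in caps:
        caps.append("NET_ADMIN")
    fixed["cap_add"] = caps
    devices = list(fixed.get("devices", []))
    if not _has_tun_device(fixed):
        devices.append(TUN_DEVICE)
    fixed["devices"] = devices
    return fixed


# Constructed samples mirroring the thread's openvpn compose entries.
ORIGINAL = {"image": "martin/openvpn", "cap_add": ["NET_ADMIN"],
            "ports": ["1195:1194/udp"]}
PRIVILEGED = dict(ORIGINAL, privileged=True)
```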