NVIDIA / enroot

A simple yet powerful tool to turn traditional container/OS images into unprivileged sandboxes.
Apache License 2.0

Enabling the creation of TUN devices #178

Open icsy7867 opened 10 months ago

icsy7867 commented 10 months ago

Hello! I have a rather strange implementation. I am trying to connect the jail to another host via a WireGuard tunnel. If using Docker, it works fine. However, enroot does not seem to allow the creation of network interfaces.

ERROR: (peer) 2024/01/26 13:54:06 Failed to create TUN device: operation not permitted
Unable to access interface: Protocol not supported

I was curious if anyone knew of a setting or a way to make something like this work. Thanks!

3XX0 commented 10 months ago

You need privileges to do that, and Enroot by design doesn't grant you more privileges than you have. There's no network namespace by default either, for the same reason.

You can run the container as root (superuser) if your enroot config allows it. Alternatively, you can unshare a network namespace inside the container, but you would have to wire it to your host network somehow (slirp, veth, etc.).
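The "operation not permitted" in the report above is the kernel refusing TUN creation because the process lacks CAP_NET_ADMIN in the user namespace that owns its network namespace. The following diagnostic script is an added example (not part of this issue or of the enroot project): it decodes the CapEff mask from /proc/self/status and checks for /dev/net/tun, so you can see inside an enroot container why a WireGuard setup fails before changing any privilege configuration. Capability bit numbers follow the Linux convention (CAP_NET_ADMIN = 12).

```shell
# Diagnose whether this process can create a TUN device.
# Requires only POSIX sh plus grep/cut; reads /proc, so Linux only.

CAP_NET_ADMIN=12   # Linux capability number for CAP_NET_ADMIN

# has_cap HEXMASK CAPNUM -> returns 0 if bit CAPNUM is set in HEXMASK
# (HEXMASK is in the 16-hex-digit format /proc/<pid>/status uses)
has_cap() {
    mask=$1
    capnum=$2
    [ $(( (0x$mask >> $capnum) & 1 )) -eq 1 ]
}

# cap_eff -> prints the effective capability mask of this process
cap_eff() {
    grep '^CapEff:' /proc/self/status | cut -f2
}

# tun_check -> prints a diagnosis; returns 0 only if both prerequisites hold
tun_check() {
    status=0
    if has_cap "$(cap_eff)" "$CAP_NET_ADMIN"; then
        echo "CAP_NET_ADMIN: present in effective set"
    else
        echo "CAP_NET_ADMIN: missing (TUN creation will fail: operation not permitted)"
        status=1
    fi
    if [ -c /dev/net/tun ]; then
        echo "/dev/net/tun: present"
    else
        echo "/dev/net/tun: missing (device node not available in this mount namespace)"
        status=1
    fi
    return $status
}

# Run the diagnosis when executed directly; a failure is informational, not fatal.
tun_check || :
```

An unprivileged enroot container typically prints a CapEff of all zeros, which is exactly the case in which the WireGuard peer reports the error quoted in the issue.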