Closed besendorf closed 4 years ago
I added the tun module on my host. (I didn't know that host and container use the same kernel.) Now it's enabled also in the container, but the error is still the same:
alpine:~/openvpn$ docker-compose up
Creating network "openvpn_default" with the default driver
Creating openvpn ... done
Attaching to openvpn
openvpn | mknod: /dev/net/tun: Operation not permitted
alpine:~/openvpn$ docker-compose run --rm openvpn lsmod
Creating network "openvpn_default" with the default driver
Module Size Used by Not tainted
tun 36864 0
veth 20480 0
xt_nat 16384 26
xt_tcpudp 16384 30
ipt_MASQUERADE 16384 11
nf_conntrack_netlink 40960 0
nfnetlink 16384 2 nf_conntrack_netlink
xfrm_user 36864 1
xfrm_algo 16384 1 xfrm_user
iptable_nat 16384 7
nf_nat_ipv4 16384 2 ipt_MASQUERADE,iptable_nat
xt_addrtype 16384 2
iptable_filter 16384 1
ip_tables 24576 2 iptable_nat,iptable_filter
xt_conntrack 16384 9
x_tables 36864 7 xt_nat,xt_tcpudp,ipt_MASQUERADE,xt_addrtype,iptable_filter,ip_tables,xt_conntrack
nf_nat 36864 2 xt_nat,nf_nat_ipv4
nf_conntrack 122880 6 xt_nat,ipt_MASQUERADE,nf_conntrack_netlink,nf_nat_ipv4,xt_conntrack,nf_nat
nf_defrag_ipv6 16384 1 nf_conntrack
nf_defrag_ipv4 16384 1 nf_conntrack
libcrc32c 16384 2 nf_nat,nf_conntrack
crc32c_generic 16384 0
br_netfilter 20480 0
bridge 147456 1 br_netfilter
stp 16384 1 bridge
llc 16384 2 bridge,stp
overlay 94208 6
nls_utf8 16384 1
nls_cp437 20480 1
vfat 20480 1
fat 65536 1 vfat
ipv6 413696 101 bridge,[permanent]
af_packet 40960 0
hid_generic 16384 0
usbmouse 16384 0
usbhid 28672 0
hid 106496 2 hid_generic,usbhid
mousedev 20480 0
psmouse 40960 0
i2c_core 61440 1 psmouse
e1000 106496 0
crct10dif_pclmul 16384 0
ghash_clmulni_intel 16384 0
pcbc 16384 0
aesni_intel 200704 0
aes_x86_64 20480 1 aesni_intel
crypto_simd 16384 1 aesni_intel
cryptd 24576 3 ghash_clmulni_intel,aesni_intel,crypto_simd
glue_helper 16384 1 aesni_intel
evdev 20480 4
button 16384 0
efivarfs 16384 1
crc32_pclmul 16384 0
crc32c_intel 24576 3
xhci_pci 16384 0
xhci_hcd 192512 1 xhci_pci
loop 32768 0
ext4 614400 1
crc16 16384 1 ext4
mbcache 16384 1 ext4
jbd2 106496 1 ext4
usb_storage 61440 0
usbcore 208896 5 usbmouse,usbhid,xhci_pci,xhci_hcd,usb_storage
usb_common 16384 1 usbcore
sd_mod 45056 4
However the file does not exist:
alpine:~/openvpn$ docker-compose run --rm openvpn ls -l /dev/net/tun
ls: /dev/net/tun: No such file or directory
My guess is that you need to run docker-compose as root (or with sudo) so you get the permission to create /dev/net/tun.
docker run -v $OVPN_DATA:/etc/openvpn -v /dev/net/tun:/dev/net/tun -d -p 1194:1194/udp --cap-add=NET_ADMIN kylemanna/openvpn
Result:
docker logs competent_davinci
mknod: /dev/net/tun: Operation not permitted
But
docker run -v $OVPN_DATA:/etc/openvpn -v /dev/net/tun:/dev/net/tun -d -p 1194:1194/udp --cap-add=NET_ADMIN kylemanna/openvpn
works well.
Maybe this helps?
Yes, you need to look at cap_add in the docker-compose container to create device nodes within. Alternatively you could run it as privileged, but I wouldn't recommend giving it more privilege than needed.
Just an FYI, if running this image on RHEL8 with Podman, it is required to add the mknod capability:
podman container run -ti --log-driver=journald --log-opt tag="openvpn" --name openvpn \
-v '/tank/container-volumes/openvpn:/etc/openvpn' \
-p 1194:1194/udp \
--cap-add=net_admin,mknod \
kylemanna/openvpn:latest
I run this on Fedora 34, Linux wwfhome 5.13.19-200.fc34.x86_64 #1 SMP Sat Sep 18 16:32:24 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux, with "--cap-add=net_admin,mknod":
$ sudo podman run -v ./openvpn-data/conf:/etc/openvpn -p 1194:1194/udp --cap-add=NET_ADMIN,mknod kylemanna/openvpn
Result:
iptables v1.8.4 (legacy): can't initialize iptables table `nat': Permission denied (you must be root)
Perhaps iptables or your kernel needs to be upgraded.
Had a similar problem with iptables and ended up adding the NET_RAW capability to the cap-add. The way I figured it out was to remove the privileged capabilities (sudo podman top -l capeff) one by one, until the command failed again.
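The cap_add advice above and the capeff-based elimination in the previous comment both come down to reading a capability mask. This added helper (not code from the issue thread or from the kylemanna/openvpn image) decodes a CapEff value and says which of NET_ADMIN, NET_RAW and MKNOD are absent; the sample masks are constructed for the demo, with the bit numbers taken from the kernel's capability.h.

```shell
#!/bin/sh
# Added example, not code from the issue thread or the kylemanna/openvpn image.
# Decodes a CapEff mask (as shown by `grep CapEff /proc/self/status` inside the
# container, or `podman top -l capeff`) and reports which of the capabilities
# this thread ends up needing are missing. Bit numbers are the kernel's
# include/uapi/linux/capability.h values.
CAP_NET_ADMIN=12   # needed for the iptables/ip route calls in the entrypoint
CAP_NET_RAW=13     # needed by the iptables binary (the podman comments add it)
CAP_MKNOD=27       # needed for `mknod /dev/net/tun c 10 200`

# has_cap HEXMASK BIT: succeeds when BIT is set in HEXMASK (with or without 0x)
has_cap() {
  mask=${1#0x}
  [ $(( (0x$mask >> $2) & 1 )) -eq 1 ]
}

# missing_caps HEXMASK: prints the names of the needed capabilities absent from HEXMASK
missing_caps() {
  out=""
  has_cap "$1" "$CAP_NET_ADMIN" || out="$out NET_ADMIN"
  has_cap "$1" "$CAP_NET_RAW"   || out="$out NET_RAW"
  has_cap "$1" "$CAP_MKNOD"     || out="$out MKNOD"
  printf '%s\n' "${out# }"
}

# Constructed sample masks (assumptions for the demo, not captured from the thread):
DOCKER_DEFAULT=00000000a80425fb   # Docker's default set: MKNOD and NET_RAW present, no NET_ADMIN
WITH_NET_ADMIN=00000000a80435fb   # the same set after --cap-add NET_ADMIN
REDUCED_SET=00000000a00415fb      # NET_ADMIN added, but MKNOD and NET_RAW dropped

for m in "$DOCKER_DEFAULT" "$WITH_NET_ADMIN" "$REDUCED_SET"; do
  printf 'CapEff %s missing: [%s]\n' "$m" "$(missing_caps "$m")"
done

# When run inside the container itself, check the live process as well.
if [ -r /proc/self/status ]; then
  live=$(awk '/^CapEff:/ { print $2 }' /proc/self/status)
  printf 'this process missing: [%s]\n' "$(missing_caps "$live")"
fi
```

An empty bracket for the live process means the mknod and iptables steps have what they need from the capability side; the remaining failure modes in this thread (tun module, udp vs tcp port) are not capability problems.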
On Fedora 37, I could not get this to run no matter what I tried (using docker, not podman).
Am also using docker-compose, have added all capabilities. Tried with docker run too, that didn't work either. Can't run privileged because that requires host network, and I want to use the ports option to bind it to a specific IP and port, and that doesn't allow privileged/host.
Here's the command I tried:
sudo docker run -it --rm --security-opt label=disable \
  -v $(pwd)/vol/openvpn:/etc/openvpn:Z \
  -v $(pwd)/cache/localtime:/etc/localtime:ro \
  --security-opt seccomp=unconfined --cap-add NET_ADMIN \
  --cap-add mknod --cap-add net_raw --cap-add ALL \
  --cap-add chown \
  -p <IP>:<PORT>:1194/tcp openvpn:latest
No matter what I do:
mknod: /dev/net/tun: Operation not permitted
Any suggestions/advice appreciated!
EDIT: with -e DEBUG=1 it spits out a bunch of stuff, ending in:
++ OVPN_PUSH=()
++ declare -x OVPN_PUSH
++ OVPN_ROUTES=(['0']='192.168.254.0/24')
++ declare -x OVPN_ROUTES
++ declare -x OVPN_SERVER=192.168.255.0/24
++ declare -x OVPN_SERVER_URL=tcp://<domain>:443
++ declare -x OVPN_TLS_CIPHER=
+ mkdir -p /dev/net
+ '[' '!' -c /dev/net/tun ']'
+ mknod /dev/net/tun c 10 200
mknod: /dev/net/tun: Operation not permitted
I'm using the build from this commit: 1228577d4598762285958ad98724ab37e7b11354
@taoeffect it doesn't work for me, either, but the port needs to be udp: <PORT>:1194/udp, not tcp.
When I run
docker-compose up
I get the error: mknod: /dev/net/tun: Operation not permitted
The tun module is not enabled in my kernel:
I used the docker-compose instructions from: https://github.com/kylemanna/docker-openvpn/blob/master/docs/docker-compose.md