
在 Promoxe LXC 中需要用到 /dev/net/tun 映射方式 #54

Open luckyyyyy opened 3 years ago

luckyyyyy commented 3 years ago

https://www.kernel.org/doc/Documentation/networking/tuntap.txt

TUN/TAP provides packet reception and transmission for user space programs. It can be seen as a simple Point-to-Point or Ethernet device, which, instead of receiving packets from physical media, receives them from user space program and instead of sending packets via physical media writes them to the user space program.

部分 VPN 软件(例如 OpenConnect 和 OpenVPN)需要用到 /dev/net/tun,有些还需要用到 tap。LXC 容器里默认是没有这些设备节点的,非特权容器需要在宿主机的容器配置中显式挂载并放行之后才能使用。

# Proxmox 下不要直接去改 /var/lib/lxc/{id}/config,那样是不会生效的。
vim /etc/pve/lxc/{id}.conf  

# 挂载设备
lxc.mount.entry: /dev/net/tun dev/net/tun none bind,create=file
# 设置权限
lxc.cgroup.devices.allow: c 10:200 rwm

cgroup 这一行怎么写?如果不了解 cgroup 设备控制是什么,先看 https://linuxcontainers.org/lxc/manpages//man1/lxc-cgroup.1.html ;这里不介绍 LXC 本身,不再展开。

cgroup 这一行其实很简单:c 表示字符设备,10 和 200 分别是下面 ls -l 输出里的主设备号和次设备号,所以写成 c 10:200。

root@pve /dev/net$ ls -l /dev
crw-rw-rw- 1 root root 10, 200 Sep 21 14:17 tun

# Device cgroup (v1) policy for the container: deny every device node first,
# then whitelist individual nodes by type and major:minor.
# Each allow line is "<c|b> <major>:<minor> <perms>", where c = character
# device, b = block device, r/w = read/write, m = mknod.
# NOTE(review): these are the cgroup v1 keys (lxc.cgroup.*); on a cgroup v2
# host (Proxmox 7 and later) the key is lxc.cgroup2.devices.allow instead.
lxc.cgroup.devices.deny = a
# Allow any mknod (but not using the node)
lxc.cgroup.devices.allow = c *:* m
lxc.cgroup.devices.allow = b *:* m
# /dev/null and zero
lxc.cgroup.devices.allow = c 1:3 rwm
lxc.cgroup.devices.allow = c 1:5 rwm
# consoles
lxc.cgroup.devices.allow = c 5:1 rwm
lxc.cgroup.devices.allow = c 5:0 rwm
#lxc.cgroup.devices.allow = c 4:0 rwm
#lxc.cgroup.devices.allow = c 4:1 rwm
# /dev/{,u}random
lxc.cgroup.devices.allow = c 1:9 rwm
lxc.cgroup.devices.allow = c 1:8 rwm
# pty slaves (/dev/pts/*) and /dev/ptmx
lxc.cgroup.devices.allow = c 136:* rwm
lxc.cgroup.devices.allow = c 5:2 rwm
# rtc
lxc.cgroup.devices.allow = c 254:0 rwm
# fuse
lxc.cgroup.devices.allow = c 10:229 rwm
# tun — /dev/net/tun (major 10, minor 200): the entry OpenVPN/OpenConnect need.
# This rule only permits access; the node still has to be bind-mounted into
# the container with lxc.mount.entry for it to exist there.
lxc.cgroup.devices.allow = c 10:200 rwm
# full
lxc.cgroup.devices.allow = c 1:7 rwm
# hpet
lxc.cgroup.devices.allow = c 10:228 rwm
# kvm — only needed if the container itself runs VMs; otherwise leave it out
# so the container cannot reach the hypervisor device.
lxc.cgroup.devices.allow = c 10:232 rwm
mcfd commented 3 months ago

lxc.cgroup2.devices.allow: c 10:200 rwm
lxc.mount.entry: /dev/net dev/net none bind,create=dir

已经不适用现在的了 引用:https://northes.io/posts/pve/lxc-netowrk/

luckyyyyy commented 3 months ago

lxc.cgroup2.devices.allow: c 10:200 rwm
lxc.mount.entry: /dev/net dev/net none bind,create=dir

已经不适用现在的了 引用:https://northes.io/posts/pve/lxc-netowrk/

从 PVE 7 开始宿主机使用 cgroup v2,设备放行需要写为 lxc.cgroup2.devices.allow,而不是 lxc.cgroup.devices.allow。