Discussion:
Create tun device from within a container
Berk Birand
2014-02-26 07:42:29 UTC
Hi,

I'm trying to run an OpenVPN client from within a docker image. I've
installed it, and things seem to work fine, until it gets to the point
where the client creates the tun device:

...
Wed Feb 26 07:40:44 2014 Note: Cannot open TUN/TAP dev /dev/net/tun: No such file or directory (errno=2)
...

I can see that from within the container, there is no /dev/net/tun device
in place. I also found out that mknod doesn't work from within a container.
The /dev/net/tun device does exist on the host interface. Is there a way to
also make this device available within a container, since they can't be
created there?

Thanks,
bB
Brian Lalor
2014-02-26 11:13:50 UTC
> I can see that from within the container, there is no /dev/net/tun device
> in place. I also found out that mknod doesn't work from within a container.
> The /dev/net/tun device does exist on the host interface. Is there a way to
> also make this device available within a container, since they can't be
> created there?

mknod requires -privileged when starting the container, or you can create the node when you build the image. You should also be able to bind-mount the file when launching the container.

--
Brian Lalor
***@bravo5.org
Jérôme Petazzoni
2014-03-04 20:42:02 UTC
You will need the "-privileged" flag -- not only to create /dev/net/tun, but
also to actually use it, manipulate routing tables, etc.

I wrote a bit about Docker + OpenVPN a while ago:
http://blog.docker.io/2013/09/docker-joyent-openvpn-bliss/

HTH,
--
@jpetazzo <https://twitter.com/jpetazzo>
Latest blog post:
http://jpetazzo.github.io/2014/01/29/docker-device-mapper-resize/
Pierre Masci
2014-05-23 22:19:14 UTC
I solved the same issue in my container, by using the "-privileged" flag
when doing "docker run", and then following these instructions
<http://wiki.vpslink.com/TUN/TAP_device_with_OpenVPN_or_Hamachi> from
inside the container:

1. sudo mkdir -p /dev/net
2. sudo mknod /dev/net/tun c 10 200
3. sudo chmod 600 /dev/net/tun
4. sudo cat /dev/net/tun to test whether the TUN/TAP device is available:
   - If you receive the message *cat: /dev/net/tun: File descriptor in
     bad state* your TUN/TAP device is ready for use
   - If you receive the message *cat: /dev/net/tun: No such device* the
     TUN/TAP device was not successfully created: contact VPSLink Support
     <https://my.vpslink.com/> for assistance


I don't know what tun is, but by following these instructions I got openvpn
to work here! Merci Jerome!
The next step for me is to automate this job in Ansible, in my openvpn role
(I think it belongs there rather than in the Dockerfile)... but I'll do
that another day.

Thank you Berk, for asking the question here, it's so so good to get an
answer. It's like, the last step to reach a destination. The route was long
and filled with monsters. We beat the crêpes out of them :D
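Added example, not code from any poster in this thread: a small diagnostic that reports what a container is missing for /dev/net/tun, namely the device node itself (character device 10,200, as in the mknod step above), CAP_MKNOD (required by mknod to create it) and CAP_NET_ADMIN (required to configure the tunnel and routing tables). The function names and sample masks are assumptions made for this example; it relies on `stat -c` as provided by GNU coreutils or BusyBox.

```shell
#!/bin/sh
# Added example: diagnose /dev/net/tun availability inside a container.
# Function names are hypothetical; bit numbers are from linux/capability.h.
CAP_NET_ADMIN=12   # needed to configure the tun interface and routing tables
CAP_MKNOD=27       # needed by mknod(2) to create a device node

# has_cap HEXMASK BIT: succeed if BIT is set in a CapEff-style hex mask.
has_cap() {
    [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]
}

# tun_node_state PATH: print missing | not-chardev | wrong-devno | ok.
# "ok" means a character device with major 10, minor 200 (hex a:c8),
# the numbers used by the mknod command in the thread.
tun_node_state() {
    if [ ! -e "$1" ]; then echo missing; return 0; fi
    if [ ! -c "$1" ]; then echo not-chardev; return 0; fi
    # %t and %T print the major and minor device numbers in hex.
    devno=$(stat -c '%t:%T' "$1" 2>/dev/null || true)
    if [ "$devno" = "a:c8" ]; then echo ok; else echo wrong-devno; fi
}

# tun_report [PATH]: node state plus the two capabilities of this process.
tun_report() {
    path=${1:-/dev/net/tun}
    mask=$(awk '/^CapEff:/ {print $2}' /proc/self/status 2>/dev/null || true)
    echo "node $path: $(tun_node_state "$path")"
    [ -n "$mask" ] || { echo "CapEff: unavailable"; return 0; }
    for entry in "CAP_MKNOD $CAP_MKNOD" "CAP_NET_ADMIN $CAP_NET_ADMIN"; do
        set -- $entry
        if has_cap "$mask" "$2"; then echo "$1: present"; else echo "$1: absent"; fi
    done
}

# Constructed sample masks for illustration, not captured from a real container.
SAMPLE_RESTRICTED=00000000a80425fb   # bit 27 set, bit 12 clear
SAMPLE_FULL=0000003fffffffff         # both bits set

# Run with --report inside the container to print the summary.
if [ "${1:-}" = "--report" ]; then tun_report /dev/net/tun; fi
```

A node state of "ok" with CAP_NET_ADMIN absent matches the point made in the thread that creating the device is not enough to use it.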