On 2016-02-14 09:00 AM, Simon Deziel wrote:
> On 2016-02-13 10:03 PM, Ryan Harper wrote:
>> On Sat, Feb 13, 2016 at 7:51 PM, Simon Déziel <email address hidden>
>>> libipsec support is very cool (thanks for enabling it!) as it should
>>> allow running IPsec in containers.
>>>
>>>
>> Please do confirm if that's working. I suspect they'll need to be
>> privileged containers or will need some additional permissions/configs
>> for unprivileged since it'll want access to /dev/net/tun which won't be
>> present by default.
Correct, for unprivileged containers, one has to make the tun device
available using:
lxc config device add $CTNAME tun unix-char path=/dev/net/tun
Then it works.
Thanks,
Simon