On Fri, Feb 16, 2024 at 06:32:39PM +0100, Sven Geuer wrote:
> Hi Paul and Aniol,
>
> I encountered the same issue while working on autopkgtests for the vpnc
> package. Error message on salsa.d.o [1] is
>
> vpnc-connect: can't open /dev/net/tun, check that it is either device
> char 10 200 or (with DevFS) a symlink to ../misc/net/tun (not
> misc/net/tun): Operation not permitted
>
> The same error showed up running tests with my local debci/lxc
> installation.
>
> After some research on the net I could fix the issue locally by adding
>
> lxc.cgroup2.devices.allow = c 10:200 rw
>
> to the lxc container's config file
> /var/lib/lxc/autopkgtest-unstable-amd64/config.
>
> Now I wonder how to address the issue properly:
> - Raise a bug against lxc-templates?
> - Raise a bug against debci?
> - Bring up the topic to the Salsa CI Team?
>
> Let me know how to proceed.

None of these. Enabling access to arbitrary devices from containers is a
source of security issues and we won't do it. You need to mark the test
as requiring machine-level isolation¹, so it only runs on virtual
machines. We do, however, have QEMU support where your test can freely
interact with the kernel.

¹ Restrictions: isolation-machine
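To check a test host for device exceptions like the one quoted above, the following added example (not part of the original message, nor code from debci or lxc) parses an LXC container config for device-allow rules and marks the wildcard ones. The function name `device_allow_rules` and the sample config are constructed for illustration.

```python
import re

# Device cgroup rule: <type a|b|c> <major>:<minor> <access drawn from r,w,m>.
# "*" is a wildcard and a bare "a" covers every device. The cgroup v1 key
# lxc.cgroup.devices.allow is matched as well as the cgroup2 one.
ALLOW_RE = re.compile(
    r"^\s*lxc\.cgroup2?\.devices\.allow\s*=\s*(?P<type>[abc])"
    r"(?:\s+(?P<major>\*|\d+):(?P<minor>\*|\d+)\s+(?P<access>[rwm]+))?\s*$"
)

def device_allow_rules(config_text):
    """Return one dict per device-allow rule in an LXC container config."""
    rules = []
    for lineno, line in enumerate(config_text.splitlines(), start=1):
        m = ALLOW_RE.match(line)
        if not m:
            continue  # comments and unrelated keys
        major = m.group("major") or "*"
        minor = m.group("minor") or "*"
        rules.append({
            "line": lineno,
            "type": m.group("type"),
            "device": f"{major}:{minor}",
            "access": m.group("access") or "rwm",  # bare "a": all access
            "broad": m.group("type") == "a" or "*" in (major, minor),
        })
    return rules

# Constructed sample, modelled on /var/lib/lxc/<container>/config.
SAMPLE_CONFIG = """\
lxc.uts.name = autopkgtest-unstable-amd64
# /dev/null
lxc.cgroup2.devices.allow = c 1:3 rwm
# /dev/net/tun, the local workaround quoted in the message
lxc.cgroup2.devices.allow = c 10:200 rw
lxc.cgroup2.devices.allow = b *:* rwm
"""

if __name__ == "__main__":
    for rule in device_allow_rules(SAMPLE_CONFIG):
        note = "  <-- wildcard" if rule["broad"] else ""
        print(f"line {rule['line']}: {rule['type']} {rule['device']} "
              f"{rule['access']}{note}")
```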