New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Allow access to /dev/net/tun inside containers (port to 16.09) #19523
Conversation
This adds the containers.<name>.enableTun option allowing containers to access /dev/net/tun. This is required by openvpn, tinc, etc. in order to work properly inside containers. The new option builds on top of two generic options containers.<name>.additionalCapabilities and containers.<name>.allowedDevices which also can be used for example when adding support for FUSE later down the road. Backported to 16.09.
@rasendubi, thanks for your PR! By analyzing the history of the files in this pull request, we identified @kampfschlaefer, @edolstra and @ericbmerritt to be potential reviewers. |
Thanks! I've checked this patch on top of 6751f94
|
Hi, I'm not sure this is a change eligible for backporting to stable, however perhaps so. Usually the only backports are security fixes and major bugfixes. This one seems a bit more minor / enhancement category. That said, I'm not any sort of final decider on that, so I'll ping some people. Thank you! |
The bug makes openvpn unusable inside containers. I believe that's pretty major for some people. |
Correct me if I'm wrong, but #18822 added the ability to run openvpn in containers, and before that it was impossible. In that sense, it is a feature addition and not a bug fix. In fact, the features being added are:
While I hear the pain from not having these features, in that you can't run openvpn in the container, it is similar to saying it is a bug that you cannot run frotz in stable either, which is a new package introduced in unstable. It is also a fairly large and invasive change. This is pretty tough to backport to our stable release, as we very much want to keep it stable. It would require extensive and careful testing to port. |
@grahamc Actually, I'm the person who requested this PR. I have openVPN in containers in production on nixos-16.03 I guess the regression was introduced by fd5bbdb, which ended up in 16.09 Some guys fixed that by introducing "an ability" to enable openvpn back (which is this PR about). In some sense the fix introduces new features, I agree here, but To be pedantic, this should be in release notes too. But I guess those little people affected can google the problem. |
cc @domenkozar could I get your eyes on this? |
I'm very vague about that part of our ecosystem and I won't have time to dig into this soon. Maybe @edolstra has thoughts? |
@grahamc security |
I want to weight in here: Of course maintainers might think otherwise. But I would really, really love to see a test for this feature and maybe also for openvpn in general. NixOS/nixpkgs provides an excellent infrastructure to set up these kind of tests. We should use it and maybe enforce usage of it. And if the test infrastructure is not up to par: the more users, the more fixers. |
@kampfschlaefer I agree with you, that there should be more tests. I've adapted the above nixops deployment as NixOS test Please, test as following:
This proves the regression. In similar manner it is easy to show, that adding The
|
From my point of view this is in fact a regression. Yes, there was no test covering this functionality, which is indeed very unfortunate. But it was trivially & without hacks possible through the NixOS module system to enable and use the openvpn service in a NixOS container. This is not only a problem for VPN daemons but all services requiring special device nodes. We've thus removed useful and expectable functionality in 16.09 compared to 16.03 without and an easy and natural way to override these restrictions using the module system. Classical regression IMHO. Thanks for the test! LGTM in principle, could you please open another PR for that? This commit does indeed touch a lot of chunks of code in the container code which also makes me feel a bit uneasy. I've checked the history of
Therefore I think it's safe and useful to backport this to 16.09. 👍 |
@danbst, could you please open a PR for adding the test to NixOS test suite? |
Sorry I missed this for so long...! |
Motivation for this change
This is a backport of #18822 to 16.09. Fixes #18708.
Note that I haven't tested this.
/cc author @wlhlm, and @danbst who is interested in this.
Things done
(nix.useSandbox on NixOS,
or option
build-use-sandbox
innix.conf
on non-NixOS)
nix-shell -p nox --run "nox-review wip"
./result/bin/
)