Docker container TUN restriction

Symptom

Creating a TUN device inside a Docker container fails, and it still fails after switching to root:

(trusty)zzm@localhost:~$ sudo tunctl -t tun0
TUNSETIFF failed: Operation not permitted

Note

The example above is the error I got when trying to use a TUN device in a Cloud9 workspace; in practice, any software that depends on TUN/TAP, such as OpenVPN or OpenConnect, hits the same problem when run inside a Docker container.

Cause

By default, Docker containers are started with a reduced set of Linux capabilities (see man capabilities). The reduced set does not include some network-related functionality (presumably so that containers can't sniff traffic from the host or other containers); creating a TUN device needs CAP_NET_ADMIN, which is not in that default set.

Solution

To start a container with full network capabilities, either explicitly add the NET_ADMIN capability (CAP_NET_ADMIN; Docker accepts the name without the CAP_ prefix) with the --cap-add argument, e.g.:

docker run -d --cap-add NET_ADMIN myimage

Or give the container the full set of privileges with --privileged, e.g.:

docker run -d --privileged myimage
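As an added diagnostic (not part of the original post), the following POSIX sh functions can be run inside the container before trying tunctl: they decode the CapEff mask from /proc/self/status to confirm CAP_NET_ADMIN (capability number 12) is in the effective set, and check that the /dev/net/tun device node is visible, since --cap-add NET_ADMIN grants the capability but does not by itself expose the device node (that needs --device /dev/net/tun, or --privileged). The two reference CapEff values in the comments are constructed from Docker's default capability list, not captured from the page.

```sh
#!/bin/sh
# Added diagnostic: explain why TUNSETIFF fails in this container.
# Decodes CapEff from a /proc/<pid>/status file and checks for CAP_NET_ADMIN
# (capability number 12 in <linux/capability.h>), then checks that the
# /dev/net/tun device node is present. Both are needed for tunctl/OpenVPN.

# cap_bit_set MASK BIT: succeed if capability BIT is set in hex MASK
# (MASK in the form printed by /proc/<pid>/status, e.g. 00000000a80425fb).
cap_bit_set() {
    [ -n "$1" ] || return 1
    [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]
}

# cap_eff [STATUS_FILE]: print the effective capability mask of a process
# (default: the current process).
cap_eff() {
    awk '/^CapEff:/ { print $2 }' "${1:-/proc/self/status}"
}

# tun_ready [STATUS_FILE] [TUN_DEV]: return 0 if the process could create a
# TUN device, 1 if CAP_NET_ADMIN is missing, 2 if the device node is missing.
tun_ready() {
    status_file=${1:-/proc/self/status}
    tun_dev=${2:-/dev/net/tun}
    mask=$(cap_eff "$status_file")
    if ! cap_bit_set "$mask" 12; then
        echo "CAP_NET_ADMIN absent (CapEff=$mask): start the container with --cap-add NET_ADMIN" >&2
        return 1
    fi
    if [ ! -c "$tun_dev" ]; then
        echo "$tun_dev is not a character device: add --device /dev/net/tun" >&2
        return 2
    fi
    echo "CAP_NET_ADMIN present and $tun_dev available; TUNSETIFF should succeed"
    return 0
}

# Reference values constructed from Docker's default capability list:
#   CapEff: 00000000a80425fb  -> bit 12 clear, tunctl fails with EPERM
#   CapEff: 00000000a80435fb  -> the same set plus CAP_NET_ADMIN
```

Source this file in the container and run `tun_ready`; a non-zero return tells you which of the two requirements is missing.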