With recent versions of Docker and containerd (>= 1.74), OpenVPN does not work in Kathara devices.
This is most likely due to a known issue of runc 1.2.2 (dependency of containerd 1.7.4).
Eventually, this will become a problem for most of the users (Debian Sid is already using containerd 1.7.4).
When trying to instantiate an OpenVPN server (clients behave the same way), the following error is raised (verb 2 in the OpenVPN configuration file):
root@s1:~# openvpn server.conf
Mon Jan 6 09:23:30 2025 WARNING: file '/root/myserver.key' is group or others accessible
Mon Jan 6 09:23:30 2025 OpenVPN 2.4.7 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Apr 28 2021
Mon Jan 6 09:23:30 2025 library versions: OpenSSL 1.1.1n 15 Mar 2022, LZO 2.10
Enter Private Key Password:
Mon Jan 6 09:23:33 2025 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Mon Jan 6 09:23:33 2025 ERROR: Cannot open TUN/TAP dev /dev/net/tun: Operation not permitted (errno=1)
Mon Jan 6 09:23:33 2025 Exiting due to fatal error
Workaround: Start the kathara lab as privileged:
sudo kathara lstart --privileged
Keep in mind that a privileged instance of Kathara does not start terminals automatically, so you need to connect to nodes manually with kathara connect (without sudo is fine).
Steps To Reproduce
Create a simple laboratory (also a single node should be sufficient) and try to start an OpenVPN instance (client or server is irrelevant).
I already created one for fast reproduction.
More details are in the README.md file inside the laboratory.
Expected Behavior
There should be a way to make /dev/net/tun accessible (and to add NET_ADMIN as a container capability), either automatically or by setting it in lab.conf for single devices, so that the following works as expected:
root@s1:~# openvpn server.conf
Mon Jan 6 09:27:17 2025 WARNING: file '/root/myserver.key' is group or others accessible
Mon Jan 6 09:27:17 2025 OpenVPN 2.4.7 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Apr 28 2021
Mon Jan 6 09:27:17 2025 library versions: OpenSSL 1.1.1n 15 Mar 2022, LZO 2.10
Enter Private Key Password:
Mon Jan 6 09:27:20 2025 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Mon Jan 6 09:27:20 2025 TUN/TAP device tun0 opened
Mon Jan 6 09:27:20 2025 /sbin/ip link set dev tun0 up mtu 1500
Mon Jan 6 09:27:20 2025 /sbin/ip addr add dev tun0 10.8.0.1/24 broadcast 10.8.0.255
Mon Jan 6 09:27:20 2025 Could not determine IPv4/IPv6 protocol. Using AF_INET
Mon Jan 6 09:27:20 2025 UDPv4 link local (bound): [AF_INET][undef]:1194
Mon Jan 6 09:27:20 2025 UDPv4 link remote: [AF_UNSPEC]
Mon Jan 6 09:27:20 2025 Initialization Sequence Completed
(This output was generated in a Kathara environment started as --privileged).
Check Command Output
Current Manager is: Docker (Kathara)
Manager version is: 27.3.1
Python version is: 3.11.8 (main, Feb 12 2024, 14:50:05) [GCC 13.2.1 20230801]
Kathara version is: 3.7.6
Operating System version is: Linux-6.12.6-zen1-1-zen-x86_64
✓ Container run successfully.
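
A diagnostic for the failure reported above, as an added example that is not part of the original issue or of Kathara: run inside a device, it reports whether the /dev/net/tun node is missing, whether opening it is refused (the errno=1 case in the log), or whether CAP_NET_ADMIN is absent from the effective capability set. The function names and result strings are hypothetical.

```shell
#!/bin/sh
# Added example (not Kathara code): find out which prerequisite for
# OpenVPN's TUN device is missing inside a container.

# CAP_NET_ADMIN is capability number 12 in linux/capability.h.
CAP_NET_ADMIN=12

# has_cap HEXMASK BIT: succeeds if BIT is set in the hex capability mask.
has_cap() {
    [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]
}

# tun_diagnose [STATUS_FILE] [DEVICE]
# Prints one of: no-node, open-denied, no-net-admin, ok
tun_diagnose() {
    status_file=${1:-/proc/self/status}
    dev=${2:-/dev/net/tun}

    # 1. The node must exist and be a character device.
    if [ ! -c "$dev" ]; then
        echo no-node
        return 1
    fi

    # 2. Opening it read-write must succeed. A refusal here matches
    #    "Cannot open TUN/TAP dev ... Operation not permitted".
    if ! ( exec 3<>"$dev" ) 2>/dev/null; then
        echo open-denied
        return 1
    fi

    # 3. Configuring the interface needs CAP_NET_ADMIN in the effective set.
    capeff=$(awk '/^CapEff:/ { print $2 }' "$status_file")
    if [ -z "$capeff" ] || ! has_cap "$capeff" "$CAP_NET_ADMIN"; then
        echo no-net-admin
        return 1
    fi

    echo ok
}
```

Call `tun_diagnose` with no arguments inside the device. With plain Docker, the narrow grants that correspond to these checks are `--device /dev/net/tun` and `--cap-add NET_ADMIN`, rather than the full `--privileged` mode used in the workaround.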
jcondor98 changed the title from "OpenVPN and /dev/net/tun related software may not work when conatinerd >= 1.74" to "OpenVPN and /dev/net/tun related software may not work when containerd >= 1.74" on Jan 7, 2025
Operating System: ArchLinux
Kathará Version: 3.7.6