I run an openvpn client inside a podman container (with podman-compose: sudo podman-compose -f compose.yaml up -d).
Everything worked fine until recently. Now, running the command above, openvpn fails with an error:
ERROR: Cannot open TUN/TAP dev /dev/net/tun: Operation not permitted (errno=1)
Last time I successfully started the containers was about two weeks ago and I have not modified any configs since.
I think maybe some recent update (e.g. kernel, selinux or podman) broke my setup. I am running podman 5.2.5 on Silverblue 41 with kernel 6.11.6-300.fc41.x86_64. Does anyone have any clues?
Still not working. I checked the capabilities of the bash process (PID 7737) of the container using the command sudo getpcaps 7737. It has the following capabilities:
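The capability check described in the post, as an added diagnostic that is not part of the original thread: a POSIX shell script that decodes a CapEff mask of the kind found in /proc/PID/status, checks that the TUN device node exists and can actually be opened read-write (the call that fails in the error above), and reports which check fails. It assumes the kernel's numbering of CAP_NET_ADMIN as bit 12 (from linux/capability.h) and the standard node path /dev/net/tun; the mask 00000000a80425fb in the demo is a constructed sample (the common default container capability set, which lacks CAP_NET_ADMIN), and PID 7737 is only reused from the post.

```shell
#!/bin/sh
# Added diagnostic (not from the original post). Three checks for "Cannot open
# TUN/TAP dev /dev/net/tun": node present, node openable, CAP_NET_ADMIN held.
# CAP_NET_ADMIN is bit 12 in the kernel's capability numbering (assumption
# taken from linux/capability.h); the TUN node is character device 10:200.

CAP_NET_ADMIN=12

# has_cap HEXMASK BIT: succeed if bit BIT is set in HEXMASK, which is the
# format of the CapEff line in /proc/PID/status (e.g. 00000000a80425fb).
has_cap() {
    _dec=$(( 0x$1 ))
    [ $(( (_dec >> $2) & 1 )) -eq 1 ]
}

# cap_eff_of PID: print the CapEff mask of a running process. Reading another
# user's process needs root, which is why the post used sudo getpcaps.
cap_eff_of() {
    awk '/^CapEff:/ { print $2 }' "/proc/$1/status"
}

# tun_device_ok [PATH]: succeed if PATH (default /dev/net/tun) is a char device.
# A missing node fails with ENOENT, not the EPERM (errno=1) seen in the post.
tun_device_ok() {
    [ -c "${1:-/dev/net/tun}" ]
}

# tun_open_ok [PATH]: try the same open(O_RDWR) openvpn performs. open() on the
# TUN node needs no capability; an EPERM here with the node present points at
# the device allowlist the container runtime applies (or an LSM policy), not at
# the capability set.
tun_open_ok() {
    ( exec 3<>"${1:-/dev/net/tun}" ) 2>/dev/null
}

# diagnose_tun HEXMASK [PATH]: print each check; return 0 only if all pass.
# CAP_NET_ADMIN is required by the TUNSETIFF ioctl that follows the open, so a
# missing bit would produce a "Cannot ioctl TUNSETIFF" error rather than the
# open error quoted in the post.
diagnose_tun() {
    _path=${2:-/dev/net/tun}
    _rc=0
    if tun_device_ok "$_path"; then
        echo "ok:   $_path is a character device"
    else
        echo "fail: $_path missing or not a char device (check the compose 'devices:' entry)"
        _rc=1
    fi
    if tun_open_ok "$_path"; then
        echo "ok:   $_path can be opened read-write"
    else
        echo "fail: open($_path, O_RDWR) refused; suspect the runtime's device allowlist or LSM policy"
        _rc=1
    fi
    if has_cap "$1" "$CAP_NET_ADMIN"; then
        echo "ok:   CAP_NET_ADMIN present in CapEff $1"
    else
        echo "fail: CAP_NET_ADMIN missing from CapEff $1; TUNSETIFF would be refused"
        _rc=1
    fi
    return $_rc
}

# Usage on a live container process (PID as in the post):
#   diagnose_tun "$(cap_eff_of 7737)"
# Demo with a constructed mask (default container set, which lacks bit 12):
if [ "${1:-}" = "--demo" ]; then
    diagnose_tun 00000000a80425fb
fi
```

Run it inside the container (as the same user openvpn runs as) and on the host against the container's PID; the two results differ when the restriction comes from the runtime's device allowlist, since the host process is outside that cgroup.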
After a recent update, the bug has been fixed upstream. But I think I should still write it down here.
After updating the system, the container without the privileged: true flag worked again without producing the error. After rolling back to the previous deployment, the error reappeared. So the culprit should be one of the following packages (output of rpm-ostree db diff):
I think netavark or crun might be the culprit because they are related to the container and their changelogs show that their update dates are approximately when I encountered the problem:
Output of rpm -q --changelog crun:
* Fri Dec 06 2024 Packit <hello@packit.dev> - 1.19-1
- Update to 1.19 upstream release
* Thu Oct 31 2024 Packit <hello@packit.dev> - 1.18.2-1
- Update to 1.18.2 upstream release
* Wed Oct 30 2024 Packit <hello@packit.dev> - 1.18.1-1
- Update to 1.18.1 upstream release
Output of rpm -q --changelog netavark:
* Thu Dec 05 2024 Packit <hello@packit.dev> - 2:1.13.1-1
- Update to 1.13.1 upstream release
* Tue Oct 29 2024 Packit <hello@packit.dev> - 2:1.13.0-1
- Update to 1.13.0 upstream release
* Mon Aug 19 2024 Packit <hello@packit.dev> - 2:1.12.2-1
- Update to 1.12.2 upstream release