error: host vs container / private vs shared / tun/tap vs ethertap about tinc HOT 5 CLOSED

log shows apparent problem:

ioctl(3, TUNSETIFF, 0x7fffb3906320)     = -1 EPERM (Operation not permitted)
ioctl(3, _IOC(0, 0x54, 0xca, 0), 0x7fffb3906320) = -1 EBADFD (File descriptor in bad state)

and the workaround is

systemd-nspawn ... --capability=CAP_NET_ADMIN

which is also cofirmed by
https://www.freedesktop.org/software/systemd/man/systemd-nspawn.html

--capability=
   ... Also CAP_NET_ADMIN is retained if --private-network is specified. ...

then these requests remain:
A) can tinc work with less capabilities then CAP_NET_ADMIN?
B) please report Operation not permitted instead of File descriptor in bad state?

from tinc.

attached is log from

# strace tincd -D -d 3 -n mail &> tinc.log

tinc.log.zip

from tinc.

A) CAP_NET_ADMIN is necessary to create a tun or tap device:
https://github.com/torvalds/linux/blob/master/Documentation/networking/tuntap.txt#L44
Other device types might work well without CAP_NET_ADMIN.

from tinc.

Tinc can work without CAP_NET_ADMIN. In fact, it can even be started as a non-root user, even with a tun device: one needs to set up a persistent tun device beforehand, and ensure the non-root user has permissions to use it. To do this, use the following command:

ip tuntap add dev $NETNAME mode tun user $USER

Where you have to fill in $NETNAME and $USER yourself of course. You also have to configure the tun/tap interface before you start tinc, since if it doesn't have CAP_NET_ADMIN, the tinc-up script will most likely fail too.

from tinc.

thank you

from tinc.