nspawn: ignore failure in creating /dev/net/tun when --private-network is unspecified

Follow-up for efedb6b0f3cff37950112fd37cb750c16d599bc7. Closes #35116. (cherry picked from commit 985ea98e7f90c92fcc0b8441fafb190353d2feb8) Really rewritten from scratch. (cherry picked from commit 04ee5e25a1082d4c6c0c52a154d5ad5fc959a853) (cherry picked from commit 45b39f98c9abfcf305641d697392aacbf5e022d0) (cherry picked from commit c25b73f93b369861259244e5a8c55cf82d97adb8) (cherry picked from commit 2ba27c38fe13000d94cad41f24bb0023c0fb35e7)
2025-03-12 08:58:20 +03:00 · 2024-11-13 13:36:11 +09:00 · 2024-11-13 13:36:11 +09:00 · 55d4bf4a17
commit 55d4bf4a17
parent a1861869f5
1 changed files with 19 additions and 3 deletions
--- a/src/nspawn/nspawn.c
+++ b/src/nspawn/nspawn.c
@ -2240,6 +2240,7 @@ static int copy_devnodes(const char *dest) {
        NULSTR_FOREACH(d, devnodes) {
                _cleanup_free_ char *from = NULL, *to = NULL;
                struct stat st;
+                bool ignore_mknod_failure = streq(d, "net/tun");

                from = path_join("/dev/", d);
                if (!from)
@ -2264,16 +2265,31 @@ static int copy_devnodes(const char *dest) {
                                /* Explicitly warn the user when /dev is already populated. */
                                if (errno == EEXIST)
                                        log_notice("%s/dev is pre-mounted and pre-populated. If a pre-mounted /dev is provided it needs to be an unpopulated file system.", dest);
-                                if (errno != EPERM || arg_uid_shift != 0)
+                                if (errno != EPERM || arg_uid_shift != 0) {
+                                        if (ignore_mknod_failure) {
+                                                log_debug_errno(r, "mknod(%s) failed, ignoring: %m", to);
+                                                return 0;
+                                        }
                                        return log_error_errno(errno, "mknod(%s) failed: %m", to);
+                                }

                                /* Some systems abusively restrict mknod but allow bind mounts. */
                                r = touch(to);
-                                if (r < 0)
+                                if (r < 0) {
+                                        if (ignore_mknod_failure) {
+                                                log_debug_errno(r, "touch (%s) failed, ignoring: %m", to);
+                                                return 0;
+                                        }
                                        return log_error_errno(r, "touch (%s) failed: %m", to);
+                                }
                                r = mount_nofollow_verbose(LOG_DEBUG, from, to, NULL, MS_BIND, NULL);
-                                if (r < 0)
+                                if (r < 0) {
+                                        if (ignore_mknod_failure) {
+                                                log_debug_errno(r, "Both mknod and bind mount (%s) failed, ignoring: %m", to);
+                                                return 0;
+                                        }
                                        return log_error_errno(r, "Both mknod and bind mount (%s) failed: %m", to);
+                                }
                        } else {
                                r = userns_lchown(to, 0, 0);
                                if (r < 0)