nspawn: ignore failure in creating /dev/net/tun when --private-network is unspecified

yuwata · bluca · commit 55d4bf4a17ce · 2024-11-16T18:30:43.000Z
Follow-up for efedb6b. Closes #35116. (cherry picked from commit 985ea98) Really rewritten from scratch. (cherry picked from commit 04ee5e2) (cherry picked from commit 45b39f9) (cherry picked from commit c25b73f) (cherry picked from commit 2ba27c3)
diff --git a/src/nspawn/nspawn.c b/src/nspawn/nspawn.c
@@ -2240,6 +2240,7 @@ static int copy_devnodes(const char *dest) {
         NULSTR_FOREACH(d, devnodes) {
                 _cleanup_free_ char *from = NULL, *to = NULL;
                 struct stat st;
+                bool ignore_mknod_failure = streq(d, "net/tun");
 
                 from = path_join("/dev/", d);
                 if (!from)
@@ -2264,16 +2265,31 @@ static int copy_devnodes(const char *dest) {
                                 /* Explicitly warn the user when /dev is already populated. */
                                 if (errno == EEXIST)
                                         log_notice("%s/dev is pre-mounted and pre-populated. If a pre-mounted /dev is provided it needs to be an unpopulated file system.", dest);
-                                if (errno != EPERM || arg_uid_shift != 0)
+                                if (errno != EPERM || arg_uid_shift != 0) {
+                                        if (ignore_mknod_failure) {
+                                                log_debug_errno(r, "mknod(%s) failed, ignoring: %m", to);
+                                                return 0;
+                                        }
                                         return log_error_errno(errno, "mknod(%s) failed: %m", to);
+                                }
 
                                 /* Some systems abusively restrict mknod but allow bind mounts. */
                                 r = touch(to);
-                                if (r < 0)
+                                if (r < 0) {
+                                        if (ignore_mknod_failure) {
+                                                log_debug_errno(r, "touch (%s) failed, ignoring: %m", to);
+                                                return 0;
+                                        }
                                         return log_error_errno(r, "touch (%s) failed: %m", to);
+                                }
                                 r = mount_nofollow_verbose(LOG_DEBUG, from, to, NULL, MS_BIND, NULL);
-                                if (r < 0)
+                                if (r < 0) {
+                                        if (ignore_mknod_failure) {
+                                                log_debug_errno(r, "Both mknod and bind mount (%s) failed, ignoring: %m", to);
+                                                return 0;
+                                        }
                                         return log_error_errno(r, "Both mknod and bind mount (%s) failed: %m", to);
+                                }
                         } else {
                                 r = userns_lchown(to, 0, 0);
                                 if (r < 0)
