You are seeing this page because you encountered { err: Os { code: 1, kind: PermissionDenied, message: "Operation not permitted" }, context: "open tun" } or CRITIC: /dev/net/tun not pass.
If you get CRITIC: /dev/net/tun not pass, update the image to the latest version. It is caused by a previous (later reverted) fix that required /dev/net/tun to be passed to the container. The latest image has removed this requirement. If you still get { err: Os { code: 1, kind: PermissionDenied, message: "Operation not permitted" }, context: "open tun" } after updating the image, please follow the instructions below.
On Nov 21, 2024, containerd released version 1.7.24, which updated runc to 1.2.2 and introduced a breaking change that removes tun/tap from the default device rules.
As a result, /dev/net/tun cannot be accessed by the container unless the device is explicitly passed, even if the container has created /dev/net/tun by itself.
Thanks @hugoghx for reporting this issue.
To solve this issue, you need to add the removed rule back to the container. For example:
version: "3"
services:
  warp:
    image: caomingjun/warp
    container_name: warp
    restart: always
    # ===== Add the following 2 lines =====
    device_cgroup_rules:
      - 'c 10:200 rwm'
    # ================ End ================
    ports:
      - "1080:1080"
    environment:
      - WARP_SLEEP=2
      # - WARP_LICENSE_KEY= # optional
    cap_add:
      # Docker already has them, these are for podman users
      - MKNOD
      - AUDIT_WRITE
      # additional required cap for warp, both for podman and docker
      - NET_ADMIN
    sysctls:
      - net.ipv6.conf.all.disable_ipv6=0
      - net.ipv4.conf.all.src_valid_mark=1
    volumes:
      - ./data:/var/lib/cloudflare-warp
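The rule format is "type major:minor access", and the rule above names exactly one device. The following is an added example, not part of the project's code: it checks a list of device_cgroup_rules entries against the tun device and reports rules that grant more than tun. The function names are hypothetical, and the needed access "rwm" is an assumption (the container creates the node itself and opens it read/write).

```python
import re

# /dev/net/tun is a character device with major 10, minor 200,
# which is what 'c 10:200' in the compose rule refers to.
TUN = ("c", 10, 200)

_RULE = re.compile(r"^([acb])\s+(\*|\d+):(\*|\d+)\s+([rwm]{1,3})$")


def parse_rule(rule):
    """Split 'type major:minor access' into parts; raise ValueError if malformed."""
    m = _RULE.match(rule.strip())
    if not m:
        raise ValueError(f"malformed device cgroup rule: {rule!r}")
    dev_type, major, minor, access = m.groups()
    return dev_type, major, minor, set(access)


def rule_allows(rule, device=TUN, needed="rwm"):
    """True if this single rule grants every access letter in `needed` on `device`.

    Type 'a' covers both character and block devices; '*' matches any number.
    """
    dev_type, major, minor, access = parse_rule(rule)
    want_type, want_major, want_minor = device
    return (
        dev_type in ("a", want_type)
        and major in ("*", str(want_major))
        and minor in ("*", str(want_minor))
        and set(needed) <= access
    )


def audit(rules, device=TUN, needed="rwm"):
    """Return (allowed, broad): whether any rule covers the device, and which
    matching rules use type 'a' or a wildcard and so expose more than tun."""
    matching = [r for r in rules if rule_allows(r, device, needed)]
    broad = [r for r in matching if parse_rule(r)[0] == "a" or "*" in r]
    return bool(matching), broad
```

An empty `broad` list with `allowed` set to True means the container gets tun and nothing else through these rules.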
Note
This is a previous (later reverted) solution, which was used in images fc0c8c6, 1f75fb6 and 1dab548. Although it solved the problem on most devices, it caused issues on some devices. We have reverted this change.
Warning
This section is only for recording the solution for possible future needs; please do NOT follow this solution!
To solve this issue, you need to pass the /dev/net/tun device to the container. We also recommend updating the image to the latest version to avoid any other issues.
To pass the device to the container, you need to add devices at the service level. For example:
version: "3"
services:
  warp:
    image: caomingjun/warp
    container_name: warp
    restart: always
    # ===== Add the following 2 lines =====
    devices:
      - /dev/net/tun:/dev/net/tun
    # ================ End ================
    ports:
      - "1080:1080"
    environment:
      - WARP_SLEEP=2
      # - WARP_LICENSE_KEY= # optional
    cap_add:
      # Docker already has them, these are for podman users
      - MKNOD
      - AUDIT_WRITE
      # additional required cap for warp, both for podman and docker
      - NET_ADMIN
    sysctls:
      - net.ipv6.conf.all.disable_ipv6=0
      - net.ipv4.conf.all.src_valid_mark=1
    volumes:
      - ./data:/var/lib/cloudflare-warp