Docker-compose seems to be ignoring cap_add: NET_ADMIN

Hi all
I have a docker-compose.yaml file which starts like below. Its purpose is to connect to a VPN so that other containers can connect through it.

version: '2'

services:

  vpn:
    container_name: vpn
    image: bubuntux/nordvpn
    restart: always

    cap_add:
      - NET_ADMIN
    devices:
      - /dev/net/tun
    environment:
      - USER=emailaddress
      - PASS=username
      - COUNTRY=United_Kingdom
      - PROTOCOL=UDP
      - NETWORK=192.168.0.0/24
      - OPENVPN_OPTS=--pull-filter ignore "ping-restart" --ping-exit 180
      - TZ=Europe/London
    network_mode: bridge

Now when running this I am presented with this error:

Error response from daemon: linux runtime spec devices: error gathering device information while adding custom device "/dev/net/tun": no such file or directory

When running the container in privileged mode it works; however, I would like to avoid that.

Is anyone aware of a reason whereby the cap_add net_admin would be ignored?

2 Likes

Hi Wellinger,

I’ve just had something similar and found that you also need to be running as (root) user id 0 and have net_admin.

Bit late, but it might help someone who has the same problem.

I’m having the same issue while using docker-compose inside Portainer. Is there a way I can check to ensure that Portainer is running as root?
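
An added example, not part of the thread: a shell sketch that checks the three things the posts above mention (effective UID 0, NET_ADMIN in the effective capability set, and the /dev/net/tun device node) by reading a /proc/<pid>/status style file. The function names and the sample status files are constructed for illustration.

```shell
#!/bin/sh
# Added example; function names and sample data are constructed.
# Inside a running container: diagnose /proc/1/status /dev/net/tun

CAP_NET_ADMIN_BIT=12   # CAP_NET_ADMIN in <linux/capability.h>

# Print field COL of the "KEY:" line from a /proc/<pid>/status style file.
status_field() {  # FILE KEY COL
    awk -v k="$2:" -v c="$3" '$1 == k { print $c; exit }' "$1"
}

# Succeed if the effective UID is 0 (Uid: real effective saved fs).
is_root() {
    [ "$(status_field "$1" Uid 3)" = "0" ]
}

# Succeed if CAP_NET_ADMIN is set in the effective mask (CapEff).
has_net_admin() {
    hex=$(status_field "$1" CapEff 2)
    # Reject empty or non-hex input before it reaches the arithmetic.
    case "$hex" in ''|*[!0-9a-fA-F]*) return 2 ;; esac
    [ $(( (0x$hex >> $CAP_NET_ADMIN_BIT) & 1 )) -eq 1 ]
}

# One-line summary of UID, capability and device node state.
diagnose() {  # STATUS_FILE TUN_PATH
    if is_root "$1"; then r="uid=root"; else r="uid=non-root"; fi
    if has_net_admin "$1"; then c="net_admin=effective"; else c="net_admin=missing"; fi
    if [ -c "$2" ]; then d="tun=present"; else d="tun=absent"; fi
    echo "$r $c $d"
}

# Constructed samples: root with NET_ADMIN added, root with the default
# capability set, and a non-root user whose effective set is empty.
SAMPLE_DIR=$(mktemp -d)
printf 'Uid:\t0\t0\t0\t0\nCapEff:\t00000000a80435fb\n' > "$SAMPLE_DIR/root_with_cap"
printf 'Uid:\t0\t0\t0\t0\nCapEff:\t00000000a80425fb\n' > "$SAMPLE_DIR/root_default"
printf 'Uid:\t1000\t1000\t1000\t1000\nCapEff:\t0000000000000000\n' > "$SAMPLE_DIR/nonroot_with_cap"

diagnose "$SAMPLE_DIR/root_with_cap" /dev/null
diagnose "$SAMPLE_DIR/root_default" "$SAMPLE_DIR/no-such-tun"
diagnose "$SAMPLE_DIR/nonroot_with_cap" /dev/null
```

If the device reads as absent on the Docker host itself, the `devices:` entry has no node to map, whatever capabilities are set.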