Tunnel network interface inside ubuntu docker

I am trying to build container running juniper VPN client. My environment is Ubuntu 14.04. I am using the msjnc(http://mad-scientist.us/juniper.html). The problem I experienced is once msjnc launched, it should bring up a tunnel interface - tun0. Inside docker, such interface never get created. I manually create the /dev/net/tun with mknod /dev/net/tun c 10 200 and result is the same. Did I miss anything or such configuration is not supported inside docker?



root@griffinv1:~# docker inspect 914ad45696b4
“Args”: [
“Config”: {
“AttachStderr”: false,
“AttachStdin”: false,
“AttachStdout”: false,
“Cmd”: [
“CpuShares”: 0,
“Cpuset”: “”,
“Domainname”: “”,
“Entrypoint”: null,
“Env”: [
“ExposedPorts”: {
“22/tcp”: {}
“Hostname”: “914ad45696b4”,
“Image”: “docker-desktop”,
“Memory”: 0,
“MemorySwap”: 0,
“NetworkDisabled”: false,
“OnBuild”: null,
“OpenStdin”: false,
“PortSpecs”: null,
“StdinOnce”: false,
“Tty”: false,
“User”: “”,
“Volumes”: null,
“WorkingDir”: “”
“Created”: “2014-08-26T02:11:33.97198952Z”,
“Driver”: “aufs”,
“ExecDriver”: “native-0.2”,
“HostConfig”: {
“Binds”: null,
“CapAdd”: null,
“CapDrop”: null,
“ContainerIDFile”: “”,
“Devices”: null,
“Dns”: null,
“DnsSearch”: null,
“Links”: null,
“LxcConf”: [],
“NetworkMode”: “bridge”,
“PortBindings”: {},
“Privileged”: true,
“PublishAllPorts”: true,
“RestartPolicy”: {
“MaximumRetryCount”: 0,
“Name”: “”
“VolumesFrom”: null
“HostnamePath”: “/var/lib/docker/containers/914ad45696b41dc8a6111c8388c1cc195fbf87d477a60ac1cff4dd0c33c1b965/hostname”,
“HostsPath”: “/var/lib/docker/containers/914ad45696b41dc8a6111c8388c1cc195fbf87d477a60ac1cff4dd0c33c1b965/hosts”,
“Id”: “914ad45696b41dc8a6111c8388c1cc195fbf87d477a60ac1cff4dd0c33c1b965”,
“Image”: “27c34ce235c4ee20c6301e3150221a879be0fab2d614e76f508a25d4a04205d8”,
“MountLabel”: “”,
“Name”: “/silly_kowalevski”,
“NetworkSettings”: {
“Bridge”: “”,
“Gateway”: “”,
“IPAddress”: “”,
“IPPrefixLen”: 0,
“PortMapping”: null,
“Ports”: null
“Path”: “/bin/bash”,
“ProcessLabel”: “”,
“ResolvConfPath”: “/etc/resolv.conf”,
“State”: {
“ExitCode”: 0,
“FinishedAt”: “2014-08-27T19:32:39.099818528Z”,
“Paused”: false,
“Pid”: 0,
“Restarting”: false,
“Running”: false,
“StartedAt”: “2014-08-27T17:10:40.749519851Z”
“Volumes”: {},
“VolumesRW”: {}

last time I looked, you could not mknod during a docker build.

you may need to use the --privileged flag on your docker run - or perhaps create the device on the host, and then use

--device=[] Add a host device to the container (e.g. --device=/dev/sdc:/dev/xvdc)

Hi Sven,

Thanks for your reply! I use the “–device” and "–privileged=true to create the container and still can’t launch the VPN tunnel.

I enabled the verbose log and compare the output within and outside of docker container. When I run outside of container, one VPN component “ncsvc” is owned by root with SUID/SGID and log file it generated is also owned by root. When I launch VPN inside docker container, “ncsvc” is still owned by root with SUID/SGID, but log file it generated is owned by regular user. I think this is the key. If SUID program can’t run as root inside container, it can’t bring up the additional VPN tunnel interface. It seems I am hitting the dead end now.:->