docs: add tun-not-permitted to common problems
cmj2002 committed Dec 8, 2024
1 parent 06239fc commit 1dab548
Showing 3 changed files with 7 additions and 0 deletions.
4 changes: 4 additions & 0 deletions README.md
Expand Up @@ -103,6 +103,10 @@ The default `GOST_ARGS` is `-L :1080`, which provides HTTP and SOCKS5 proxy. If

You may want to use the proxy from another container and find that you cannot connect to `127.0.0.1:1080` in that container. This is because the `docker-compose.yml` only maps the port to the host, not to other containers. To solve this problem, you can use the service name as the hostname, for example, `warp:1080`. You also need to put the two containers in the same docker network.

### "Operation not permitted" when open tun

Error like `{ err: Os { code: 1, kind: PermissionDenied, message: "Operation not permitted" }, context: "open tun" }` is caused by [a updated of containerd](https://github.com/containerd/containerd/releases/tag/v1.7.24). You need to pass the tun device to the container following the [instruction](docs/tun-not-permitted.md).

### NFT error on Synology or QNAP NAS

If you are using Synology or QNAP NAS, you may encounter an error like `Failed to run NFT command`. This is because both Synology and QNAP use old iptables, while WARP uses nftables. It can't be easily fixed since nftables need to be added when the kernel is compiled.
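
Review bot: In the added paragraph under `### "Operation not permitted" when open tun`, the phrase "is caused by [a updated of containerd]" is ungrammatical, and the affected version appears only inside the link URL, so a reader has to click through to learn which release is involved. Suggest "is caused by an update of containerd (v1.7.24)", "An error like" at the start of the sentence, and "when opening tun" in the heading. The sentence "You need to pass the tun device to the container" could also name the device (`/dev/net/tun`, as in docs/tun-not-permitted.md), so a reader who does not follow the link still sees that a single device is to be granted, not wider container privileges.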
1 change: 1 addition & 0 deletions docs/README.md
Expand Up @@ -9,3 +9,4 @@ This directory contains advanced usage and configurations of the project. Below
- [masque.md](masque.md): Describes how to enable MASQUE, WARP's new protocol.
- [podman.md](podman.md): Provides information to run the container with Podman.
- [proxy-mode.md](proxy-mode.md): instructions on how to use the container in WARP's proxy mode.
- [tun-not-permitted.md](tun-not-permitted.md): Explains the error message `{ err: Os { code: 1, kind: PermissionDenied, message: "Operation not permitted" }, context: "open tun" }` and how to resolve it.
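
Review bot: The new `tun-not-permitted.md` index entry repeats the full error literal, which makes it far longer than the `masque.md`, `podman.md` and `proxy-mode.md` entries above it and creates another copy to keep in sync if the message text changes. Suggest a short description such as "Explains the `open tun` "Operation not permitted" error and how to resolve it", leaving the exact strings to the linked page. The entry also omits the second symptom that page lists, `CRITIC: /dev/net/tun not pass`, so someone searching the index for that string will not find it.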
2 changes: 2 additions & 0 deletions docs/tun-not-permitted.md
@@ -1,5 +1,7 @@
# Solution to open tun operation not permitted

You are seeing this page because you encounter `{ err: Os { code: 1, kind: PermissionDenied, message: "Operation not permitted" }, context: "open tun" }` or `CRITIC: /dev/net/tun not pass`.

## Problem

On Nov 21, 2024, [containerd](https://github.com/containerd/containerd) released version [1.7.24](https://github.com/containerd/containerd/releases/tag/v1.7.24) which updated [runc](https://github.com/opencontainers/runc) to 1.2.2 and introduced [a breaking change that remove tun/tap from the default device rules](https://github.com/opencontainers/runc/pull/3468).
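
Review bot: The added intro line lists two messages, the `{ err: Os { ... }, context: "open tun" }` structure and `CRITIC: /dev/net/tun not pass`, without saying where each one is printed, so a reader cannot tell which log to look in to confirm they are on the right page. Suggest naming the source of each message, and changing "because you encounter" to "because you encountered". While this paragraph is being touched, "a breaking change that remove tun/tap" in the `## Problem` text below it should read "removes".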
