I am running debian stretch on my host and I try to configure openvpn inside an Ubuntu xenial LXC guest.
Because openvpn needs a tun device, I followed guides such as http://heider.io/blog/2013/10/26/openvpn-in-a-lxc-container/ to allow tun device creation inside the container.
Unfortunately, setting lxc.cgroup.devices.allow = c 10:200 rwm in the container's config file gives me this error:
lxc-start ERROR lxc_cgfsng - cgroups/cgfsng.c:cgfsng_setup_limits:1949 - No such file or directory - Error setting devices.allow to c 10:200 rwm for ubuntu
lxc-start ERROR lxc_start - start.c:lxc_spawn:1236 - Failed to setup the devices cgroup for container "ubuntu".
lxc-start ERROR lxc_start - start.c:__lxc_start:1346 - Failed to spawn container "ubuntu".
Edit
I am trying to achieve this in an unpriviledged LXC container, here is the full configuration of this container:
# Distribution configuration
lxc.include = /usr/share/lxc/config/ubuntu.common.conf
lxc.include = /usr/share/lxc/config/ubuntu.userns.conf
lxc.arch = x86_64
# Container specific configuration
lxc.id_map = u 0 100000 65536
lxc.id_map = g 0 100000 65536
lxc.rootfs = /home/myuser/.local/share/lxc/ubuntu/rootfs
lxc.rootfs.backend = dir
lxc.utsname = ubuntu
# Network configuration
lxc.network.type = veth
lxc.network.flags = up
lxc.network.link = br0
lxc.network.hwaddr = 00:11:22:aa:bb:cc
lxc.network.ipv4 = 192.168.1.101/24
lxc.network.ipv4.gateway = 192.168.1.1
# trying to get /dev/net/tun inside container
lxc.cgroup.devices.allow = c 10:200 rwm
When I do not set the devices.allow option in order to be able to start the container, I can see processes inside the container are in the cgroup
/sys/fs/cgroup/devices/user.slice (their PID, viewed from outside the container, are actually in the cgroup.procs file of this subdirectory), and from here :
$ cat devices.list
a *:* rwm
but from inside the container
# mknod /dev/net/tun c 10 200
mknod: /dev/net/tun: Operation not permitted