@tomp @stgraber
If you use LXD and have installed the Mullvad VPN you may find that you can no longer launch and start an LXD container.
Mullvad VPN’s installation mounts a cgroup v1 “net_cls” hierarchy at /sys/fs/cgroup/net_cls, i.e. inside the cgroup2 mount, which is the root of the problem.
To check whether a cgroup v1 net_cls hierarchy is mounted inside the cgroup2 tree, run:
$ grep cgroup /proc/mounts
If net_cls is listed under /sys/fs/cgroup, as below:
cgroup2 /sys/fs/cgroup cgroup2 rw,nosuid,nodev,noexec,relatime 0 0
net_cls /sys/fs/cgroup/net_cls cgroup rw,relatime,net_cls 0 0
and you are unable to create and start a new LXD container, you will need to mount
net_cls somewhere else (literally anywhere else, as long as it is outside /sys/fs/cgroup).
The Mullvad issue tracking this is:
net_cls interfering with lxd · Issue #3651 · mullvad/mullvadvpn-app · GitHub (https://github.com/mullvad/mullvadvpn-app/issues/3651)
So as an example let’s create a mount point /opt/net-cls-v1 (you can use any directory path and name you want):
$ sudo mkdir -p /opt/net-cls-v1
$ sudo mount -t cgroup -o net_cls net_cls /opt/net-cls-v1
$ sudo chown -R root:root /opt/net-cls-v1
After mounting net_cls on /opt/net-cls-v1, run:
$ grep cgroup /proc/mounts
Now you should see “net_cls” mounted on /opt/net-cls-v1 (the old entry under /sys/fs/cgroup is dealt with below, after the daemon has been restarted):
cgroup2 /sys/fs/cgroup cgroup2 rw,nosuid,nodev,noexec,relatime 0 0
net_cls /opt/net-cls-v1 cgroup rw,relatime,net_cls 0 0
Edit the Mullvad systemd unit file so the new mount point for “net_cls” is permanent (survives reboots).
NOTE: this means adding the line Environment="TALPID_NET_CLS_MOUNT_DIR=/opt/net-cls-v1/"
to the [Service] section of the unit (see below). Be aware that a direct edit of the packaged unit file under /lib/systemd/system is overwritten when the Mullvad package is upgraded; a drop-in override created with “sudo systemctl edit mullvad-daemon”, containing just the [Service] header and that Environment line, survives package upgrades as well as reboots. The direct edit is shown here:
$ cd /lib/systemd/system
$ sudo nano ./mullvad-daemon.service
Change the Mullvad unit file “mullvad-daemon.service” FROM:
# Systemd service unit file for the Mullvad VPN daemon
# testing if new changes are added

[Unit]
Description=Mullvad VPN daemon
Before=network-online.target
After=mullvad-early-boot-blocking.service NetworkManager.service systemd-resolved.service
StartLimitBurst=5
StartLimitIntervalSec=20
RequiresMountsFor=/opt/Mullvad\x20VPN/resources/

[Service]
Restart=always
RestartSec=1
ExecStart=/usr/bin/mullvad-daemon -v --disable-stdout-timestamps
Environment="MULLVAD_RESOURCE_DIR=/opt/Mullvad VPN/resources/"

[Install]
WantedBy=multi-user.target
To THIS:
# Systemd service unit file for the Mullvad VPN daemon
# testing if new changes are added

[Unit]
Description=Mullvad VPN daemon
Before=network-online.target
After=mullvad-early-boot-blocking.service NetworkManager.service systemd-resolved.service
StartLimitBurst=5
StartLimitIntervalSec=20
RequiresMountsFor=/opt/Mullvad\x20VPN/resources/

[Service]
Restart=always
RestartSec=1
ExecStart=/usr/bin/mullvad-daemon -v --disable-stdout-timestamps
Environment="MULLVAD_RESOURCE_DIR=/opt/Mullvad VPN/resources/"
Environment="TALPID_NET_CLS_MOUNT_DIR=/opt/net-cls-v1/"

[Install]
WantedBy=multi-user.target
Finally, reload systemd (it does not re-read an edited unit file on its own) and restart Mullvad’s daemon so it mounts net_cls on /opt/net-cls-v1:
$ sudo systemctl daemon-reload
$ sudo systemctl restart mullvad-daemon
And verify that net_cls is now mounted on /opt/net-cls-v1:
$ mount | grep net_cls
net_cls on /opt/net-cls-v1 type cgroup (rw,relatime,net_cls)
If the old mount at /sys/fs/cgroup/net_cls is still listed as well, unmount it with “sudo umount /sys/fs/cgroup/net_cls”; LXD keeps failing for as long as a v1 controller sits inside the cgroup2 tree.
Now test by launching a new LXD container; you should see something like:
$ lxc launch ubuntu:22.04 cn1
Creating cn1
Starting cn1
$ lxc ls
should now show your new cn1 container created and running.
And these changes will survive a reboot!
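The whole procedure above as one script, added here as an example and not taken from the forum post or from the Mullvad project: it detects the broken layout by parsing /proc/mounts, mounts the net_cls controller at the new location, drops the copy inside /sys/fs/cgroup, and persists the setting through a systemd drop-in rather than by editing the packaged unit file. The TALPID_NET_CLS_MOUNT_DIR variable and the unit name mullvad-daemon.service are the ones from the post; the drop-in file name net-cls.conf, the NET_CLS_ACTION switch and the embedded sample of /proc/mounts are this example’s own assumptions.

```shell
#!/bin/sh
# Added example (not from the forum post or the Mullvad project): detect the
# broken cgroup layout from /proc/mounts, relocate net_cls and persist the
# setting with a systemd drop-in instead of editing the packaged unit file.
# Assumptions: TALPID_NET_CLS_MOUNT_DIR and mullvad-daemon.service as in the
# post; net-cls.conf and the NET_CLS_ACTION switch are this example's choices.
set -eu

NET_CLS_DIR="${NET_CLS_DIR:-/opt/net-cls-v1}"
DROPIN_DIR=/etc/systemd/system/mullvad-daemon.service.d

# Constructed sample of the broken layout, in /proc/mounts format.
SAMPLE_BROKEN='cgroup2 /sys/fs/cgroup cgroup2 rw,nosuid,nodev,noexec,relatime 0 0
net_cls /sys/fs/cgroup/net_cls cgroup rw,relatime,net_cls 0 0'

# Mount point of the cgroup2 hierarchy, read from /proc/mounts text on stdin.
cgroup2_mountpoint() {
    awk '$3 == "cgroup2" { print $2; exit }'
}

# Mount point of the cgroup v1 hierarchy carrying the net_cls controller
# (a "cgroup" entry whose option list contains "net_cls"), or nothing.
net_cls_mountpoint() {
    awk '$3 == "cgroup" {
        n = split($4, opt, ",")
        for (i = 1; i <= n; i++) if (opt[i] == "net_cls") { print $2; exit }
    }'
}

# Succeeds when net_cls is mounted below the cgroup2 root: the layout that
# breaks LXD. Argument: /proc/mounts content as a single string.
net_cls_shadows_cgroup2() {
    c2=$(printf '%s\n' "$1" | cgroup2_mountpoint)
    nc=$(printf '%s\n' "$1" | net_cls_mountpoint)
    [ -n "$c2" ] && [ -n "$nc" ] || return 1
    case "$nc" in
        "$c2"/*) return 0 ;;
        *) return 1 ;;
    esac
}

# Drop-in that sets the daemon's mount directory; systemd merges it into
# the [Service] section of the packaged unit, so package upgrades keep it.
dropin_contents() {
    printf '[Service]\nEnvironment="TALPID_NET_CLS_MOUNT_DIR=%s/"\n' "$1"
}

# Relocate the net_cls mount and make it permanent. Needs root.
apply_fix() {
    mounts=$(cat /proc/mounts)
    old=$(printf '%s\n' "$mounts" | net_cls_mountpoint)
    mkdir -p "$NET_CLS_DIR"
    if [ "$old" != "$NET_CLS_DIR" ]; then
        # A v1 controller hierarchy can be mounted at several paths at once,
        # so mount the new location first, then drop the one under /sys/fs/cgroup.
        mount -t cgroup -o net_cls net_cls "$NET_CLS_DIR"
        if [ -n "$old" ] && net_cls_shadows_cgroup2 "$mounts"; then
            umount "$old" || echo "could not unmount $old (busy?); it is gone after a reboot"
        fi
    fi
    mkdir -p "$DROPIN_DIR"
    dropin_contents "$NET_CLS_DIR" > "$DROPIN_DIR/net-cls.conf"
    systemctl daemon-reload
    systemctl restart mullvad-daemon
}

case "${NET_CLS_ACTION:-}" in
    check)
        if net_cls_shadows_cgroup2 "$(cat /proc/mounts)"; then
            echo "net_cls is mounted inside the cgroup2 tree: LXD will fail to start containers"
        else
            echo "net_cls is not shadowing cgroup2"
        fi ;;
    apply) apply_fix ;;
    demo)  net_cls_shadows_cgroup2 "$SAMPLE_BROKEN" && echo "sample layout is broken" ;;
esac
```

Run `NET_CLS_ACTION=check sh fix-net-cls.sh` as any user to see whether the machine has the broken layout, and `sudo NET_CLS_ACTION=apply sh fix-net-cls.sh` to relocate the mount and write the drop-in; afterwards `grep cgroup /proc/mounts` should list net_cls only under /opt/net-cls-v1. The detection keys on the mount type and option list rather than on the path name, so it also catches a net_cls mount placed under a cgroup2 root other than /sys/fs/cgroup.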