LXC: Allow openfortivpn client to create a ppp0 interface


(Clueless Technologist) #1

I get the following error when I try to use openfortivpn in my container:

ERROR:  read: Input/output error
INFO:   Cancelling threads...
DEBUG:  Waiting for pppd to exit...
DEBUG:  waitpid: pppd exit status code 4
ERROR:  pppd: Is not setuid-root and the invoking user is not root.
  1. Created an unprivileged container.
  2. Added lxc.cgroup.devices.allow = c 10:200 rwm to .config/lxc/default.conf
  3. Added lxc.mount.entry = /dev/ppp dev/ppp none bind,create=file to container conf file.

What am I missing?


#2

You need to get more information for this error. Try to get verbose debug or something similar. The rest of the messages may not (and I think do not) be helpful, especially the part about pppd and root.

To increase verbosity, see https://github.com/adrienverge/openfortivpn/issues/335
That’s about Crostini which uses LXD. But it does not run proper Linux kernel so it is not possible to make it work there.

Have a look at how to get OpenVPN to work with LXD,


It is likely that you need to do something similar.


(Clueless Technologist) #3

Verbose logging was already enabled.
I enabled pppd logging now but this is all I get:

Couldn't open the /dev/ppp device: Permission denied

I tried to enable CAP_NET_ADMIN, but not sure how to enable it. Documentation not clear on this.

lxc config set my-container raw.lxc=lxc.cap.keep=CAP_NET_ADMIN 
error: Bad server config key: 'my-container'

(Stéphane Graber) #4

Your lxc config set is wrong, you should have a space between the raw.lxc and lxc.cap.keep rather than that first = sign.

That being said, it won’t do you any good because we don’t drop CAP_NET_ADMIN, so there’s no point in directly asking lxc to keep it.

The permission denied issue is most likely either because the device wasn’t passed through unix-char and is therefore missing a devices cgroup entry (You should be able to confirm by checking /sys/fs/cgroup/devices/devices.list) or because the ppp kernel module is returning the error.


(Clueless Technologist) #5

cat /sys/fs/cgroup/devices/devices.list

 a *:* rwm

I have added lxc.cgroup.devices.allow = c 108:0 rwm # /dev/ppp to both global and local config.
But /sys/fs/cgroup/devices/devices.list won’t change.


(Stéphane Graber) #6

Okay, so this looks like an unprivileged container in which devices cgroup doesn’t matter which is why it’s got an allow-all rule in place.

So your problem isn’t going to be a pure device permission problem, it’s most likely that the ppp kernel module does its own permission check and looks for the real root user.

I suspect your only workaround at this time would be to switch to a privileged container (set security.privileged=true).
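As an added example (not from this thread or from LXD itself), a small POSIX shell helper that evaluates a devices.list of the kind Stéphane points at against a device spec, so you can tell whether a rule actually covers /dev/ppp (char 108:0, as used above) or whether the file just holds the unprivileged-container allow-all rule `a *:* rwm` that makes the check moot. The function names and the constructed sample list are mine; the 10:200 entry in the sample is /dev/net/tun.

```shell
#!/bin/sh
# Check whether a devices-cgroup allow list (the content of
# /sys/fs/cgroup/devices/devices.list) permits a given device.
# Rule format: "<type> <major>:<minor> <access>", e.g. "a *:* rwm" (allow all),
# "c 108:0 rwm" (/dev/ppp, as in this thread), "c 10:* rw" (wildcard minor).
#
# device_allowed TYPE MAJOR MINOR ACCESS LIST
#   returns 0 if some rule covers the device with every requested access letter.
device_allowed() {
  printf '%s\n' "$5" | awk -v type="$1" -v major="$2" -v minor="$3" -v want="$4" '
    function covers(rule, req) { return rule == "*" || rule == req }
    NF == 3 {
      split($2, mm, ":")
      if (($1 == "a" || $1 == type) && covers(mm[1], major) && covers(mm[2], minor)) {
        # every requested access letter (r, w, m) must appear in the rule
        ok = 1
        for (i = 1; i <= length(want); i++)
          if (index($3, substr(want, i, 1)) == 0) ok = 0
        if (ok) { found = 1; exit }
      }
    }
    END { exit found ? 0 : 1 }'
}

# Report on /dev/ppp for a given list text (hypothetical helper name).
report_ppp() {
  if device_allowed c 108 0 rwm "$1"; then
    echo "devices cgroup: c 108:0 rwm (/dev/ppp) is allowed"
  else
    echo "devices cgroup: c 108:0 rwm (/dev/ppp) is NOT allowed; pass it through as a unix-char device"
  fi
}

# Use the live cgroup file when present (inside a container); otherwise fall back
# to a constructed sample where only /dev/net/tun (10:200) is allowed.
if [ -r /sys/fs/cgroup/devices/devices.list ]; then
  report_ppp "$(cat /sys/fs/cgroup/devices/devices.list)"
else
  report_ppp 'c 10:200 rwm'
fi
```

Run it inside the container: an allow-all line means, as post #6 explains, the devices cgroup is not what is denying /dev/ppp, so look at the ppp module's own root check instead.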


(Clueless Technologist) #7

I created a privileged container.

But I kept getting ERROR: /usr/sbin/pppd: No such file or directory.

So I changed the config to this:

lxc.cgroup.devices.allow = c 108:0 rwm # /dev/ppp
lxc.mount.entry = /usr/sbin/pppd usr/sbin/pppd none bind,create=file
security.privileged=true

But then I get this:

DEBUG:  pppd_read_thread
DEBUG:  ssl_read_thread
DEBUG:  ssl_write_thread
DEBUG:  if_config thread
DEBUG:  pppd_write thread
ERROR:  read: Input/output error
INFO:   Cancelling threads...
DEBUG:  Waiting for pppd to exit...
DEBUG:  waitpid: pppd exit status code 127
ERROR:  pppd: Returned an unknown exit status
INFO:   Terminated pppd.
INFO:   Closed connection to gateway.

#8

You would need to dig into pppd_write and see why it cannot write (and if something can be done about it for an unprivileged container).

Are there any available Fortinet VPN servers in case anyone would like to try and help you out debugging the connection establishment?
For example, for OpenVPN there are several options.


(Andras Dosztal) #9

Do you use Apparmor / SELinux? A misconfigured profile can cause such issues.


(Clueless Technologist) #10

Don’t know, I will have to check with my Fortinet colleagues.

I’m using Ubuntu 16.04 so I guess Apparmor can cause issues.


(Andras Dosztal) #11

> I’m using Ubuntu 16.04 so I guess Apparmor can cause issues.

Check in the logs if some operation was denied. If you can’t find anything, run the VPN client with strace.