I get the following error when I try to use openfortivpn in my container:
ERROR: read: Input/output error
INFO: Cancelling threads...
DEBUG: Waiting for pppd to exit...
DEBUG: waitpid: pppd exit status code 4
ERROR: pppd: Is not setuid-root and the invoking user is not root.
Created an unprivileged container.
Added lxc.cgroup.devices.allow = c 10:200 rwm to .config/lxc/default.conf
You need to get more information for this error. Try to get verbose debug or something similar. The rest of the messages may not (and I think do not) be helpful, especially the part about pppd and root.
To increase verbosity, see https://github.com/adrienverge/openfortivpn/issues/335
That’s about Crostini, which uses LXD. But it does not run a proper Linux kernel, so it is not possible to make it work there.
Have a look at how to get OpenVPN to work with LXD.
It is likely that you need to do something similar.
Your lxc config set is wrong, you should have a space between the raw.lxc and lxc.cap.keep rather than that first = sign.
That being said, it won’t do you any good because we don’t drop CAP_NET_ADMIN, so there’s no point in directly asking lxc to keep it.
The permission denied issue is most likely either because the device wasn’t passed through unix-char and is therefore missing a devices cgroup entry (You should be able to confirm by checking /sys/fs/cgroup/devices/devices.list) or because the ppp kernel module is returning the error.
Okay, so this looks like an unprivileged container in which devices cgroup doesn’t matter which is why it’s got an allow-all rule in place.
So your problem isn’t going to be a pure device permission problem, it’s most likely that the ppp kernel module does its own permission check and looks for the real root user.
I suspect your only workaround at this time would be to switch to a privileged container (set security.privileged=true).
You would need to dig into pppd_write and see why it cannot write (and if something can be done about it for an unprivileged container).
Are there any available Fortinet VPN servers in case anyone would like to try and help you out debugging the connection establishment?
For example, for OpenVPN there are several options.
I realize this is an old post, /me posting a reply here because I ran into this and have it working.
I had a similar issue around (pppd: Is not setuid-root). Previously I sshed into the lxc container and then did sudo. That didn’t work. What did work was, in the host, to sudo su and then lxc-attach -n [container_name]. That way, I was root on the host and then was root in the container. Starting openfortivpn then succeeded.
I don’t understand the difference there. If someone else explains that’ll be cool :-). Just posting here since that works for me and might help others in future.
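The replies above name four things to check before blaming openfortivpn: whether the ppp driver is loaded, whether /dev/ppp was passed through, whether the devices cgroup allows it (the devices.list check), and whether uid 0 inside the container is container root or host root (the privileged-container suggestion and the lxc-attach workaround both turn on that distinction). The script below is an added example written for this thread, not code from openfortivpn, LXC or any poster. It relies on these facts: pppd opens /dev/ppp, which is character device 108:0 (the `c 10:200` rule in the first post is /dev/net/tun, not /dev/ppp); a loaded ppp_generic appears as `108 ppp` in /proc/devices; a cgroup-v1 devices.list line has the form `TYPE MAJOR:MINOR ACCESS`; and /proc/self/uid_map reads `0 0 4294967295` only in the initial user namespace (host or privileged container). The function names and the sample inputs are mine.

```shell
#!/bin/sh
# Added example (not from the thread): pre-flight checks for running pppd /
# openfortivpn inside an LXC/LXD container. Each parser takes the file text as
# an argument so it can be exercised on constructed input; ppp_preflight() at
# the bottom reads the live files of whatever container it runs in.

# Returns 0 when the given /proc/devices text lists the ppp character device
# (major 108), i.e. ppp_generic is loaded on the host kernel.
ppp_driver_loaded() {
    printf '%s\n' "$1" | grep -q '^ *108 ppp$'
}

# Returns 0 when the given cgroup-v1 devices.list text grants write access to
# char 108:0 (/dev/ppp). Accepts the wildcard forms the devices cgroup itself
# uses: "a *:*", "c 108:*", "c 108:0". Unprivileged containers normally show
# "a *:* rwm" because the devices cgroup is not what restricts them.
devices_allow_ppp() {
    while read -r type dev acc; do
        case "$type" in a|c) ;; *) continue ;; esac
        case "$dev" in '*:*'|'108:*'|'108:0') ;; *) continue ;; esac
        case "$acc" in *w*) return 0 ;; esac
    done <<EOF
$1
EOF
    return 1
}

# Returns 0 when the given /proc/self/uid_map text is the identity map of the
# initial user namespace: uid 0 here is the host's root, not a mapped uid.
in_init_userns() {
    read -r lo hi cnt <<EOF
$1
EOF
    [ "$lo" = 0 ] && [ "$hi" = 0 ] && [ "$cnt" = 4294967295 ]
}

# Live report. Every branch exits 0, so the script is safe under "set -e".
ppp_preflight() {
    if in_init_userns "$(cat /proc/self/uid_map)"; then
        echo "user namespace: initial (host or privileged container)"
    else
        echo "user namespace: mapped (unprivileged container); uid 0 is not host root"
    fi
    if ppp_driver_loaded "$(cat /proc/devices)"; then
        echo "ppp driver: loaded (108 ppp in /proc/devices)"
    else
        echo "ppp driver: missing; on the host: modprobe ppp_generic"
    fi
    if [ -c /dev/ppp ]; then
        echo "/dev/ppp: present"
    else
        echo "/dev/ppp: missing; LXD: lxc config device add <ctr> ppp unix-char path=/dev/ppp"
    fi
    list=/sys/fs/cgroup/devices/devices.list
    if [ -r "$list" ]; then
        if devices_allow_ppp "$(cat "$list")"; then
            echo "devices cgroup: allows char 108:0"
        else
            echo "devices cgroup: blocks char 108:0; LXC: lxc.cgroup.devices.allow = c 108:0 rwm"
        fi
    else
        echo "devices cgroup: v1 devices.list not visible (cgroup v2 or not mounted)"
    fi
}

ppp_preflight
```

Run it as root inside the container before starting openfortivpn. Each failing line names the host or container knob that fixes it; the first line tells you whether you are container root or host root, which is the difference the last post observed between `ssh` + `sudo` and `lxc-attach` from host root.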