Lxc-stop, lxc-start results in inability to use tun0 openvpn client [Solved Ubuntu]

I am on Ubuntu 18.04 LTS and have configured an unprivileged lxc container and shared /dev/net in my lxc config (for my local user). Does anyone have a fix? Or is this a known issue?

/home/lxc/.local/share/lxc/vpn/config:

...
        ## for openvpn
        lxc.mount.entry = /dev/net dev/net none bind,create=dir
        lxc.cgroup.devices.allow = c 10:200 rwm
...

Everything has been great, except if I start/stop my lxc, doing:

lxc-stop vpn
lxc-start vpn

And then my openvpn tun0 won’t initialize.

dmesg:

[  650.862768] audit: type=1400 audit(1530151117.222:65): apparmor="DENIED" operation="mount" info="failed type match" error=-13 profile="lxc-container-default-cgns" name="/sys/fs/cgroup/unified/" pid=5425 comm="systemd" fstype="cgroup2" srcname="cgroup" flags="rw, nosuid, nodev, noexec"
[  650.862795] audit: type=1400 audit(1530151117.222:66): apparmor="DENIED" operation="mount" info="failed type match" error=-13 profile="lxc-container-default-cgns" name="/sys/fs/cgroup/unified/" pid=5425 comm="systemd" fstype="cgroup2" srcname="cgroup" flags="rw, nosuid, nodev, noexec"
[  650.893486] audit: type=1400 audit(1530151117.254:67): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-container-default-cgns" name="/" pid=5537 comm="(md-udevd)" flags="rw, rslave"
[  650.895543] audit: type=1400 audit(1530151117.258:68): apparmor="DENIED" operation="mount" info="failed type match" error=-13 profile="lxc-container-default-cgns" name="/sys/kernel/config/" pid=5540 comm="mount" fstype="configfs" srcname="configfs"
[  650.895547] audit: type=1400 audit(1530151117.258:69): apparmor="DENIED" operation="mount" info="failed type match" error=-13 profile="lxc-container-default-cgns" name="/sys/kernel/config/" pid=5540 comm="mount" fstype="configfs" srcname="configfs" flags="ro"
[  650.899681] audit: type=1400 audit(1530151117.262:70): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-container-default-cgns" name="/" pid=5550 comm="(networkd)" flags="rw, rslave"
[  650.957649] audit: type=1400 audit(1530151117.318:71): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-container-default-cgns" name="/" pid=5572 comm="(resolved)" flags="rw, rslave"

syslog:

Jun 28 01:58:37 vpn systemd-sysctl[48]: Couldn't write '4 4 1 7' to 'kernel/printk', ignoring: Permission denied
Jun 28 01:58:37 vpn systemd-sysctl[48]: Couldn't write '2' to 'net/ipv6/conf/all/use_tempaddr', ignoring: No such file or directory
Jun 28 01:58:37 vpn systemd-sysctl[48]: Couldn't write '2' to 'net/ipv6/conf/default/use_tempaddr', ignoring: No such file or directory
Jun 28 01:58:37 vpn systemd-sysctl[48]: Couldn't write '1' to 'kernel/kptr_restrict', ignoring: Permission denied
Jun 28 01:58:37 vpn systemd-sysctl[48]: Couldn't write '1' to 'fs/protected_hardlinks', ignoring: Permission denied
Jun 28 01:58:37 vpn systemd-sysctl[48]: Couldn't write '1' to 'fs/protected_symlinks', ignoring: Permission denied
Jun 28 01:58:37 vpn systemd-sysctl[48]: Couldn't write '176' to 'kernel/sysrq', ignoring: Permission denied
Jun 28 01:58:37 vpn keyboard-setup.sh[43]: Couldn't get a file descriptor referring to the console
Jun 28 01:58:37 vpn systemd-sysctl[48]: Couldn't write '1' to 'kernel/yama/ptrace_scope', ignoring: Permission denied
Jun 28 01:58:37 vpn keyboard-setup.sh[43]: Couldn't get a file descriptor referring to the console
Jun 28 01:58:37 vpn systemd-sysctl[48]: Couldn't write '65536' to 'vm/mmap_min_addr', ignoring: Permission denied
Jun 28 01:58:37 vpn rsyslogd: imuxsock: Acquired UNIX socket '/run/systemd/journal/syslog' (fd 3) from systemd.  [v8.32.0]
Jun 28 01:58:37 vpn rsyslogd: imklog: cannot open kernel log (/proc/kmsg): Permission denied.
Jun 28 01:58:37 vpn rsyslogd: activation of module imklog failed [v8.32.0 try http://www.rsyslog.com/e/2145 ]

lxc.mount.entry = /dev/net/tun dev/net/tun none bind,create=file 0 0 works for me.

Instead of using lxc.mount.entry = /dev/net dev/net none bind,create=dir ?

Oh, I see now that it is working with your config except that openvpn is not starting at boot time. Hence it is not a matter of the LXC config then, and there is nothing in those error logs stipulating tun or openvpn failing. Perhaps you should look at the openvpn logs instead.
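The reply above makes its point by reading the AppArmor denials by eye. The following added example (not code from the thread or from the LXC project) parses the `apparmor="DENIED"` audit lines from dmesg into key/value records, collapses the repeated systemd mount attempts into a per-target summary, and flags only events whose target path or process name refer to /dev/net/tun or openvpn. The sample input is constructed: its first three lines mirror the denials quoted above, and the fourth is an invented file-access denial included only to show what a tun-related event would look like if one were present.

```python
import re
from collections import Counter

# Constructed sample input (not captured from a real host): three lines mirror the
# mount denials quoted in the thread, the fourth is an invented tun-related denial.
SAMPLE_DMESG = """\
[  650.862768] audit: type=1400 audit(1530151117.222:65): apparmor="DENIED" operation="mount" info="failed type match" error=-13 profile="lxc-container-default-cgns" name="/sys/fs/cgroup/unified/" pid=5425 comm="systemd" fstype="cgroup2" srcname="cgroup" flags="rw, nosuid, nodev, noexec"
[  650.893486] audit: type=1400 audit(1530151117.254:67): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-container-default-cgns" name="/" pid=5537 comm="(md-udevd)" flags="rw, rslave"
[  650.895543] audit: type=1400 audit(1530151117.258:68): apparmor="DENIED" operation="mount" info="failed type match" error=-13 profile="lxc-container-default-cgns" name="/sys/kernel/config/" pid=5540 comm="mount" fstype="configfs" srcname="configfs"
[  651.000000] audit: type=1400 audit(1530151117.400:72): apparmor="DENIED" operation="open" info="" error=-13 profile="lxc-container-default-cgns" name="/dev/net/tun" pid=5600 comm="openvpn" requested_mask="rw" denied_mask="rw"
"""

# key="quoted value" or key=bare_value; quoted values may contain spaces (flags="rw, rslave").
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# Leading dmesg uptime stamp, e.g. "[  650.862768]".
TS_RE = re.compile(r'^\[\s*([\d.]+)\]')

# Markers that would tie a denial to the tun device or the VPN client process.
TUN_MARKERS = ('/dev/net/tun', 'openvpn')


def parse_apparmor_line(line):
    """Return a dict of fields for one AppArmor audit line, or None if the line
    is not an AppArmor event at all (e.g. an rsyslog or systemd-sysctl message)."""
    if 'apparmor=' not in line:
        return None
    fields = {}
    m = TS_RE.match(line)
    if m:
        fields['uptime'] = float(m.group(1))
    for key, quoted, bare in KV_RE.findall(line):
        # findall yields '' for the alternative that did not match; an empty
        # quoted value (info="") correctly ends up as ''.
        fields[key] = bare if bare else quoted
    return fields


def parse_dmesg(text):
    """Collect only the DENIED events from a block of dmesg output."""
    events = []
    for line in text.splitlines():
        ev = parse_apparmor_line(line)
        if ev and ev.get('apparmor') == 'DENIED':
            events.append(ev)
    return events


def summarize_denials(events):
    """Count denials by (profile, operation, target) so that repeated attempts
    by the same init process collapse into a single row."""
    return Counter((e.get('profile'), e.get('operation'), e.get('name')) for e in events)


def tun_related(events):
    """Events whose target path, process name or mount source mention the tun
    device or openvpn; an empty result means AppArmor is not what blocks tun0."""
    hits = []
    for e in events:
        haystack = ' '.join(str(e.get(k, '')) for k in ('name', 'comm', 'srcname'))
        if any(marker in haystack for marker in TUN_MARKERS):
            hits.append(e)
    return hits


if __name__ == '__main__':
    evs = parse_dmesg(SAMPLE_DMESG)
    for (profile, op, target), n in sorted(summarize_denials(evs).items()):
        print(f'{n:3d}  {profile}  {op:6s}  {target}')
    for e in tun_related(evs):
        print('tun-related denial:', e.get('comm'), e.get('name'), e.get('denied_mask', ''))
```

Run against the real host's `dmesg` (or `journalctl -k`) output instead of the sample: if `tun_related` returns nothing, the mount denials for cgroup2, configfs and the rslave remount are the usual noise from systemd inside the default unprivileged profile, and the openvpn unit's own logs are the next place to look, as the reply suggests.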

Had a similar issue with openvpn in a gentoo container and this sorted it


On Ubuntu 16.04, I had to override the openvpn systemd unit with this:

[Service]
LimitNPROC=infinity

You can set this with systemctl edit openvpn followed by a systemctl daemon-reload and systemctl restart openvpn.

I don’t know if that’s the issue you’re running into here, but that certainly was a problem in the past with unprivileged containers and openvpn.


You are correct, it had to do with my systemd. However, currently I did not have to add the following to openvpn.service:
LimitNPROC=infinity

What I actually discovered was when I enabled the service, it did multiple instances of openvpn.service @service etc and was causing an issue. I removed all of them and went with a basic openvpn.service, rebooted my machine and they started working.

This is Ubuntu 18.04 and I did notice some lxc updates recently too, so I'm not sure if it's a combo. I appreciate the responses.