I am on Ubuntu 18.04 LTS. I have configured an unprivileged lxc container and shared /dev/net in my lxc config (for my local user). Does anyone have a fix, or is this a known issue?
/home/lxc/.local/share/lxc/vpn/config:
...
## for openvpn
lxc.mount.entry = /dev/net dev/net none bind,create=dir
lxc.cgroup.devices.allow = c 10:200 rwm
...
Everything has been great, except when I stop/start my lxc by doing:
lxc-stop vpn
lxc-start vpn
After that, my openvpn tun0 won't initialize.
dmesg:
[ 650.862768] audit: type=1400 audit(1530151117.222:65): apparmor="DENIED" operation="mount" info="failed type match" error=-13 profile="lxc-container-default-cgns" name="/sys/fs/cgroup/unified/" pid=5425 comm="systemd" fstype="cgroup2" srcname="cgroup" flags="rw, nosuid, nodev, noexec"
[ 650.862795] audit: type=1400 audit(1530151117.222:66): apparmor="DENIED" operation="mount" info="failed type match" error=-13 profile="lxc-container-default-cgns" name="/sys/fs/cgroup/unified/" pid=5425 comm="systemd" fstype="cgroup2" srcname="cgroup" flags="rw, nosuid, nodev, noexec"
[ 650.893486] audit: type=1400 audit(1530151117.254:67): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-container-default-cgns" name="/" pid=5537 comm="(md-udevd)" flags="rw, rslave"
[ 650.895543] audit: type=1400 audit(1530151117.258:68): apparmor="DENIED" operation="mount" info="failed type match" error=-13 profile="lxc-container-default-cgns" name="/sys/kernel/config/" pid=5540 comm="mount" fstype="configfs" srcname="configfs"
[ 650.895547] audit: type=1400 audit(1530151117.258:69): apparmor="DENIED" operation="mount" info="failed type match" error=-13 profile="lxc-container-default-cgns" name="/sys/kernel/config/" pid=5540 comm="mount" fstype="configfs" srcname="configfs" flags="ro"
[ 650.899681] audit: type=1400 audit(1530151117.262:70): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-container-default-cgns" name="/" pid=5550 comm="(networkd)" flags="rw, rslave"
[ 650.957649] audit: type=1400 audit(1530151117.318:71): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-container-default-cgns" name="/" pid=5572 comm="(resolved)" flags="rw, rslave"
syslog:
Jun 28 01:58:37 vpn systemd-sysctl[48]: Couldn't write '4 4 1 7' to 'kernel/printk', ignoring: Permission denied
Jun 28 01:58:37 vpn systemd-sysctl[48]: Couldn't write '2' to 'net/ipv6/conf/all/use_tempaddr', ignoring: No such file or directory
Jun 28 01:58:37 vpn systemd-sysctl[48]: Couldn't write '2' to 'net/ipv6/conf/default/use_tempaddr', ignoring: No such file or directory
Jun 28 01:58:37 vpn systemd-sysctl[48]: Couldn't write '1' to 'kernel/kptr_restrict', ignoring: Permission denied
Jun 28 01:58:37 vpn systemd-sysctl[48]: Couldn't write '1' to 'fs/protected_hardlinks', ignoring: Permission denied
Jun 28 01:58:37 vpn systemd-sysctl[48]: Couldn't write '1' to 'fs/protected_symlinks', ignoring: Permission denied
Jun 28 01:58:37 vpn systemd-sysctl[48]: Couldn't write '176' to 'kernel/sysrq', ignoring: Permission denied
Jun 28 01:58:37 vpn keyboard-setup.sh[43]: Couldn't get a file descriptor referring to the console
Jun 28 01:58:37 vpn systemd-sysctl[48]: Couldn't write '1' to 'kernel/yama/ptrace_scope', ignoring: Permission denied
Jun 28 01:58:37 vpn keyboard-setup.sh[43]: Couldn't get a file descriptor referring to the console
Jun 28 01:58:37 vpn systemd-sysctl[48]: Couldn't write '65536' to 'vm/mmap_min_addr', ignoring: Permission denied
Jun 28 01:58:37 vpn rsyslogd: imuxsock: Acquired UNIX socket '/run/systemd/journal/syslog' (fd 3) from systemd. [v8.32.0]
Jun 28 01:58:37 vpn rsyslogd: imklog: cannot open kernel log (/proc/kmsg): Permission denied.
Jun 28 01:58:37 vpn rsyslogd: activation of module imklog failed [v8.32.0 try http://www.rsyslog.com/e/2145 ]
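When triaging a post like this, the first question is which paths and filesystem types the lxc-container-default-cgns profile is actually denying, and whether any denial touches the shared /dev/net at all. The following is an added example (not from the original post or the LXC project) that parses the type=1400 AppArmor audit lines in the dmesg format shown above, groups DENIED events by profile/operation/path/fstype, and checks whether any denied path falls under a given prefix; the sample input is constructed from the lines quoted in the post plus one unrelated kernel message.

```python
import re

# Constructed sample: AppArmor audit lines in dmesg format (taken from the post) plus one non-audit line.
SAMPLE_DMESG = """\
[  650.862768] audit: type=1400 audit(1530151117.222:65): apparmor="DENIED" operation="mount" info="failed type match" error=-13 profile="lxc-container-default-cgns" name="/sys/fs/cgroup/unified/" pid=5425 comm="systemd" fstype="cgroup2" srcname="cgroup" flags="rw, nosuid, nodev, noexec"
[  650.862795] audit: type=1400 audit(1530151117.222:66): apparmor="DENIED" operation="mount" info="failed type match" error=-13 profile="lxc-container-default-cgns" name="/sys/fs/cgroup/unified/" pid=5425 comm="systemd" fstype="cgroup2" srcname="cgroup" flags="rw, nosuid, nodev, noexec"
[  650.893486] audit: type=1400 audit(1530151117.254:67): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-container-default-cgns" name="/" pid=5537 comm="(md-udevd)" flags="rw, rslave"
[  650.895543] audit: type=1400 audit(1530151117.258:68): apparmor="DENIED" operation="mount" info="failed type match" error=-13 profile="lxc-container-default-cgns" name="/sys/kernel/config/" pid=5540 comm="mount" fstype="configfs" srcname="configfs"
[  651.000000] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
"""

# "audit: type=1400 audit(<epoch>.<ms>:<serial>): <key=value ...>"
AUDIT_RE = re.compile(r'audit: type=1400 audit\((\d+\.\d+):(\d+)\): (.*)')
# key="quoted value" or key=bareword (e.g. error=-13, pid=5425)
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_apparmor_line(line):
    """Return the AppArmor event as a dict of fields, or None if the line is not a type=1400 audit record."""
    m = AUDIT_RE.search(line)
    if not m:
        return None
    ts, serial, body = m.groups()
    fields = {k: (q if q != "" or b == "" else b) for k, q, b in FIELD_RE.findall(body)}
    fields["timestamp"] = float(ts)
    fields["serial"] = int(serial)
    return fields


def summarize_denials(text):
    """Group DENIED events by (profile, operation, name, fstype); record count, reason and the comms involved."""
    groups = {}
    for line in text.splitlines():
        ev = parse_apparmor_line(line)
        if not ev or ev.get("apparmor") != "DENIED":
            continue
        key = (ev.get("profile", "?"), ev.get("operation", "?"), ev.get("name", ""), ev.get("fstype", ""))
        g = groups.setdefault(key, {"count": 0, "comms": set(), "info": ev.get("info", "")})
        g["count"] += 1
        g["comms"].add(ev.get("comm", "?"))
    return groups


def denials_under(groups, prefix):
    """Return the denied paths that start with prefix, e.g. '/dev/net' to see if the tun bind mount is involved."""
    return sorted(name for (_, _, name, _) in groups if name.startswith(prefix))


if __name__ == "__main__":
    for (profile, op, name, fstype), g in summarize_denials(SAMPLE_DMESG).items():
        print(f"{g['count']}x {profile}: {op} {name} fstype={fstype or '-'} ({g['info']}) by {sorted(g['comms'])}")
    print("denials touching /dev/net:", denials_under(summarize_denials(SAMPLE_DMESG), "/dev/net"))
```

For the quoted lines the summary shows only systemd's cgroup2/configfs mounts and rslave propagation being blocked, and nothing under /dev/net, which narrows where to look next.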