No /dev/net/tun inside LXC container

My problem is the same as the one here, except I’m using a privileged container and the solution doesn’t work for me:

Quick recap:

lxc.cgroup.devices.allow = c 10:200 rwm
lxc.mount.entry = /dev/net/tun dev/net/tun none bind,create=file

Gives:

host:/# lsmod | grep tun
tun                    40960  2
host:/# ls -al /dev/net/tun
crw-rw-rw- 1 root root 10, 200 Jul  3 07:03 /dev/net/tun
host:/# lxc-start -n ovpn1
host:/# lxc-attach -n ovpn1
ovpn1:/# ls -l /dev/net
ls: /dev/net: No such file or directory
ovpn1:/# mkdir /dev/net
ovpn1:/# mknod /dev/net/tun c 10 200
mknod: /dev/net/tun: Operation not permitted

Is there something obvious I’m doing wrong? Any and all help appreciated! Thanks.

Can you show cat /proc/self/mountinfo from inside the container?

Sure!

ovpn1:/# cat /proc/self/mountinfo
150 88 0:36 /ovpn1/rootfs / rw,noatime - btrfs /dev/mapper/crypt-root rw,compress=lzo,space_cache,autodefrag,subvolid=267,subvol=/ovpn1/rootfs
151 150 0:62 / /dev rw,relatime - tmpfs none rw,size=492k,mode=755,uid=100000,gid=100000
152 150 0:61 / /proc rw,nosuid,nodev,noexec,relatime - proc proc rw
169 170 0:61 /sys/net /proc/sys/net rw,nosuid,nodev,noexec,relatime - proc proc rw
170 152 0:61 /sys /proc/sys ro,nosuid,nodev,noexec,relatime - proc proc rw
171 152 0:61 /sysrq-trigger /proc/sysrq-trigger ro,nosuid,nodev,noexec,relatime - proc proc rw
172 150 0:63 / /sys rw,relatime - sysfs sysfs rw
173 151 0:6 /full /dev/full rw,nosuid,relatime - devtmpfs devtmpfs rw,size=2048k,nr_inodes=189513,mode=755
174 151 0:6 /null /dev/null rw,nosuid,relatime - devtmpfs devtmpfs rw,size=2048k,nr_inodes=189513,mode=755
175 151 0:6 /random /dev/random rw,nosuid,relatime - devtmpfs devtmpfs rw,size=2048k,nr_inodes=189513,mode=755
176 151 0:6 /tty /dev/tty rw,nosuid,relatime - devtmpfs devtmpfs rw,size=2048k,nr_inodes=189513,mode=755
177 151 0:6 /urandom /dev/urandom rw,nosuid,relatime - devtmpfs devtmpfs rw,size=2048k,nr_inodes=189513,mode=755
178 151 0:6 /zero /dev/zero rw,nosuid,relatime - devtmpfs devtmpfs rw,size=2048k,nr_inodes=189513,mode=755
179 151 0:18 /3 /dev/console rw,nosuid,noexec,relatime - devpts devpts rw,gid=5,mode=620,ptmxmode=000
89 151 0:64 / /dev/pts rw,nosuid,noexec,relatime - devpts devpts rw,gid=100005,mode=620,ptmxmode=666,max=1024
90 151 0:64 /ptmx /dev/ptmx rw,nosuid,noexec,relatime - devpts devpts rw,gid=100005,mode=620,ptmxmode=666,max=1024
91 151 0:64 /0 /dev/tty1 rw,nosuid,noexec,relatime - devpts devpts rw,gid=100005,mode=620,ptmxmode=666,max=1024
92 151 0:64 /1 /dev/tty2 rw,nosuid,noexec,relatime - devpts devpts rw,gid=100005,mode=620,ptmxmode=666,max=1024
93 151 0:64 /2 /dev/tty3 rw,nosuid,noexec,relatime - devpts devpts rw,gid=100005,mode=620,ptmxmode=666,max=1024
94 151 0:64 /3 /dev/tty4 rw,nosuid,noexec,relatime - devpts devpts rw,gid=100005,mode=620,ptmxmode=666,max=1024
129 150 0:74 / /run rw,nodev,relatime - tmpfs tmpfs rw,size=153232k,mode=755,uid=100000,gid=100000

What version of LXC are you using?

The one in the Alpine distro.

host:/# apk info lxc
lxc-3.1.0-r3 description:
Userspace interface for the Linux kernel containment features

This is an unsupported version of LXC. Looks like Alpine has LXC 4.0.x, please upgrade to that and try again. With a bit of luck, this is an issue which has already been resolved.

Thanks for the suggestion! Unfortunately, same problem after upgrading:

host:~# apk info lxc
lxc-4.0.2-r0 description:
Userspace interface for the Linux kernel containment features

lxc-4.0.2-r0 webpage:
https://linuxcontainers.org/lxc/

lxc-4.0.2-r0 installed size:
1347584

host:~# lsmod | grep tun
tun                    40960  2
host:~# ls -al /dev/net/tun
crw-rw-rw- 1 root root 10, 200 Jul  5 11:07 /dev/net/tun
host:~# lxc-start -n ovpn1
host:~# lxc-attach -n ovpn1
ovpn1:~# ls -l /dev/net
ls: /dev/net: No such file or directory
ovpn1:~# mkdir /dev/net
ovpn1:~# mknod /dev/net/tun c 10 200
mknod: /dev/net/tun: Operation not permitted
ovpn1:~# cat /proc/self/mountinfo
155 51 0:36 /ovpn1/rootfs / rw,noatime - btrfs /dev/mapper/crypt-root rw,compress=lzo,space_cache,autodefrag,subvolid=267,subvol=/ovpn1/rootfs
156 155 0:51 / /dev rw,relatime - tmpfs none rw,size=492k,mode=755,uid=100000,gid=100000
157 155 0:50 / /proc rw,nosuid,nodev,noexec,relatime - proc proc rw
176 177 0:50 /sys/net /proc/sys/net rw,nosuid,nodev,noexec,relatime - proc proc rw
177 157 0:50 /sys /proc/sys ro,nosuid,nodev,noexec,relatime - proc proc rw
178 157 0:50 /sysrq-trigger /proc/sysrq-trigger ro,nosuid,nodev,noexec,relatime - proc proc rw
179 155 0:52 / /sys rw,relatime - sysfs sysfs rw
180 156 0:50 / /dev/.lxc/proc rw,relatime - proc proc rw
181 156 0:52 / /dev/.lxc/sys rw,relatime - sysfs sys rw
182 156 0:6 /full /dev/full rw,nosuid,relatime - devtmpfs devtmpfs rw,size=2048k,nr_inodes=189453,mode=755
183 156 0:6 /null /dev/null rw,nosuid,relatime - devtmpfs devtmpfs rw,size=2048k,nr_inodes=189453,mode=755
184 156 0:6 /random /dev/random rw,nosuid,relatime - devtmpfs devtmpfs rw,size=2048k,nr_inodes=189453,mode=755
185 156 0:6 /tty /dev/tty rw,nosuid,relatime - devtmpfs devtmpfs rw,size=2048k,nr_inodes=189453,mode=755
186 156 0:6 /urandom /dev/urandom rw,nosuid,relatime - devtmpfs devtmpfs rw,size=2048k,nr_inodes=189453,mode=755
187 156 0:6 /zero /dev/zero rw,nosuid,relatime - devtmpfs devtmpfs rw,size=2048k,nr_inodes=189453,mode=755
188 156 0:18 /1 /dev/console rw,nosuid,noexec,relatime - devpts devpts rw,gid=5,mode=620,ptmxmode=000
52 177 0:51 /.lxc-boot-id /proc/sys/kernel/random/boot_id ro,nosuid,nodev,noexec,relatime - tmpfs none rw,size=492k,mode=755,uid=100000,gid=100000
53 156 0:53 / /dev/pts rw,nosuid,noexec,relatime - devpts devpts rw,gid=100005,mode=620,ptmxmode=666,max=1024
54 156 0:53 /ptmx /dev/ptmx rw,nosuid,noexec,relatime - devpts devpts rw,gid=100005,mode=620,ptmxmode=666,max=1024
55 156 0:53 /0 /dev/tty1 rw,nosuid,noexec,relatime - devpts devpts rw,gid=100005,mode=620,ptmxmode=666,max=1024
56 156 0:53 /1 /dev/tty2 rw,nosuid,noexec,relatime - devpts devpts rw,gid=100005,mode=620,ptmxmode=666,max=1024
57 156 0:53 /2 /dev/tty3 rw,nosuid,noexec,relatime - devpts devpts rw,gid=100005,mode=620,ptmxmode=666,max=1024
58 156 0:53 /3 /dev/tty4 rw,nosuid,noexec,relatime - devpts devpts rw,gid=100005,mode=620,ptmxmode=666,max=1024
91 155 0:62 / /run rw,nodev,relatime - tmpfs tmpfs rw,size=153232k,mode=755,uid=100000,gid=100000

Can you show the full config for the container?

You may also want to start it with lxc-start -o trace -l trace -n NAME and then paste the content of the trace file.

Here’s the config:

# Distribution configuration
lxc.include = /usr/share/lxc/config/common.conf
lxc.include = /usr/share/lxc/config/userns.conf
lxc.arch = linux64

# Container specific configuration
# Network configuration
lxc.net.0.type = veth
lxc.net.0.link = lxcbr0
lxc.net.0.flags = up
lxc.net.0.hwaddr = 00:16:3e:aa:bb:cc
lxc.net.1.type = veth
lxc.net.1.link = trbr0
lxc.net.1.flags = up
lxc.net.1.hwaddr = 00:16:3e:ff:ee:dd
lxc.apparmor.profile = unconfined
lxc.apparmor.allow_nesting = 1
lxc.idmap = u 0 100000 65536
lxc.idmap = g 0 100000 65536
lxc.start.auto = 1
lxc.rootfs.path = dir:/var/lib/lxc/ovpn1/rootfs
lxc.uts.name = ovpn1

lxc.environment = LANG=en_US.utf8

lxc.cgroup.devices.allow = c 10:200 rwm
lxc.mount.entry = /dev/net/tun dev/net/tun none bind,create=file

Let me know if the files in /usr/share/lxc/config would be helpful, but I haven’t changed them. And here’s the trace file:

lxc-start ovpn1 20200705171148.715 INFO     confile - confile.c:set_config_idmaps:2008 - Read uid map: type u nsid 0 hostid 100000 range 65536
lxc-start ovpn1 20200705171148.716 INFO     confile - confile.c:set_config_idmaps:2008 - Read uid map: type g nsid 0 hostid 100000 range 65536
lxc-start ovpn1 20200705171148.716 TRACE    commands - commands.c:lxc_cmd_rsp_recv:123 - Command "get_init_pid" received response
lxc-start ovpn1 20200705171148.716 DEBUG    commands - commands.c:lxc_cmd_rsp_recv:156 - Response data length for command "get_init_pid" is 0
lxc-start ovpn1 20200705171148.716 TRACE    commands - commands.c:lxc_cmd:293 - Opened new command socket connection fd 4 for command "get_init_pid"
lxc-start ovpn1 20200705171148.716 TRACE    commands - commands.c:lxc_cmd_rsp_recv:123 - Command "get_state" received response
lxc-start ovpn1 20200705171148.716 DEBUG    commands - commands.c:lxc_cmd_rsp_recv:156 - Response data length for command "get_state" is 0
lxc-start ovpn1 20200705171148.716 TRACE    commands - commands.c:lxc_cmd:293 - Opened new command socket connection fd 4 for command "get_state"
lxc-start ovpn1 20200705171148.716 DEBUG    commands - commands.c:lxc_cmd_get_state:656 - Container "ovpn1" is in "RUNNING" state
lxc-start ovpn1 20200705171148.716 ERROR    lxc_start - tools/lxc_start.c:main:258 - Container is already running
lxc-start ovpn1 20200705171158.665 INFO     confile - confile.c:set_config_idmaps:2008 - Read uid map: type u nsid 0 hostid 100000 range 65536
lxc-start ovpn1 20200705171158.666 INFO     confile - confile.c:set_config_idmaps:2008 - Read uid map: type g nsid 0 hostid 100000 range 65536
lxc-start ovpn1 20200705171158.669 TRACE    commands - commands.c:lxc_cmd:285 - Connection refused - Command "get_init_pid" failed to connect command socket
lxc-start ovpn1 20200705171158.670 TRACE    commands - commands.c:lxc_cmd:285 - Connection refused - Command "get_state" failed to connect command socket
lxc-start ovpn1 20200705171158.670 TRACE    start - start.c:lxc_init_handler:701 - Created anonymous pair {4,5} of unix sockets
lxc-start ovpn1 20200705171158.671 TRACE    commands - commands.c:lxc_cmd_init:1582 - Created abstract unix socket "/var/lib/lxc/ovpn1/command"
lxc-start ovpn1 20200705171158.671 TRACE    start - start.c:lxc_init_handler:714 - Unix domain socket 6 for command server is ready
lxc-start ovpn1 20200705171158.675 WARN     initutils - initutils.c:setproctitle:314 - Invalid argument - Failed to set cmdline
lxc-start ovpn1 20200705171158.675 INFO     lxccontainer - lxccontainer.c:do_lxcapi_start:970 - Failed to set process title to [lxc monitor] /var/lib/lxc ovpn1
lxc-start ovpn1 20200705171158.679 DEBUG    lxccontainer - lxccontainer.c:wait_on_daemonized_start:830 - First child 14666 exited
lxc-start ovpn1 20200705171158.682 TRACE    start - start.c:lxc_start:2068 - Doing lxc_start
lxc-start ovpn1 20200705171158.682 INFO     lsm - lsm/lsm.c:lsm_init:29 - LSM security driver nop
lxc-start ovpn1 20200705171158.683 TRACE    start - start.c:lxc_init:738 - Initialized LSM
lxc-start ovpn1 20200705171158.683 TRACE    start - start.c:lxc_serve_state_clients:427 - Set container state to STARTING
lxc-start ovpn1 20200705171158.683 TRACE    start - start.c:lxc_serve_state_clients:430 - No state clients registered
lxc-start ovpn1 20200705171158.684 TRACE    start - start.c:lxc_init:744 - Set container state to "STARTING"
lxc-start ovpn1 20200705171158.684 TRACE    start - start.c:lxc_init:800 - Set environment variables
lxc-start ovpn1 20200705171158.685 TRACE    start - start.c:lxc_init:805 - Ran pre-start hooks
lxc-start ovpn1 20200705171158.685 TRACE    start - start.c:setup_signal_fd:320 - Created signal file descriptor 8
lxc-start ovpn1 20200705171158.685 TRACE    start - start.c:lxc_init:814 - Set up signal fd
lxc-start ovpn1 20200705171158.687 DEBUG    terminal - terminal.c:lxc_terminal_peer_default:655 - No such device - The process does not have a controlling terminal
lxc-start ovpn1 20200705171158.688 TRACE    start - start.c:lxc_init:822 - Created console
lxc-start ovpn1 20200705171158.688 TRACE    terminal - terminal.c:lxc_terminal_map_ids:1176 - Chowned terminal "/dev/pts/1"
lxc-start ovpn1 20200705171158.688 TRACE    start - start.c:lxc_init:829 - Chowned console
lxc-start ovpn1 20200705171158.690 TRACE    cgfsng - cgroups/cgfsng.c:lxc_cgfsng_print_basecg_debuginfo:939 - basecginfo is:
lxc-start ovpn1 20200705171158.690 TRACE    cgfsng - cgroups/cgfsng.c:lxc_cgfsng_print_basecg_debuginfo:940 - 12:name=systemd:/
11:pids:/
10:net_prio:/
9:net_cls:/
8:freezer:/
7:devices:/
6:memory:/
5:blkio:/
4:cpuacct:/
3:cpu:/
2:cpuset:/
1:name=openrc:/
0::/

lxc-start ovpn1 20200705171158.691 TRACE    cgfsng - cgroups/cgfsng.c:lxc_cgfsng_print_basecg_debuginfo:943 - kernel subsystem 0: pids
lxc-start ovpn1 20200705171158.691 TRACE    cgfsng - cgroups/cgfsng.c:lxc_cgfsng_print_basecg_debuginfo:943 - kernel subsystem 1: net_prio
lxc-start ovpn1 20200705171158.691 TRACE    cgfsng - cgroups/cgfsng.c:lxc_cgfsng_print_basecg_debuginfo:943 - kernel subsystem 2: net_cls
lxc-start ovpn1 20200705171158.691 TRACE    cgfsng - cgroups/cgfsng.c:lxc_cgfsng_print_basecg_debuginfo:943 - kernel subsystem 3: freezer
lxc-start ovpn1 20200705171158.691 TRACE    cgfsng - cgroups/cgfsng.c:lxc_cgfsng_print_basecg_debuginfo:943 - kernel subsystem 4: devices
lxc-start ovpn1 20200705171158.691 TRACE    cgfsng - cgroups/cgfsng.c:lxc_cgfsng_print_basecg_debuginfo:943 - kernel subsystem 5: memory
lxc-start ovpn1 20200705171158.692 TRACE    cgfsng - cgroups/cgfsng.c:lxc_cgfsng_print_basecg_debuginfo:943 - kernel subsystem 6: blkio
lxc-start ovpn1 20200705171158.692 TRACE    cgfsng - cgroups/cgfsng.c:lxc_cgfsng_print_basecg_debuginfo:943 - kernel subsystem 7: cpuacct
lxc-start ovpn1 20200705171158.692 TRACE    cgfsng - cgroups/cgfsng.c:lxc_cgfsng_print_basecg_debuginfo:943 - kernel subsystem 8: cpu
lxc-start ovpn1 20200705171158.692 TRACE    cgfsng - cgroups/cgfsng.c:lxc_cgfsng_print_basecg_debuginfo:943 - kernel subsystem 9: cpuset
lxc-start ovpn1 20200705171158.693 TRACE    cgfsng - cgroups/cgfsng.c:lxc_cgfsng_print_basecg_debuginfo:943 - kernel subsystem 10: cgroup2
lxc-start ovpn1 20200705171158.693 TRACE    cgfsng - cgroups/cgfsng.c:lxc_cgfsng_print_basecg_debuginfo:946 - named subsystem 0: name=systemd
lxc-start ovpn1 20200705171158.693 TRACE    cgfsng - cgroups/cgfsng.c:lxc_cgfsng_print_basecg_debuginfo:946 - named subsystem 1: name=openrc
lxc-start ovpn1 20200705171158.695 TRACE    cgfsng - cgroups/cgfsng.c:cg_hybrid_init:3136 - No controllers are enabled for delegation in the unified hierarchy
lxc-start ovpn1 20200705171158.698 TRACE    cgfsng - cgroups/cgfsng.c:cg_hybrid_init:3155 - Writable cgroup hierarchies:
lxc-start ovpn1 20200705171158.699 TRACE    cgfsng - cgroups/cgfsng.c:lxc_cgfsng_print_hierarchies:920 -   Hierarchies:
lxc-start ovpn1 20200705171158.699 TRACE    cgfsng - cgroups/cgfsng.c:lxc_cgfsng_print_hierarchies:925 -   0: base_cgroup: /
lxc-start ovpn1 20200705171158.699 TRACE    cgfsng - cgroups/cgfsng.c:lxc_cgfsng_print_hierarchies:926 -       mountpoint:  /sys/fs/cgroup/openrc
lxc-start ovpn1 20200705171158.699 TRACE    cgfsng - cgroups/cgfsng.c:lxc_cgfsng_print_hierarchies:927 -       controllers:
lxc-start ovpn1 20200705171158.699 TRACE    cgfsng - cgroups/cgfsng.c:lxc_cgfsng_print_hierarchies:929 -       0: name=openrc
lxc-start ovpn1 20200705171158.699 TRACE    cgfsng - cgroups/cgfsng.c:lxc_cgfsng_print_hierarchies:925 -   1: base_cgroup: /
lxc-start ovpn1 20200705171158.700 TRACE    cgfsng - cgroups/cgfsng.c:lxc_cgfsng_print_hierarchies:926 -       mountpoint:  /sys/fs/cgroup/unified
lxc-start ovpn1 20200705171158.700 TRACE    cgfsng - cgroups/cgfsng.c:lxc_cgfsng_print_hierarchies:927 -       controllers:
lxc-start ovpn1 20200705171158.700 TRACE    cgfsng - cgroups/cgfsng.c:lxc_cgfsng_print_hierarchies:925 -   2: base_cgroup: /
lxc-start ovpn1 20200705171158.700 TRACE    cgfsng - cgroups/cgfsng.c:lxc_cgfsng_print_hierarchies:926 -       mountpoint:  /sys/fs/cgroup/cpuset
lxc-start ovpn1 20200705171158.700 TRACE    cgfsng - cgroups/cgfsng.c:lxc_cgfsng_print_hierarchies:927 -       controllers:
lxc-start ovpn1 20200705171158.701 TRACE    cgfsng - cgroups/cgfsng.c:lxc_cgfsng_print_hierarchies:929 -       0: cpuset
lxc-start ovpn1 20200705171158.701 TRACE    cgfsng - cgroups/cgfsng.c:lxc_cgfsng_print_hierarchies:925 -   3: base_cgroup: /
lxc-start ovpn1 20200705171158.701 TRACE    cgfsng - cgroups/cgfsng.c:lxc_cgfsng_print_hierarchies:926 -       mountpoint:  /sys/fs/cgroup/cpu
lxc-start ovpn1 20200705171158.701 TRACE    cgfsng - cgroups/cgfsng.c:lxc_cgfsng_print_hierarchies:927 -       controllers:
lxc-start ovpn1 20200705171158.702 TRACE    cgfsng - cgroups/cgfsng.c:lxc_cgfsng_print_hierarchies:929 -       0: cpu
lxc-start ovpn1 20200705171158.702 TRACE    cgfsng - cgroups/cgfsng.c:lxc_cgfsng_print_hierarchies:925 -   4: base_cgroup: /
lxc-start ovpn1 20200705171158.702 TRACE    cgfsng - cgroups/cgfsng.c:lxc_cgfsng_print_hierarchies:926 -       mountpoint:  /sys/fs/cgroup/cpuacct
lxc-start ovpn1 20200705171158.702 TRACE    cgfsng - cgroups/cgfsng.c:lxc_cgfsng_print_hierarchies:927 -       controllers:
lxc-start ovpn1 20200705171158.702 TRACE    cgfsng - cgroups/cgfsng.c:lxc_cgfsng_print_hierarchies:929 -       0: cpuacct
lxc-start ovpn1 20200705171158.703 TRACE    cgfsng - cgroups/cgfsng.c:lxc_cgfsng_print_hierarchies:925 -   5: base_cgroup: /
lxc-start ovpn1 20200705171158.703 TRACE    cgfsng - cgroups/cgfsng.c:lxc_cgfsng_print_hierarchies:926 -       mountpoint:  /sys/fs/cgroup/blkio
lxc-start ovpn1 20200705171158.703 TRACE    cgfsng - cgroups/cgfsng.c:lxc_cgfsng_print_hierarchies:927 -       controllers:
lxc-start ovpn1 20200705171158.703 TRACE    cgfsng - cgroups/cgfsng.c:lxc_cgfsng_print_hierarchies:929 -       0: blkio
lxc-start ovpn1 20200705171158.703 TRACE    cgfsng - cgroups/cgfsng.c:lxc_cgfsng_print_hierarchies:925 -   6: base_cgroup: /
lxc-start ovpn1 20200705171158.703 TRACE    cgfsng - cgroups/cgfsng.c:lxc_cgfsng_print_hierarchies:926 -       mountpoint:  /sys/fs/cgroup/memory
lxc-start ovpn1 20200705171158.703 TRACE    cgfsng - cgroups/cgfsng.c:lxc_cgfsng_print_hierarchies:927 -       controllers:
lxc-start ovpn1 20200705171158.704 TRACE    cgfsng - cgroups/cgfsng.c:lxc_cgfsng_print_hierarchies:929 -       0: memory
lxc-start ovpn1 20200705171158.704 TRACE    cgfsng - cgroups/cgfsng.c:lxc_cgfsng_print_hierarchies:925 -   7: base_cgroup: /
lxc-start ovpn1 20200705171158.704 TRACE    cgfsng - cgroups/cgfsng.c:lxc_cgfsng_print_hierarchies:926 -       mountpoint:  /sys/fs/cgroup/devices
lxc-start ovpn1 20200705171158.704 TRACE    cgfsng - cgroups/cgfsng.c:lxc_cgfsng_print_hierarchies:927 -       controllers:
lxc-start ovpn1 20200705171158.704 TRACE    cgfsng - cgroups/cgfsng.c:lxc_cgfsng_print_hierarchies:929 -       0: devices
lxc-start ovpn1 20200705171158.705 TRACE    cgfsng - cgroups/cgfsng.c:lxc_cgfsng_print_hierarchies:925 -   8: base_cgroup: /
lxc-start ovpn1 20200705171158.705 TRACE    cgfsng - cgroups/cgfsng.c:lxc_cgfsng_print_hierarchies:926 -       mountpoint:  /sys/fs/cgroup/freezer
lxc-start ovpn1 20200705171158.705 TRACE    cgfsng - cgroups/cgfsng.c:lxc_cgfsng_print_hierarchies:927 -       controllers:
lxc-start ovpn1 20200705171158.705 TRACE    cgfsng - cgroups/cgfsng.c:lxc_cgfsng_print_hierarchies:929 -       0: freezer
lxc-start ovpn1 20200705171158.705 TRACE    cgfsng - cgroups/cgfsng.c:lxc_cgfsng_print_hierarchies:925 -   9: base_cgroup: /
lxc-start ovpn1 20200705171158.706 TRACE    cgfsng - cgroups/cgfsng.c:lxc_cgfsng_print_hierarchies:926 -       mountpoint:  /sys/fs/cgroup/net_cls
lxc-start ovpn1 20200705171158.706 TRACE    cgfsng - cgroups/cgfsng.c:lxc_cgfsng_print_hierarchies:927 -       controllers:
lxc-start ovpn1 20200705171158.706 TRACE    cgfsng - cgroups/cgfsng.c:lxc_cgfsng_print_hierarchies:929 -       0: net_cls
lxc-start ovpn1 20200705171158.706 TRACE    cgfsng - cgroups/cgfsng.c:lxc_cgfsng_print_hierarchies:925 -   10: base_cgroup: /
lxc-start ovpn1 20200705171158.706 TRACE    cgfsng - cgroups/cgfsng.c:lxc_cgfsng_print_hierarchies:926 -       mountpoint:  /sys/fs/cgroup/net_prio
lxc-start ovpn1 20200705171158.707 TRACE    cgfsng - cgroups/cgfsng.c:lxc_cgfsng_print_hierarchies:927 -       controllers:
lxc-start ovpn1 20200705171158.707 TRACE    cgfsng - cgroups/cgfsng.c:lxc_cgfsng_print_hierarchies:929 -       0: net_prio
lxc-start ovpn1 20200705171158.707 TRACE    cgfsng - cgroups/cgfsng.c:lxc_cgfsng_print_hierarchies:925 -   11: base_cgroup: /
lxc-start ovpn1 20200705171158.707 TRACE    cgfsng - cgroups/cgfsng.c:lxc_cgfsng_print_hierarchies:926 -       mountpoint:  /sys/fs/cgroup/pids
lxc-start ovpn1 20200705171158.708 TRACE    cgfsng - cgroups/cgfsng.c:lxc_cgfsng_print_hierarchies:927 -       controllers:
lxc-start ovpn1 20200705171158.708 TRACE    cgfsng - cgroups/cgfsng.c:lxc_cgfsng_print_hierarchies:929 -       0: pids
lxc-start ovpn1 20200705171158.708 TRACE    cgfsng - cgroups/cgfsng.c:lxc_cgfsng_print_hierarchies:925 -   12: base_cgroup: /
lxc-start ovpn1 20200705171158.708 TRACE    cgfsng - cgroups/cgfsng.c:lxc_cgfsng_print_hierarchies:926 -       mountpoint:  /sys/fs/cgroup/systemd
lxc-start ovpn1 20200705171158.708 TRACE    cgfsng - cgroups/cgfsng.c:lxc_cgfsng_print_hierarchies:927 -       controllers:
lxc-start ovpn1 20200705171158.708 TRACE    cgfsng - cgroups/cgfsng.c:lxc_cgfsng_print_hierarchies:929 -       0: name=systemd
lxc-start ovpn1 20200705171158.709 TRACE    cgroup - cgroups/cgroup.c:cgroup_init:40 - Initialized cgroup driver cgfsng
lxc-start ovpn1 20200705171158.709 TRACE    cgroup - cgroups/cgroup.c:cgroup_init:45 - Running with hybrid cgroup layout
lxc-start ovpn1 20200705171158.709 TRACE    start - start.c:lxc_init:836 - Initialized cgroup driver
lxc-start ovpn1 20200705171158.711 TRACE    seccomp - seccomp.c:get_new_ctx:469 - Added arch 2 to main seccomp context
lxc-start ovpn1 20200705171158.711 TRACE    seccomp - seccomp.c:get_new_ctx:477 - Removed native arch from main seccomp context
lxc-start ovpn1 20200705171158.711 TRACE    seccomp - seccomp.c:get_new_ctx:469 - Added arch 3 to main seccomp context
lxc-start ovpn1 20200705171158.712 TRACE    seccomp - seccomp.c:get_new_ctx:477 - Removed native arch from main seccomp context
lxc-start ovpn1 20200705171158.712 TRACE    seccomp - seccomp.c:get_new_ctx:482 - Arch 4 already present in main seccomp context
lxc-start ovpn1 20200705171158.712 INFO     seccomp - seccomp.c:parse_config_v2:770 - Processing "reject_force_umount  # comment this to allow umount -f;  not recommended"
lxc-start ovpn1 20200705171158.712 INFO     seccomp - seccomp.c:do_resolve_add_rule:516 - Set seccomp rule to reject force umounts
lxc-start ovpn1 20200705171158.713 INFO     seccomp - seccomp.c:parse_config_v2:965 - Added native rule for arch 0 for reject_force_umount action 0(kill)
lxc-start ovpn1 20200705171158.713 INFO     seccomp - seccomp.c:do_resolve_add_rule:516 - Set seccomp rule to reject force umounts
lxc-start ovpn1 20200705171158.713 INFO     seccomp - seccomp.c:parse_config_v2:974 - Added compat rule for arch 1073741827 for reject_force_umount action 0(kill)
lxc-start ovpn1 20200705171158.713 INFO     seccomp - seccomp.c:do_resolve_add_rule:516 - Set seccomp rule to reject force umounts
lxc-start ovpn1 20200705171158.713 INFO     seccomp - seccomp.c:parse_config_v2:984 - Added compat rule for arch 1073741886 for reject_force_umount action 0(kill)
lxc-start ovpn1 20200705171158.714 INFO     seccomp - seccomp.c:do_resolve_add_rule:516 - Set seccomp rule to reject force umounts
lxc-start ovpn1 20200705171158.714 INFO     seccomp - seccomp.c:parse_config_v2:994 - Added native rule for arch -1073741762 for reject_force_umount action 0(kill)
lxc-start ovpn1 20200705171158.714 INFO     seccomp - seccomp.c:parse_config_v2:770 - Processing "[all]"
lxc-start ovpn1 20200705171158.714 INFO     seccomp - seccomp.c:parse_config_v2:770 - Processing "kexec_load errno 1"
lxc-start ovpn1 20200705171158.715 INFO     seccomp - seccomp.c:parse_config_v2:965 - Added native rule for arch 0 for kexec_load action 327681(errno)
lxc-start ovpn1 20200705171158.715 INFO     seccomp - seccomp.c:parse_config_v2:974 - Added compat rule for arch 1073741827 for kexec_load action 327681(errno)
lxc-start ovpn1 20200705171158.715 INFO     seccomp - seccomp.c:parse_config_v2:984 - Added compat rule for arch 1073741886 for kexec_load action 327681(errno)
lxc-start ovpn1 20200705171158.716 INFO     seccomp - seccomp.c:parse_config_v2:994 - Added native rule for arch -1073741762 for kexec_load action 327681(errno)
lxc-start ovpn1 20200705171158.716 INFO     seccomp - seccomp.c:parse_config_v2:770 - Processing "open_by_handle_at errno 1"
lxc-start ovpn1 20200705171158.716 INFO     seccomp - seccomp.c:parse_config_v2:965 - Added native rule for arch 0 for open_by_handle_at action 327681(errno)
lxc-start ovpn1 20200705171158.717 INFO     seccomp - seccomp.c:parse_config_v2:974 - Added compat rule for arch 1073741827 for open_by_handle_at action 327681(errno)
lxc-start ovpn1 20200705171158.717 INFO     seccomp - seccomp.c:parse_config_v2:984 - Added compat rule for arch 1073741886 for open_by_handle_at action 327681(errno)
lxc-start ovpn1 20200705171158.718 INFO     seccomp - seccomp.c:parse_config_v2:994 - Added native rule for arch -1073741762 for open_by_handle_at action 327681(errno)
lxc-start ovpn1 20200705171158.718 INFO     seccomp - seccomp.c:parse_config_v2:770 - Processing "init_module errno 1"
lxc-start ovpn1 20200705171158.718 INFO     seccomp - seccomp.c:parse_config_v2:965 - Added native rule for arch 0 for init_module action 327681(errno)
lxc-start ovpn1 20200705171158.718 INFO     seccomp - seccomp.c:parse_config_v2:974 - Added compat rule for arch 1073741827 for init_module action 327681(errno)
lxc-start ovpn1 20200705171158.718 INFO     seccomp - seccomp.c:parse_config_v2:984 - Added compat rule for arch 1073741886 for init_module action 327681(errno)
lxc-start ovpn1 20200705171158.719 INFO     seccomp - seccomp.c:parse_config_v2:994 - Added native rule for arch -1073741762 for init_module action 327681(errno)
lxc-start ovpn1 20200705171158.719 INFO     seccomp - seccomp.c:parse_config_v2:770 - Processing "finit_module errno 1"
lxc-start ovpn1 20200705171158.719 INFO     seccomp - seccomp.c:parse_config_v2:965 - Added native rule for arch 0 for finit_module action 327681(errno)
lxc-start ovpn1 20200705171158.719 INFO     seccomp - seccomp.c:parse_config_v2:974 - Added compat rule for arch 1073741827 for finit_module action 327681(errno)
lxc-start ovpn1 20200705171158.720 INFO     seccomp - seccomp.c:parse_config_v2:984 - Added compat rule for arch 1073741886 for finit_module action 327681(errno)
lxc-start ovpn1 20200705171158.720 INFO     seccomp - seccomp.c:parse_config_v2:994 - Added native rule for arch -1073741762 for finit_module action 327681(errno)
lxc-start ovpn1 20200705171158.720 INFO     seccomp - seccomp.c:parse_config_v2:770 - Processing "delete_module errno 1"
lxc-start ovpn1 20200705171158.720 INFO     seccomp - seccomp.c:parse_config_v2:965 - Added native rule for arch 0 for delete_module action 327681(errno)
lxc-start ovpn1 20200705171158.721 INFO     seccomp - seccomp.c:parse_config_v2:974 - Added compat rule for arch 1073741827 for delete_module action 327681(errno)
lxc-start ovpn1 20200705171158.721 INFO     seccomp - seccomp.c:parse_config_v2:984 - Added compat rule for arch 1073741886 for delete_module action 327681(errno)
lxc-start ovpn1 20200705171158.721 INFO     seccomp - seccomp.c:parse_config_v2:994 - Added native rule for arch -1073741762 for delete_module action 327681(errno)
lxc-start ovpn1 20200705171158.722 INFO     seccomp - seccomp.c:parse_config_v2:1000 - Merging compat seccomp contexts into main context
lxc-start ovpn1 20200705171158.722 TRACE    seccomp - seccomp.c:parse_config_v2:1010 - Merged first compat seccomp context into main context
lxc-start ovpn1 20200705171158.722 TRACE    seccomp - seccomp.c:parse_config_v2:1026 - Merged second compat seccomp context into main context
lxc-start ovpn1 20200705171158.722 TRACE    start - start.c:lxc_init:841 - Read seccomp policy
lxc-start ovpn1 20200705171158.723 TRACE    start - start.c:lxc_init:848 - Initialized LSM
lxc-start ovpn1 20200705171158.723 INFO     start - start.c:lxc_init:850 - Container "ovpn1" is initialized
lxc-start ovpn1 20200705171158.725 WARN     cgfsng - cgroups/cgfsng.c:cgroup_tree_create:1157 - File exists - The /sys/fs/cgroup/cpuset//lxc.monitor.ovpn1 cgroup already existed
lxc-start ovpn1 20200705171158.725 ERROR    cgfsng - cgroups/cgfsng.c:cgfsng_monitor_create:1264 - Failed to create cgroup "(null)"
lxc-start ovpn1 20200705171158.728 WARN     cgfsng - cgroups/cgfsng.c:cgroup_tree_create:1157 - File exists - The /sys/fs/cgroup/cpuset//lxc.monitor.ovpn1-1 cgroup already existed
lxc-start ovpn1 20200705171158.728 ERROR    cgfsng - cgroups/cgfsng.c:cgfsng_monitor_create:1264 - Failed to create cgroup "(null)"
lxc-start ovpn1 20200705171158.730 WARN     cgfsng - cgroups/cgfsng.c:cgroup_tree_create:1157 - File exists - The /sys/fs/cgroup/cpuset//lxc.monitor.ovpn1-2 cgroup already existed
lxc-start ovpn1 20200705171158.730 ERROR    cgfsng - cgroups/cgfsng.c:cgfsng_monitor_create:1264 - Failed to create cgroup "(null)"
lxc-start ovpn1 20200705171158.735 TRACE    cgfsng - cgroups/cgfsng.c:cg_legacy_filter_and_set_cpus:448 - Copied cpu settings of parent cgroup
lxc-start ovpn1 20200705171158.736 ERROR    cgfsng - cgroups/cgfsng.c:mkdir_eexist_on_last:1143 - File exists - Failed to create directory "/sys/fs/cgroup/cpuset//lxc.monitor.ovpn1-3"
lxc-start ovpn1 20200705171158.745 INFO     cgfsng - cgroups/cgfsng.c:cgfsng_monitor_create:1277 - The monitor process uses "lxc.monitor.ovpn1-3" as cgroup
lxc-start ovpn1 20200705171158.753 DEBUG    storage - storage/storage.c:get_storage_by_name:211 - Detected rootfs type "dir"
lxc-start ovpn1 20200705171158.758 TRACE    cgfsng - cgroups/cgfsng.c:cg_legacy_filter_and_set_cpus:448 - Copied cpu settings of parent cgroup
lxc-start ovpn1 20200705171158.759 ERROR    cgfsng - cgroups/cgfsng.c:mkdir_eexist_on_last:1143 - File exists - Failed to create directory "/sys/fs/cgroup/cpuset//lxc.payload.ovpn1"
lxc-start ovpn1 20200705171158.767 INFO     cgfsng - cgroups/cgfsng.c:cgfsng_payload_create:1356 - The container process uses "lxc.payload.ovpn1" as cgroup
lxc-start ovpn1 20200705171158.771 TRACE    start - start.c:lxc_spawn:1648 - Cloned child process 14668
lxc-start ovpn1 20200705171158.771 ERROR    utils - utils.c:lxc_can_use_pidfd:1834 - Kernel does not support pidfds
lxc-start ovpn1 20200705171158.772 INFO     start - start.c:lxc_spawn:1664 - Cloned CLONE_NEWUSER
lxc-start ovpn1 20200705171158.772 INFO     start - start.c:lxc_spawn:1664 - Cloned CLONE_NEWNS
lxc-start ovpn1 20200705171158.772 INFO     start - start.c:lxc_spawn:1664 - Cloned CLONE_NEWPID
lxc-start ovpn1 20200705171158.772 INFO     start - start.c:lxc_spawn:1664 - Cloned CLONE_NEWUTS
lxc-start ovpn1 20200705171158.773 INFO     start - start.c:lxc_spawn:1664 - Cloned CLONE_NEWIPC
lxc-start ovpn1 20200705171158.773 DEBUG    start - start.c:lxc_try_preserve_namespaces:165 - Preserved user namespace via fd 29
lxc-start ovpn1 20200705171158.774 DEBUG    start - start.c:lxc_try_preserve_namespaces:165 - Preserved mnt namespace via fd 30
lxc-start ovpn1 20200705171158.774 DEBUG    start - start.c:lxc_try_preserve_namespaces:165 - Preserved pid namespace via fd 31
lxc-start ovpn1 20200705171158.775 DEBUG    start - start.c:lxc_try_preserve_namespaces:165 - Preserved uts namespace via fd 32
lxc-start ovpn1 20200705171158.775 DEBUG    start - start.c:lxc_try_preserve_namespaces:165 - Preserved ipc namespace via fd 33
lxc-start ovpn1 20200705171158.779 DEBUG    conf - conf.c:idmaptool_on_path_and_privileged:2642 - The binary "/usr/bin/newuidmap" does have the setuid bit set
lxc-start ovpn1 20200705171158.779 DEBUG    conf - conf.c:idmaptool_on_path_and_privileged:2642 - The binary "/usr/bin/newgidmap" does have the setuid bit set
lxc-start ovpn1 20200705171158.780 DEBUG    conf - conf.c:lxc_map_ids:2710 - Functional newuidmap and newgidmap binary found
lxc-start ovpn1 20200705171158.797 TRACE    conf - conf.c:lxc_map_ids:2780 - newuidmap wrote mapping "newuidmap 14668 0 100000 65536"
lxc-start ovpn1 20200705171158.811 TRACE    conf - conf.c:lxc_map_ids:2780 - newgidmap wrote mapping "newgidmap 14668 0 100000 65536"
lxc-start ovpn1 20200705171158.821 INFO     start - start.c:do_start:1098 - Unshared CLONE_NEWNET
lxc-start ovpn1 20200705171158.822 INFO     cgfsng - cgroups/cgfsng.c:cgfsng_setup_limits_legacy:2739 - Limits for the legacy cgroup hierarchies have been setup
lxc-start ovpn1 20200705171158.827 TRACE    conf - conf.c:get_minimal_idmap:4015 - Allocated minimal idmapping for ns uid 0 and ns gid 0
lxc-start ovpn1 20200705171158.829 TRACE    conf - conf.c:userns_exec_1:4080 - Establishing uid mapping for "14673" in new user namespace: nsuid 65536 - hostid 0 - range 1
lxc-start ovpn1 20200705171158.830 TRACE    conf - conf.c:userns_exec_1:4080 - Establishing uid mapping for "14673" in new user namespace: nsuid 0 - hostid 100000 - range 65536
lxc-start ovpn1 20200705171158.830 TRACE    conf - conf.c:userns_exec_1:4080 - Establishing gid mapping for "14673" in new user namespace: nsuid 65536 - hostid 0 - range 1
lxc-start ovpn1 20200705171158.830 TRACE    conf - conf.c:userns_exec_1:4080 - Establishing gid mapping for "14673" in new user namespace: nsuid 0 - hostid 100000 - range 65536
lxc-start ovpn1 20200705171158.831 DEBUG    conf - conf.c:idmaptool_on_path_and_privileged:2642 - The binary "/usr/bin/newuidmap" does have the setuid bit set
lxc-start ovpn1 20200705171158.832 DEBUG    conf - conf.c:idmaptool_on_path_and_privileged:2642 - The binary "/usr/bin/newgidmap" does have the setuid bit set
lxc-start ovpn1 20200705171158.832 DEBUG    conf - conf.c:lxc_map_ids:2710 - Functional newuidmap and newgidmap binary found
lxc-start ovpn1 20200705171158.847 TRACE    conf - conf.c:lxc_map_ids:2780 - newuidmap wrote mapping "newuidmap 14673 65536 0 1 0 100000 65536"
lxc-start ovpn1 20200705171158.860 TRACE    conf - conf.c:lxc_map_ids:2780 - newgidmap wrote mapping "newgidmap 14673 65536 0 1 0 100000 65536"
lxc-start ovpn1 20200705171158.861 TRACE    conf - conf.c:run_userns_fn:3857 - Calling function "chown_cgroup_wrapper"
lxc-start ovpn1 20200705171158.861 NOTICE   utils - utils.c:lxc_setgroups:1366 - Dropped additional groups
lxc-start ovpn1 20200705171158.864 WARN     cgfsng - cgroups/cgfsng.c:fchowmodat:1452 - No such file or directory - Failed to fchownat(17, memory.oom.group, 65536, 0, AT_EMPTY_PATH | AT_SYMLINK_NOFOLLOW )
lxc-start ovpn1 20200705171158.869 DEBUG    start - start.c:lxc_spawn:1737 - Preserved net namespace via fd 7
lxc-start ovpn1 20200705171158.870 TRACE    start - start.c:lxc_spawn:1744 - Allocated new network namespace id
lxc-start ovpn1 20200705171158.878 INFO     network - network.c:instantiate_veth:290 - Retrieved mtu 1500 from lxcbr0
lxc-start ovpn1 20200705171158.918 INFO     network - network.c:instantiate_veth:334 - Attached "vethdvaxqJ" to bridge "lxcbr0"
lxc-start ovpn1 20200705171158.948 DEBUG    network - network.c:instantiate_veth:450 - Instantiated veth tunnel "vethdvaxqJ <--> vethsBXWUp"
lxc-start ovpn1 20200705171158.955 INFO     network - network.c:instantiate_veth:290 - Retrieved mtu 1500 from trbr0
lxc-start ovpn1 20200705171158.991 INFO     network - network.c:instantiate_veth:334 - Attached "veth0VApuF" to bridge "trbr0"
lxc-start ovpn1 20200705171158.102 DEBUG    network - network.c:instantiate_veth:450 - Instantiated veth tunnel "veth0VApuF <--> vethLV1qZ5"
lxc-start ovpn1 20200705171158.102 TRACE    network - network.c:lxc_network_send_to_child:3586 - Sent network device name "vethsBXWUp" to child
lxc-start ovpn1 20200705171158.102 TRACE    network - network.c:lxc_network_send_to_child:3586 - Sent network device name "vethLV1qZ5" to child
lxc-start ovpn1 20200705171158.102 TRACE    network - network.c:lxc_network_recv_from_parent:3613 - Received network device name "vethsBXWUp" from parent
lxc-start ovpn1 20200705171158.102 TRACE    network - network.c:lxc_network_recv_from_parent:3613 - Received network device name "vethLV1qZ5" from parent
lxc-start ovpn1 20200705171158.102 NOTICE   utils - utils.c:lxc_setgroups:1366 - Dropped additional groups
lxc-start ovpn1 20200705171158.102 NOTICE   utils - utils.c:lxc_switch_uid_gid:1344 - Switched to gid 0
lxc-start ovpn1 20200705171158.102 NOTICE   utils - utils.c:lxc_switch_uid_gid:1353 - Switched to uid 0
lxc-start ovpn1 20200705171158.102 INFO     start - start.c:do_start:1211 - Unshared CLONE_NEWCGROUP
lxc-start ovpn1 20200705171158.102 TRACE    conf - conf.c:remount_all_slave:3094 - Remounted all mount table entries as MS_SLAVE
lxc-start ovpn1 20200705171158.102 DEBUG    storage - storage/storage.c:get_storage_by_name:211 - Detected rootfs type "dir"
lxc-start ovpn1 20200705171158.102 TRACE    dir - storage/dir.c:dir_mount:165 - Mounted "/var/lib/lxc/ovpn1/rootfs" on "/usr/lib/lxc/rootfs" with options "(null)", mount flags "0", and propagation flags "0"
lxc-start ovpn1 20200705171158.103 DEBUG    conf - conf.c:lxc_mount_rootfs:1258 - Mounted rootfs "/var/lib/lxc/ovpn1/rootfs" onto "/usr/lib/lxc/rootfs" with options "(null)"
lxc-start ovpn1 20200705171158.103 INFO     conf - conf.c:setup_utsname:751 - Set hostname to "ovpn1"
lxc-start ovpn1 20200705171158.103 TRACE    network - network.c:instantiate_ns_veth:891 - Renamed network device from "vethsBXWUp" to "eth%d"
lxc-start ovpn1 20200705171158.104 DEBUG    network - network.c:setup_hw_addr:3388 - Mac address "00:16:3e:aa:bb:cc" on "eth0" has been setup
lxc-start ovpn1 20200705171158.106 DEBUG    network - network.c:lxc_network_setup_in_child_namespaces_common:3538 - Network device "eth0" has been setup
lxc-start ovpn1 20200705171158.107 TRACE    network - network.c:instantiate_ns_veth:891 - Renamed network device from "vethLV1qZ5" to "eth%d"
lxc-start ovpn1 20200705171158.107 DEBUG    network - network.c:setup_hw_addr:3388 - Mac address "00:16:3e:ff:ee:dd" on "eth1" has been setup
lxc-start ovpn1 20200705171158.111 DEBUG    network - network.c:lxc_network_setup_in_child_namespaces_common:3538 - Network device "eth1" has been setup
lxc-start ovpn1 20200705171158.111 INFO     network - network.c:lxc_setup_network_in_child_namespaces:3560 - Network has been setup
lxc-start ovpn1 20200705171158.111 TRACE    network - network.c:lxc_network_send_name_and_ifindex_to_parent:3646 - Sent network device names and ifindices to parent
lxc-start ovpn1 20200705171158.111 INFO     conf - conf.c:mount_autodev:1059 - Preparing "/dev"
lxc-start ovpn1 20200705171158.111 DEBUG    conf - conf.c:mount_autodev:1065 - Using mount options: size=500000,mode=755
lxc-start ovpn1 20200705171158.111 TRACE    conf - conf.c:mount_autodev:1085 - Mounted tmpfs on "/usr/lib/lxc/rootfs/dev"
lxc-start ovpn1 20200705171158.111 INFO     conf - conf.c:mount_autodev:1108 - Prepared "/dev"
lxc-start ovpn1 20200705171158.112 INFO     conf - conf.c:mount_entry:1851 - No such file or directory - Failed to mount "/sys/fs/fuse/connections" on "/usr/lib/lxc/rootfs/sys/fs/fuse/connections" (optional)
lxc-start ovpn1 20200705171158.112 DEBUG    conf - conf.c:mount_entry:1923 - Mounted "proc" on "/usr/lib/lxc/rootfs/dev/.lxc/proc" with filesystem type "proc"
lxc-start ovpn1 20200705171158.112 DEBUG    conf - conf.c:mount_entry:1923 - Mounted "sys" on "/usr/lib/lxc/rootfs/dev/.lxc/sys" with filesystem type "sysfs"
lxc-start ovpn1 20200705171158.112 INFO     conf - conf.c:lxc_fill_autodev:1152 - Populating "/dev"
lxc-start ovpn1 20200705171158.112 DEBUG    conf - conf.c:lxc_fill_autodev:1218 - Bind mounted host device node "/dev/full" onto "/usr/lib/lxc/rootfs/dev/full"
lxc-start ovpn1 20200705171158.112 DEBUG    conf - conf.c:lxc_fill_autodev:1218 - Bind mounted host device node "/dev/null" onto "/usr/lib/lxc/rootfs/dev/null"
lxc-start ovpn1 20200705171158.112 DEBUG    conf - conf.c:lxc_fill_autodev:1218 - Bind mounted host device node "/dev/random" onto "/usr/lib/lxc/rootfs/dev/random"
lxc-start ovpn1 20200705171158.112 DEBUG    conf - conf.c:lxc_fill_autodev:1218 - Bind mounted host device node "/dev/tty" onto "/usr/lib/lxc/rootfs/dev/tty"
lxc-start ovpn1 20200705171158.113 DEBUG    conf - conf.c:lxc_fill_autodev:1218 - Bind mounted host device node "/dev/urandom" onto "/usr/lib/lxc/rootfs/dev/urandom"
lxc-start ovpn1 20200705171158.113 DEBUG    conf - conf.c:lxc_fill_autodev:1218 - Bind mounted host device node "/dev/zero" onto "/usr/lib/lxc/rootfs/dev/zero"
lxc-start ovpn1 20200705171158.113 INFO     conf - conf.c:lxc_fill_autodev:1222 - Populated "/dev"
lxc-start ovpn1 20200705171158.113 DEBUG    conf - conf.c:lxc_setup_dev_console:1618 - Mounted pts device "/dev/pts/1" onto "/usr/lib/lxc/rootfs/dev/console"
lxc-start ovpn1 20200705171158.113 INFO     utils - utils.c:lxc_mount_proc_if_needed:1200 - I am 1, /proc/self points to "1"
lxc-start ovpn1 20200705171158.113 TRACE    conf - conf.c:lxc_pivot_root:1427 - pivot_root("/usr/lib/lxc/rootfs") successful
lxc-start ovpn1 20200705171158.114 DEBUG    conf - conf.c:lxc_setup_devpts:1521 - Mount new devpts instance with options "gid=5,newinstance,ptmxmode=0666,mode=0620,max=1024"
lxc-start ovpn1 20200705171158.114 DEBUG    conf - conf.c:lxc_setup_devpts:1536 - Created dummy "/dev/ptmx" file as bind mount target
lxc-start ovpn1 20200705171158.114 DEBUG    conf - conf.c:lxc_setup_devpts:1541 - Bind mounted "/dev/pts/ptmx" to "/dev/ptmx"
lxc-start ovpn1 20200705171158.114 DEBUG    conf - conf.c:lxc_allocate_ttys:938 - Created tty "/dev/pts/0" with master fd 29 and slave fd 30
lxc-start ovpn1 20200705171158.114 DEBUG    conf - conf.c:lxc_allocate_ttys:938 - Created tty "/dev/pts/1" with master fd 31 and slave fd 32
lxc-start ovpn1 20200705171158.114 DEBUG    conf - conf.c:lxc_allocate_ttys:938 - Created tty "/dev/pts/2" with master fd 33 and slave fd 34
lxc-start ovpn1 20200705171158.114 DEBUG    conf - conf.c:lxc_allocate_ttys:938 - Created tty "/dev/pts/3" with master fd 35 and slave fd 36
lxc-start ovpn1 20200705171158.114 INFO     conf - conf.c:lxc_allocate_ttys:955 - Finished creating 4 tty devices
lxc-start ovpn1 20200705171158.114 TRACE    conf - conf.c:lxc_send_ttys_to_parent:996 - Sent tty "/dev/pts/0" with master fd 29 and slave fd 30 to parent
lxc-start ovpn1 20200705171158.114 TRACE    conf - conf.c:lxc_send_ttys_to_parent:996 - Sent tty "/dev/pts/1" with master fd 31 and slave fd 32 to parent
lxc-start ovpn1 20200705171158.115 TRACE    conf - conf.c:lxc_send_ttys_to_parent:996 - Sent tty "/dev/pts/2" with master fd 33 and slave fd 34 to parent
lxc-start ovpn1 20200705171158.115 TRACE    conf - conf.c:lxc_send_ttys_to_parent:996 - Sent tty "/dev/pts/3" with master fd 35 and slave fd 36 to parent
lxc-start ovpn1 20200705171158.115 TRACE    conf - conf.c:lxc_send_ttys_to_parent:1003 - Sent 4 ttys to parent
lxc-start ovpn1 20200705171158.115 DEBUG    conf - conf.c:lxc_setup_ttys:893 - Bind mounted "/dev/pts/0" onto "/dev/tty1"
lxc-start ovpn1 20200705171158.115 DEBUG    conf - conf.c:lxc_setup_ttys:893 - Bind mounted "/dev/pts/1" onto "/dev/tty2"
lxc-start ovpn1 20200705171158.115 DEBUG    conf - conf.c:lxc_setup_ttys:893 - Bind mounted "/dev/pts/2" onto "/dev/tty3"
lxc-start ovpn1 20200705171158.115 DEBUG    conf - conf.c:lxc_setup_ttys:893 - Bind mounted "/dev/pts/3" onto "/dev/tty4"
lxc-start ovpn1 20200705171158.115 INFO     conf - conf.c:lxc_setup_ttys:900 - Finished setting up 4 /dev/tty<N> device(s)
lxc-start ovpn1 20200705171158.115 INFO     conf - conf.c:setup_personality:1572 - Set personality to "0x0"
lxc-start ovpn1 20200705171158.115 DEBUG    conf - conf.c:setup_caps:2338 - Capabilities have been setup
lxc-start ovpn1 20200705171158.115 NOTICE   conf - conf.c:lxc_setup:3433 - The container "ovpn1" is set up
#
# pseudo filter code start
#
# filter for arch x86_64 (3221225534)
if ($arch == 3221225534)
  # filter for syscall "finit_module" (313) [priority: 65535]
  if ($syscall == 313)
    action ERRNO(1);
  # filter for syscall "open_by_handle_at" (304) [priority: 65535]
  if ($syscall == 304)
    action ERRNO(1);
  # filter for syscall "kexec_load" (246) [priority: 65535]
  if ($syscall == 246)
    action ERRNO(1);
  # filter for syscall "delete_module" (176) [priority: 65535]
  if ($syscall == 176)
    action ERRNO(1);
  # filter for syscall "init_module" (175) [priority: 65535]
  if ($syscall == 175)
    action ERRNO(1);
  # filter for syscall "umount2" (166) [priority: 65533]
  if ($syscall == 166)
    if ($a1.hi32 & 0x00000000 == 0)
      if ($a1.lo32 & 0x00000001 == 1)
        action ERRNO(13);
  # default action
  action ALLOW;
# filter for arch x86 (1073741827)
if ($arch == 1073741827)
  # filter for syscall "finit_module" (350) [priority: 65535]
  if ($syscall == 350)
    action ERRNO(1);
  # filter for syscall "open_by_handle_at" (342) [priority: 65535]
  if ($syscall == 342)
    action ERRNO(1);
  # filter for syscall "kexec_load" (283) [priority: 65535]
  if ($syscall == 283)
    action ERRNO(1);
  # filter for syscall "delete_module" (129) [priority: 65535]
  if ($syscall == 129)
    action ERRNO(1);
  # filter for syscall "init_module" (128) [priority: 65535]
  if ($syscall == 128)
    action ERRNO(1);
  # filter for syscall "umount2" (52) [priority: 65534]
  if ($syscall == 52)
    if ($a1 & 0x00000001 == 1)
      action ERRNO(13);
  # default action
  action ALLOW;
# filter for arch x32 (3221225534)
if ($arch == 3221225534)
  # filter for syscall "kexec_load" (1073742352) [priority: 65535]
  if ($syscall == 1073742352)
    action ERRNO(1);
  # filter for syscall "finit_module" (1073742137) [priority: 65535]
  if ($syscall == 1073742137)
    action ERRNO(1);
  # filter for syscall "open_by_handle_at" (1073742128) [priority: 65535]
  if ($syscall == 1073742128)
    action ERRNO(1);
  # filter for syscall "delete_module" (1073742000) [priority: 65535]
  if ($syscall == 1073742000)
    action ERRNO(1);
  # filter for syscall "init_module" (1073741999) [priority: 65535]
  if ($syscall == 1073741999)
    action ERRNO(1);
  # filter for syscall "umount2" (1073741990) [priority: 65534]
  if ($syscall == 1073741990)
    if ($a1 & 0x00000001 == 1)
      action ERRNO(13);
  # default action
  action ALLOW;
# invalid architecture action
action KILL;
#
# pseudo filter code end
#
lxc-start ovpn1 20200705171158.115 DEBUG    cgfsng - cgroups/cgfsng.c:cgfsng_setup_limits_legacy:2734 - Set controller "devices.allow" set to "c 10:200 rwm"
lxc-start ovpn1 20200705171158.115 INFO     cgfsng - cgroups/cgfsng.c:cgfsng_setup_limits_legacy:2739 - Limits for the legacy cgroup hierarchies have been setup
lxc-start ovpn1 20200705171158.115 TRACE    start - start.c:lxc_spawn:1790 - Set up legacy device cgroup controller limits
lxc-start ovpn1 20200705171158.116 TRACE    start - start.c:lxc_spawn:1796 - Set up cgroup2 device controller limits
lxc-start ovpn1 20200705171158.116 DEBUG    start - start.c:lxc_spawn:1808 - Preserved cgroup namespace via fd 11
lxc-start ovpn1 20200705171158.116 TRACE    start - start.c:lxc_spawn:1813 - Finished setting up cgroups
lxc-start ovpn1 20200705171158.116 NOTICE   start - start.c:start:2041 - Exec'ing "/sbin/init"
lxc-start ovpn1 20200705171158.116 TRACE    confile_utils - confile_utils.c:lxc_log_configured_netdevs:254 - index: 0
lxc-start ovpn1 20200705171158.116 TRACE    confile_utils - confile_utils.c:lxc_log_configured_netdevs:255 - ifindex: 2
lxc-start ovpn1 20200705171158.116 TRACE    confile_utils - confile_utils.c:lxc_log_configured_netdevs:259 - type: veth
lxc-start ovpn1 20200705171158.116 TRACE    confile_utils - confile_utils.c:lxc_log_configured_netdevs:266 - veth1 : vethdvaxqJ
lxc-start ovpn1 20200705171158.116 TRACE    confile_utils - confile_utils.c:lxc_log_configured_netdevs:270 - host side ifindex for veth device: 17
lxc-start ovpn1 20200705171158.116 TRACE    confile_utils - confile_utils.c:lxc_log_configured_netdevs:319 - flags: up
lxc-start ovpn1 20200705171158.116 TRACE    confile_utils - confile_utils.c:lxc_log_configured_netdevs:323 - link: lxcbr0
lxc-start ovpn1 20200705171158.116 TRACE    confile_utils - confile_utils.c:lxc_log_configured_netdevs:327 - l2proxy: false
lxc-start ovpn1 20200705171158.116 TRACE    confile_utils - confile_utils.c:lxc_log_configured_netdevs:330 - name: eth0
lxc-start ovpn1 20200705171158.116 TRACE    confile_utils - confile_utils.c:lxc_log_configured_netdevs:333 - hwaddr: 00:16:3e:aa:bb:cc
lxc-start ovpn1 20200705171158.116 TRACE    confile_utils - confile_utils.c:lxc_log_configured_netdevs:344 - ipv4 gateway auto: false
lxc-start ovpn1 20200705171158.116 TRACE    confile_utils - confile_utils.c:lxc_log_configured_netdevs:347 - ipv4 gateway dev: false
lxc-start ovpn1 20200705171158.116 TRACE    confile_utils - confile_utils.c:lxc_log_configured_netdevs:363 - ipv6 gateway auto: false
lxc-start ovpn1 20200705171158.116 TRACE    confile_utils - confile_utils.c:lxc_log_configured_netdevs:366 - ipv6 gateway dev: false
lxc-start ovpn1 20200705171158.116 TRACE    confile_utils - confile_utils.c:lxc_log_configured_netdevs:254 - index: 1
lxc-start ovpn1 20200705171158.116 TRACE    confile_utils - confile_utils.c:lxc_log_configured_netdevs:255 - ifindex: 3
lxc-start ovpn1 20200705171158.116 TRACE    confile_utils - confile_utils.c:lxc_log_configured_netdevs:259 - type: veth
lxc-start ovpn1 20200705171158.116 TRACE    confile_utils - confile_utils.c:lxc_log_configured_netdevs:266 - veth1 : veth0VApuF
lxc-start ovpn1 20200705171158.116 TRACE    confile_utils - confile_utils.c:lxc_log_configured_netdevs:270 - host side ifindex for veth device: 18
lxc-start ovpn1 20200705171158.116 TRACE    confile_utils - confile_utils.c:lxc_log_configured_netdevs:319 - flags: up
lxc-start ovpn1 20200705171158.116 TRACE    confile_utils - confile_utils.c:lxc_log_configured_netdevs:323 - link: trbr0
lxc-start ovpn1 20200705171158.116 TRACE    confile_utils - confile_utils.c:lxc_log_configured_netdevs:327 - l2proxy: false
lxc-start ovpn1 20200705171158.117 TRACE    confile_utils - confile_utils.c:lxc_log_configured_netdevs:330 - name: eth1
lxc-start ovpn1 20200705171158.117 TRACE    confile_utils - confile_utils.c:lxc_log_configured_netdevs:333 - hwaddr: 00:16:3e:ff:ee:dd
lxc-start ovpn1 20200705171158.117 TRACE    confile_utils - confile_utils.c:lxc_log_configured_netdevs:344 - ipv4 gateway auto: false
lxc-start ovpn1 20200705171158.117 TRACE    confile_utils - confile_utils.c:lxc_log_configured_netdevs:347 - ipv4 gateway dev: false
lxc-start ovpn1 20200705171158.117 TRACE    confile_utils - confile_utils.c:lxc_log_configured_netdevs:363 - ipv6 gateway auto: false
lxc-start ovpn1 20200705171158.117 TRACE    confile_utils - confile_utils.c:lxc_log_configured_netdevs:366 - ipv6 gateway dev: false
lxc-start ovpn1 20200705171158.117 TRACE    start - start.c:lxc_recv_ttys_from_child:1447 - Received pty with master fd 16 and slave fd 18 from child
lxc-start ovpn1 20200705171158.117 TRACE    start - start.c:lxc_recv_ttys_from_child:1447 - Received pty with master fd 19 and slave fd 20 from child
lxc-start ovpn1 20200705171158.117 TRACE    start - start.c:lxc_recv_ttys_from_child:1447 - Received pty with master fd 21 and slave fd 22 from child
lxc-start ovpn1 20200705171158.117 TRACE    start - start.c:lxc_recv_ttys_from_child:1447 - Received pty with master fd 23 and slave fd 24 from child
lxc-start ovpn1 20200705171158.117 TRACE    start - start.c:lxc_recv_ttys_from_child:1453 - Received 4 ttys from child
lxc-start ovpn1 20200705171158.117 NOTICE   start - start.c:post_start:2052 - Started "/sbin/init" with pid "14668"
lxc-start ovpn1 20200705171158.117 TRACE    lxccontainer - lxccontainer.c:wait_on_daemonized_start:856 - Container is in "RUNNING" state
lxc-start ovpn1 20200705171158.118 TRACE    start - start.c:lxc_serve_state_socket_pair:491 - Sent container state "RUNNING" to 5
lxc-start ovpn1 20200705171158.118 TRACE    start - start.c:lxc_serve_state_clients:427 - Set container state to RUNNING
lxc-start ovpn1 20200705171158.118 TRACE    start - start.c:lxc_serve_state_clients:430 - No state clients registered
lxc-start ovpn1 20200705171158.118 TRACE    start - start.c:lxc_poll:581 - Mainloop is ready
lxc-start ovpn1 20200705171158.118 NOTICE   start - start.c:signal_handler:393 - Received 17 from pid 14669 instead of container init 14668
lxc-start ovpn1 20200705171235.337 TRACE    commands - commands.c:lxc_cmd_accept:1555 - Accepted new client as fd 13 on command server fd 6
lxc-start ovpn1 20200705171235.337 TRACE    commands - commands.c:lxc_cmd_fd_cleanup:1467 - Closing client fd 13 for command "get_init_pid"
lxc-start ovpn1 20200705171235.337 TRACE    commands - commands.c:lxc_cmd_accept:1555 - Accepted new client as fd 13 on command server fd 6
lxc-start ovpn1 20200705171235.338 TRACE    commands - commands.c:lxc_cmd_fd_cleanup:1467 - Closing client fd 13 for command "get_init_pid"
lxc-start ovpn1 20200705171235.338 TRACE    commands - commands.c:lxc_cmd_accept:1555 - Accepted new client as fd 13 on command server fd 6
lxc-start ovpn1 20200705171235.338 TRACE    commands - commands.c:lxc_cmd_fd_cleanup:1467 - Closing client fd 13 for command "get_config_item"
lxc-start ovpn1 20200705171235.338 TRACE    commands - commands.c:lxc_cmd_accept:1555 - Accepted new client as fd 13 on command server fd 6
lxc-start ovpn1 20200705171235.338 TRACE    commands - commands.c:lxc_cmd_fd_cleanup:1467 - Closing client fd 13 for command "get_config_item"
lxc-start ovpn1 20200705171235.338 TRACE    commands - commands.c:lxc_cmd_accept:1555 - Accepted new client as fd 13 on command server fd 6
lxc-start ovpn1 20200705171235.339 TRACE    commands - commands.c:lxc_cmd_fd_cleanup:1467 - Closing client fd 13 for command "get_config_item"
lxc-start ovpn1 20200705171235.339 TRACE    commands - commands.c:lxc_cmd_accept:1555 - Accepted new client as fd 13 on command server fd 6
lxc-start ovpn1 20200705171235.339 TRACE    commands - commands.c:lxc_cmd_fd_cleanup:1467 - Closing client fd 13 for command "get_clone_flags"
lxc-start ovpn1 20200705171235.339 TRACE    commands - commands.c:lxc_cmd_accept:1555 - Accepted new client as fd 13 on command server fd 6
lxc-start ovpn1 20200705171235.339 TRACE    commands - commands.c:lxc_cmd_fd_cleanup:1467 - Closing client fd 13 for command "get_cgroup2_fd"
lxc-start ovpn1 20200705171235.340 TRACE    commands - commands.c:lxc_cmd_accept:1555 - Accepted new client as fd 13 on command server fd 6
lxc-start ovpn1 20200705171235.340 TRACE    commands - commands.c:lxc_cmd_fd_cleanup:1467 - Closing client fd 13 for command "get_cgroup"
lxc-start ovpn1 20200705171235.341 TRACE    commands - commands.c:lxc_cmd_accept:1555 - Accepted new client as fd 13 on command server fd 6
lxc-start ovpn1 20200705171235.341 TRACE    commands - commands.c:lxc_cmd_fd_cleanup:1467 - Closing client fd 13 for command "get_cgroup2_fd"
lxc-start ovpn1 20200705171235.341 TRACE    commands - commands.c:lxc_cmd_accept:1555 - Accepted new client as fd 13 on command server fd 6
lxc-start ovpn1 20200705171235.341 TRACE    commands - commands.c:lxc_cmd_fd_cleanup:1467 - Closing client fd 13 for command "get_cgroup"
lxc-start ovpn1 20200705171235.344 TRACE    commands - commands.c:lxc_cmd_accept:1555 - Accepted new client as fd 13 on command server fd 6
lxc-start ovpn1 20200705171235.344 TRACE    commands - commands.c:lxc_cmd_fd_cleanup:1467 - Closing client fd 13 for command "get_cgroup"
lxc-start ovpn1 20200705171235.345 TRACE    commands - commands.c:lxc_cmd_accept:1555 - Accepted new client as fd 13 on command server fd 6
lxc-start ovpn1 20200705171235.345 TRACE    commands - commands.c:lxc_cmd_fd_cleanup:1467 - Closing client fd 13 for command "get_cgroup"
lxc-start ovpn1 20200705171235.345 TRACE    commands - commands.c:lxc_cmd_accept:1555 - Accepted new client as fd 13 on command server fd 6
lxc-start ovpn1 20200705171235.345 TRACE    commands - commands.c:lxc_cmd_fd_cleanup:1467 - Closing client fd 13 for command "get_cgroup"
lxc-start ovpn1 20200705171235.345 TRACE    commands - commands.c:lxc_cmd_accept:1555 - Accepted new client as fd 13 on command server fd 6
lxc-start ovpn1 20200705171235.345 TRACE    commands - commands.c:lxc_cmd_fd_cleanup:1467 - Closing client fd 13 for command "get_cgroup"
lxc-start ovpn1 20200705171235.345 TRACE    commands - commands.c:lxc_cmd_accept:1555 - Accepted new client as fd 13 on command server fd 6
lxc-start ovpn1 20200705171235.345 TRACE    commands - commands.c:lxc_cmd_fd_cleanup:1467 - Closing client fd 13 for command "get_cgroup"
lxc-start ovpn1 20200705171235.345 TRACE    commands - commands.c:lxc_cmd_accept:1555 - Accepted new client as fd 13 on command server fd 6
lxc-start ovpn1 20200705171235.346 TRACE    commands - commands.c:lxc_cmd_fd_cleanup:1467 - Closing client fd 13 for command "get_cgroup"
lxc-start ovpn1 20200705171235.346 TRACE    commands - commands.c:lxc_cmd_accept:1555 - Accepted new client as fd 13 on command server fd 6
lxc-start ovpn1 20200705171235.346 TRACE    commands - commands.c:lxc_cmd_fd_cleanup:1467 - Closing client fd 13 for command "get_cgroup"
lxc-start ovpn1 20200705171235.346 TRACE    commands - commands.c:lxc_cmd_accept:1555 - Accepted new client as fd 13 on command server fd 6
lxc-start ovpn1 20200705171235.346 TRACE    commands - commands.c:lxc_cmd_fd_cleanup:1467 - Closing client fd 13 for command "get_cgroup"
lxc-start ovpn1 20200705171235.346 TRACE    commands - commands.c:lxc_cmd_accept:1555 - Accepted new client as fd 13 on command server fd 6
lxc-start ovpn1 20200705171235.346 TRACE    commands - commands.c:lxc_cmd_fd_cleanup:1467 - Closing client fd 13 for command "get_cgroup"
lxc-start ovpn1 20200705171235.346 TRACE    commands - commands.c:lxc_cmd_accept:1555 - Accepted new client as fd 13 on command server fd 6
lxc-start ovpn1 20200705171235.347 TRACE    commands - commands.c:lxc_cmd_fd_cleanup:1467 - Closing client fd 13 for command "get_cgroup"
lxc-start ovpn1 20200705171235.347 TRACE    commands - commands.c:lxc_cmd_accept:1555 - Accepted new client as fd 13 on command server fd 6
lxc-start ovpn1 20200705171235.347 TRACE    commands - commands.c:lxc_cmd_fd_cleanup:1467 - Closing client fd 13 for command "get_cgroup"

I’m afraid interpreting the trace file is getting beyond my capabilities!

Did you try with just /dev/net as create=dir?

@brauner something odd going on there

Yes, I tried these lines in the config, one at a time and both together.

lxc.mount.entry = /dev/net dev/net none bind,create=dir
lxc.mount.entry = /dev/net/tun dev/net/tun none bind,create=file

I also tried making a new device on the host (i.e. mknod /dev/net/tun1 c 10 200) and using that (i.e. replacing tun with tun1 everywhere).

I also tried using different “guest” OS templates. Same result always.

I stopped trying to get this working for a while, but came back to it. I managed to get it working by adding 0 0 to the end, i.e. what works for me is

lxc.cgroup.devices.allow = c 10:200 rwm
lxc.mount.entry = /dev/net dev/net none bind,create=dir 0 0

Maybe that helps someone else.

These are the steps to enable TUN/TAP on Proxmox LXC containers:

  1. Make sure your container is PRIVILEGED. If not, make a backup of the container, then restore it and check “Privileged Container”.

  2. Shut down the container and edit its configuration file located under /etc/pve/lxc/CTID.conf (CTID is the ID of your container).

  3. Add the following lines at the end of the file:

lxc.cgroup.devices.allow: c 10:200 rwm
lxc.hook.autodev: sh -c "modprobe tun; cd ${LXC_ROOTFS_MOUNT}/dev; mkdir net; mknod net/tun c 10 200; chmod 0666 net/tun"

  4. Save the configuration file and start the container.
  5. Make sure TUN is enabled by running the following command:

cat /dev/net/tun

This should output the following:

cat: /dev/net/tun: File descriptor in bad state

Now you can run VPN.

Thanks, this helped a lot!

IMHO, LXC-container does not have to run privileged.

(AFAICT, in unprivileged mode, LXC uses the PVE host’s kernel / tun. So, there is no need to modprobe for tun.ko in the LX container itself.)

With these additions to the .conf file, it works fine on unprivileged LXC.

**Debian Bullseye or Ubuntu:**

lxc.cgroup.devices.allow: c 10:200 rwm
lxc.cgroup2.devices.allow: c 10:200 rwm
lxc.mount.entry: /dev/net dev/net none bind,create=dir

Note: here both cgroup-variants are included for compatibility (https://medium.com/nttlabs/cgroup-v2-596d035be4d7)

Here’s what worked for me to enable OpenVPN on an LXC container…

You first must enable tun for Linux Containers. On your LXC host machine, create a new 00-openvpn.conf file in /usr/share/lxc/config/common.conf.d :

lxc.cgroup.devices.allow = c 10:200 rwm
lxc.mount.entry = /dev/net dev/net none bind,create=dir 0 0
lxc.mount.entry = /dev/net/tun dev/net/tun none bind,create=file

Next, create an OpenVPN client config file for each Linux Container on your OpenVPN server. Now start up the Linux Container, switch to the root user, and copy the new config file (.ovpn) into some folder and start up OpenVPN: openvpn --config somefile.ovpn --daemon
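
An added example, not taken from any post in this thread: a small Python check that reads an LXC or Proxmox container config and reports how it exposes /dev/net/tun (device cgroup rule, bind mount, or mknod hook) and whether the device rule is wider than the single `c 10:200` device. The function names and the wording of the findings are assumptions of this example; the three sample configs are the snippets posted above.

```python
import re

TUN_DEV = "10:200"  # character device major 10, minor 200: /dev/net/tun
ALLOW_KEYS = {"lxc.cgroup.devices.allow": "v1", "lxc.cgroup2.devices.allow": "v2"}

# Config snippets as posted in the thread.
QUESTION_CONFIG = """
lxc.cgroup.devices.allow = c 10:200 rwm
lxc.mount.entry = /dev/net/tun dev/net/tun none bind,create=file
"""
PROXMOX_CONFIG = """
lxc.cgroup.devices.allow: c 10:200 rwm
lxc.hook.autodev: sh -c "modprobe tun; cd ${LXC_ROOTFS_MOUNT}/dev; mkdir net; mknod net/tun c 10 200; chmod 0666 net/tun"
"""
UNPRIVILEGED_CONFIG = """
lxc.cgroup.devices.allow: c 10:200 rwm
lxc.cgroup2.devices.allow: c 10:200 rwm
lxc.mount.entry: /dev/net dev/net none bind,create=dir
"""


def parse_lxc_config(text):
    """Yield (key, value) pairs; accepts 'key = value' and Proxmox 'key: value'."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"([A-Za-z0-9_.]+)\s*[=:]\s*(.+)$", line)
        if m:
            yield m.group(1), m.group(2).strip()


def audit_tun_config(text):
    """Summarise how a config exposes /dev/net/tun and list points to review."""
    report = {"v1": False, "v2": False, "provision": set(), "findings": []}
    findings = report["findings"]
    for key, value in parse_lxc_config(text):
        fields = value.split()
        if key in ALLOW_KEYS:
            # Rule format: <type> <major>:<minor> <access>; a bare "a" means all devices.
            if fields[0] == "a" or (len(fields) > 1 and "*" in fields[1]):
                findings.append(f"{key}: '{value}' allows more than the tun device")
            elif len(fields) == 3 and fields[0] == "c" and fields[1] == TUN_DEV:
                report[ALLOW_KEYS[key]] = True
        elif key == "lxc.mount.entry" and len(fields) >= 4:
            # fstab-style line: source target fstype options [dump pass]
            target, opts = fields[1].lstrip("/"), fields[3].split(",")
            if target not in ("dev/net", "dev/net/tun"):
                continue
            is_dir = target == "dev/net"
            want = "create=dir" if is_dir else "create=file"
            if "bind" in opts and want in opts:
                report["provision"].add("bind-dir" if is_dir else "bind-file")
            else:
                findings.append(f"mount entry for {target} lacks bind,{want}")
            if len(fields) == 4:
                findings.append(f"mount entry for {target} has no trailing '0 0' fields")
        elif key == "lxc.hook.autodev":
            if re.search(r"mknod\s+\S*net/tun\s+c\s+10\s+200", value):
                report["provision"].add("mknod-hook")
    if not (report["v1"] or report["v2"]):
        findings.append("no devices.allow rule for c 10:200")
    elif not report["v2"]:
        findings.append("only lxc.cgroup.devices.allow is set, no lxc.cgroup2 rule")
    if not report["provision"]:
        findings.append("nothing creates or binds /dev/net/tun in the container")
    return report


if __name__ == "__main__":
    samples = {
        "question": QUESTION_CONFIG,
        "proxmox": PROXMOX_CONFIG,
        "unprivileged": UNPRIVILEGED_CONFIG,
    }
    for name, cfg in samples.items():
        result = audit_tun_config(cfg)
        print(name, sorted(result["provision"]), "v1" if result["v1"] else "-",
              "v2" if result["v2"] else "-")
        for finding in result["findings"]:
            print("   review:", finding)
```

The findings are prompts for review, not verdicts: the missing `0 0` fields mattered for one poster and not for another.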