Systemd permission problems in lxd container


I am sorry if this is an old story and a lot of discussion went on these forums on this topic, I haven’t find any …

The story:
I installed an openvpn server in an ubuntu based lxd container (privileged) in an ubuntu host, as I did it before few times with success. This time I encountered permission troubles with systemd. If I start openvpn server by hand as root using the same command what’s in the systemd unit file, everything is going well, but when I want to start it by systemd it can’t access file var/log/openvpn/openvpn-status.log and can’t stat tun device.

I don’t know systemd so deep and I can’t imagine what can be the problem as it runs by default as root.
I suppose its related to lxd somehow but I can’t see what’s under the hood.
I would appreciate any suggestion.

Yeah, I did hit that problem in the past, looks like the fix I have here is:


As a systemd unit override which you can set with systemctl edit openvpn

Thank you for the quick response!

I tried to set this variable to 10 already, but now I tried to set it via systemctl edit to ‘infinity’ and the problem is the same.
Here is the journalctl output:
`Dec 15 10:15:17 vpn systemd[1]: Couldn’t stat device /dev/net/tun0
Dec 15 10:15:17 vpn systemd[1]: Starting OpenVPN connection to server…
– Subject: Unit openvpn@server.service has begun start-up
– Defined-By: systemd
– Support:

– Unit openvpn@server.service has begun starting up.
Dec 15 10:15:17 vpn systemd[1]: Failed to reset devices.list on /system.slice/openvpn.service: Operation not permitted
Dec 15 10:15:17 vpn ovpn-server[931]: Warning: Error redirecting stdout/stderr to --log file: /var/log/openvpn/openvpn.log: Permission denied (errno=13)
Dec 15 10:15:17 vpn ovpn-server[931]: Options error: --status fails with ‘/var/log/openvpn/openvpn-status.log’: Permission denied
Dec 15 10:15:17 vpn ovpn-server[931]: Options error: Please correct these errors.
Dec 15 10:15:17 vpn ovpn-server[931]: Use --help for more information.
Dec 15 10:15:17 vpn systemd[1]: openvpn@server.service: Control process exited, code=exited status=1
Dec 15 10:15:17 vpn systemd[1]: Failed to start OpenVPN connection to server.

… and here is the unit file openvpn@.service:
[Service] PrivateTmp=true KillMode=mixed Type=forking ExecStart=/usr/sbin/openvpn --daemon ovpn-%i --status /run/openvpn/%i.status 10 --cd /etc/openvpn --script-security 2 --config /etc/openvpn/%i.conf --writepid /run/openvpn/ PIDFile=/run/openvpn/ ExecReload=/bin/kill -HUP $MAINPID WorkingDirectory=/etc/openvpn ProtectSystem=yes CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_READ_SEARCH CAP_AUDIT_WRITE DeviceAllow=/dev/null rw DeviceAllow=/dev/net/tun0 rw

I am sorry, I made a mistake!!!
I forgot to give the override the [Service] header. I corrected and it works!
It can create the tun device (although it still can’t write log files in /var/log/openvpn but it’s not necessary).

Many thanks!!! And congratulation for all this lxc stuff, it’s so smart and simple, I love it!

I had to use:

systemctl edit openvpn@
Note: the @ had to be added


gave me:

[/etc/systemd/system/openvpn@.service.d/override.conf:2] Failed to parse resource value, ignoring: infinity