Systemd permission problems in lxd container

(János Gerzson) #1


I am sorry if this is an old story and a lot of discussion has gone on in these forums on this topic; I haven't found any ...

The story:
I installed an openvpn server in an ubuntu based lxd container (privileged) on an ubuntu host, as I have done a few times before with success. This time I encountered permission troubles with systemd. If I start the openvpn server by hand as root using the same command that's in the systemd unit file, everything goes well, but when I want to start it with systemd it can't access the file var/log/openvpn/openvpn-status.log and can't stat the tun device.

I don't know systemd that deeply and I can't imagine what the problem can be, as it runs as root by default.
I suppose it's related to lxd somehow but I can't see what's under the hood.
I would appreciate any suggestion.

(Stéphane Graber) #2

Yeah, I did hit that problem in the past; it looks like the fix I have here is:


As a systemd unit override which you can set with systemctl edit openvpn

(János Gerzson) #3

Thank you for the quick response!

I tried to set this variable to 10 already, but now I tried to set it via systemctl edit to 'infinity' and the problem is the same.
Here is the journalctl output:
Dec 15 10:15:17 vpn systemd[1]: Couldn't stat device /dev/net/tun0
Dec 15 10:15:17 vpn systemd[1]: Starting OpenVPN connection to server...
-- Subject: Unit openvpn@server.service has begun start-up
-- Defined-By: systemd
-- Support:
-- Unit openvpn@server.service has begun starting up.
Dec 15 10:15:17 vpn systemd[1]: Failed to reset devices.list on /system.slice/openvpn.service: Operation not permitted
Dec 15 10:15:17 vpn ovpn-server[931]: Warning: Error redirecting stdout/stderr to --log file: /var/log/openvpn/openvpn.log: Permission denied (errno=13)
Dec 15 10:15:17 vpn ovpn-server[931]: Options error: --status fails with '/var/log/openvpn/openvpn-status.log': Permission denied
Dec 15 10:15:17 vpn ovpn-server[931]: Options error: Please correct these errors.
Dec 15 10:15:17 vpn ovpn-server[931]: Use --help for more information.
Dec 15 10:15:17 vpn systemd[1]: openvpn@server.service: Control process exited, code=exited status=1
Dec 15 10:15:17 vpn systemd[1]: Failed to start OpenVPN connection to server.

... and here is the unit file openvpn@.service:
ExecStart=/usr/sbin/openvpn --daemon ovpn-%i --status /run/openvpn/%i.status 10 --cd /etc/openvpn --script-security 2 --config /etc/openvpn/%i.conf --writepid /run/openvpn/
ExecReload=/bin/kill -HUP $MAINPID
DeviceAllow=/dev/null rw
DeviceAllow=/dev/net/tun0 rw

(János Gerzson) #4

I am sorry, I made a mistake!!!!
I forgot to give the override the [Service] header. I corrected and it works!
It can create the tun device (although it still can't write log files in /var/log/openvpn but it's not necessary).

Many thanks!!! And congratulations for all this lxc stuff, it's so smart and simple, I love it!
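The mistake in post #4 (a directive written into the override with no [Service] header) is silently dropped by systemd, so the unit runs unchanged. The following is an added example, not code from the thread or from LXD: a small sh/awk checker for a drop-in file such as /etc/systemd/system/openvpn@.service.d/override.conf. The thread does not reproduce its own override line, so LimitNPROC=infinity below is a constructed sample directive, and the file paths are constructed in a temporary directory.

```shell
#!/bin/sh
# Added example, not code from the thread: a checker for a systemd drop-in file
# such as /etc/systemd/system/openvpn@.service.d/override.conf (the path for an
# instance unit edited with "systemctl edit openvpn@").
# The failure mode from post #4: a directive written before any [Service]
# header is an "assignment outside of section", which systemd logs and then
# ignores, so the unit starts exactly as it did without the override.

# check_dropin FILE
#   returns 0 when every Key=Value line sits under a [Section] header,
#   1 when a directive precedes any header or a line is unparsable,
#   2 when FILE is not readable.
check_dropin() {
    [ -r "$1" ] || return 2
    awk '
        BEGIN { in_section = 0; bad = 0 }
        /^[[:space:]]*$/ || /^[[:space:]]*[#;]/ { next }       # blank or comment
        /^\[[A-Za-z]+\][[:space:]]*$/ { in_section = 1; next }  # [Service], [Unit], ...
        /^[A-Za-z][A-Za-z0-9]*=/ {                                # Key=Value directive
            if (!in_section) {
                printf "%s:%d: assignment outside of section, systemd will ignore it: %s\n", FILENAME, NR, $0
                bad = 1
            }
            next
        }
        { printf "%s:%d: unparsable line: %s\n", FILENAME, NR, $0; bad = 1 }
        END { exit bad }
    ' "$1"
}

# Constructed samples: the thread does not reproduce its own override text,
# so LimitNPROC=infinity below is an assumed directive used only to illustrate.
demo_dir=$(mktemp -d)
printf 'LimitNPROC=infinity\n' > "$demo_dir/missing-header.conf"
printf '[Service]\nLimitNPROC=infinity\n' > "$demo_dir/with-header.conf"

for f in "$demo_dir/missing-header.conf" "$demo_dir/with-header.conf"; do
    if check_dropin "$f"; then echo "OK   $f"; else echo "FAIL $f"; fi
done
# After fixing a hand-written drop-in, run "systemctl daemon-reload";
# "systemctl edit" does this for you.
```

Running it reports the header-less file as FAIL and the corrected one as OK, which is the difference between post #3 and post #4.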

(Tserversbfs) #5

I had to use:

systemctl edit openvpn@
Note: the @ had to be added


gave me:

[/etc/systemd/system/openvpn@.service.d/override.conf:2] Failed to parse resource value, ignoring: infinity