Systemd permission problems in lxd container


(János Gerzson) #1

Hello,

I am sorry if this is an old story and a lot of discussion has gone on in these forums on this topic; I haven't found any ...

The story:
I installed an OpenVPN server in an Ubuntu-based LXD container (privileged) on an Ubuntu host, as I have done a few times before with success. This time I encountered permission troubles with systemd. If I start the OpenVPN server by hand as root using the same command that is in the systemd unit file, everything goes well, but when I want to start it via systemd it can't access the file /var/log/openvpn/openvpn-status.log and can't stat the tun device.

I don't know systemd that deeply and I can't imagine what the problem could be, as it runs as root by default.
I suppose it's related to LXD somehow, but I can't see what's under the hood.
I would appreciate any suggestion.


(Stéphane Graber) #2

Yeah, I did hit that problem in the past; it looks like the fix I have here is:

[Service]
LimitNPROC=infinity

As a systemd unit override, which you can set with systemctl edit openvpn.


(János Gerzson) #3

Thank you for the quick response!

I had already tried setting this variable to 10, but now I tried setting it via systemctl edit to 'infinity' and the problem is the same.
Here is the journalctl output:
Dec 15 10:15:17 vpn systemd[1]: Couldn't stat device /dev/net/tun0
Dec 15 10:15:17 vpn systemd[1]: Starting OpenVPN connection to server...
-- Subject: Unit openvpn@server.service has begun start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit openvpn@server.service has begun starting up.
Dec 15 10:15:17 vpn systemd[1]: Failed to reset devices.list on /system.slice/openvpn.service: Operation not permitted
Dec 15 10:15:17 vpn ovpn-server[931]: Warning: Error redirecting stdout/stderr to --log file: /var/log/openvpn/openvpn.log: Permission denied (errno=13)
Dec 15 10:15:17 vpn ovpn-server[931]: Options error: --status fails with '/var/log/openvpn/openvpn-status.log': Permission denied
Dec 15 10:15:17 vpn ovpn-server[931]: Options error: Please correct these errors.
Dec 15 10:15:17 vpn ovpn-server[931]: Use --help for more information.
Dec 15 10:15:17 vpn systemd[1]: openvpn@server.service: Control process exited, code=exited status=1
Dec 15 10:15:17 vpn systemd[1]: Failed to start OpenVPN connection to server.

... and here is the unit file openvpn@.service:
[Service]
PrivateTmp=true
KillMode=mixed
Type=forking
ExecStart=/usr/sbin/openvpn --daemon ovpn-%i --status /run/openvpn/%i.status 10 --cd /etc/openvpn --script-security 2 --config /etc/openvpn/%i.conf --writepid /run/openvpn/%i.pid
PIDFile=/run/openvpn/%i.pid
ExecReload=/bin/kill -HUP $MAINPID
WorkingDirectory=/etc/openvpn
ProtectSystem=yes
CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_READ_SEARCH CAP_AUDIT_WRITE
DeviceAllow=/dev/null rw
DeviceAllow=/dev/net/tun0 rw


(János Gerzson) #4

I am sorry, I made a mistake!!!!
I forgot to give the override the [Service] header. I corrected it and it works!
It can create the tun device (although it still can't write log files in /var/log/openvpn, but that's not necessary).

Many thanks!!! And congratulations on all this LXC stuff, it's so smart and simple, I love it!


(Tserversbfs) #5

I had to use:

systemctl edit openvpn@
Note: the @ had to be added.

[Service]
LimitNPROC=infinity

gave me:

[/etc/systemd/system/openvpn@.service.d/override.conf:2] Failed to parse resource value, ignoring: infinity

[Service]
LimitNPROC=1000

worked.

Thanks!
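The three pitfalls in this thread (the drop-in needs a [Service] header as in post #4, the template unit openvpn@ is what gets edited as in post #5, and an older systemd silently ignores LimitNPROC=infinity with a "Failed to parse resource value" warning as in post #5) can be checked mechanically. The script below is an added example written for this page, not code from the thread or from the LXD or OpenVPN projects; it assumes the Debian/Ubuntu openvpn@.service template unit and standard /etc/systemd paths, and the numeric fallback 1000 is the value that worked in post #5.

```shell
#!/bin/sh
# Added example: write the LimitNPROC drop-in safely and verify systemd accepted it.
# Assumptions: Debian/Ubuntu openvpn@.service template, standard /etc/systemd layout.
set -eu

FALLBACK_NPROC=1000   # numeric value that worked in post #5 on a systemd rejecting "infinity"

# openvpn@server or openvpn@server.service -> openvpn@.service (the "@" from post #5).
template_unit() {
    case "$1" in
        *@*) printf '%s@.service\n' "${1%%@*}" ;;
        *)   echo "not a template instance: $1" >&2; return 1 ;;
    esac
}

# Drop-in text. Without the [Service] header systemd ignores the setting (post #4).
override_conf() {
    printf '[Service]\nLimitNPROC=%s\n' "$1"
}

# 0 when the drop-in text carries LimitNPROC= under a [Service] header.
override_is_valid() {
    printf '%s\n' "$1" | awk '
        /^\[/ { sect = $0 }
        /^LimitNPROC=/ && sect == "[Service]" { ok = 1 }
        END { exit ok ? 0 : 1 }'
}

# 0 when the line from "systemctl show -p LimitNPROC" reflects the requested value.
# Older systemctl prints RLIM_INFINITY as 18446744073709551615 instead of "infinity";
# an ignored value leaves the default numeric limit in place, which fails this check.
limit_applied() {   # limit_applied REQUESTED "LimitNPROC=EFFECTIVE"
    eff=${2#LimitNPROC=}
    case "$1" in
        infinity) [ "$eff" = infinity ] || [ "$eff" = 18446744073709551615 ] ;;
        *)        [ "$eff" = "$1" ] ;;
    esac
}

# apply_override openvpn@server [limit]  (needs root and a running systemd)
apply_override() {
    unit=$(template_unit "$1"); limit=${2:-infinity}
    dir=/etc/systemd/system/$unit.d
    conf=$(override_conf "$limit")
    override_is_valid "$conf" || { echo "drop-in lacks [Service] header" >&2; return 1; }
    mkdir -p "$dir" && printf '%s\n' "$conf" > "$dir/override.conf"
    systemctl daemon-reload
    if ! limit_applied "$limit" "$(systemctl show -p LimitNPROC "$1")"; then
        echo "systemd ignored LimitNPROC=$limit, falling back to $FALLBACK_NPROC" >&2
        override_conf "$FALLBACK_NPROC" > "$dir/override.conf"
        systemctl daemon-reload
    fi
    systemctl show -p LimitNPROC "$1"
}
```

Run it as root with apply_override openvpn@server; the functions above it are pure text checks and can be exercised without systemd.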