Systemd permission problems in lxd container

grzs · December 14, 2017, 9:54am

Hello,

I am sorry if this is an old story and a lot of discussion went on these forums on this topic, I haven’t find any …

The story:
I installed an openvpn server in an ubuntu based lxd container (privileged) in an ubuntu host, as I did it before few times with success. This time I encountered permission troubles with systemd. If I start openvpn server by hand as root using the same command what’s in the systemd unit file, everything is going well, but when I want to start it by systemd it can’t access file var/log/openvpn/openvpn-status.log and can’t stat tun device.

I don’t know systemd so deep and I can’t imagine what can be the problem as it runs by default as root.
I suppose its related to lxd somehow but I can’t see what’s under the hood.
I would appreciate any suggestion.

stgraber · December 15, 2017, 4:47am

Yeah, I did hit that problem in the past, looks like the fix I have here is:

[Service]
LimitNPROC=infinity

As a systemd unit override which you can set with systemctl edit openvpn

grzs · December 15, 2017, 10:29am

Thank you for the quick response!

I tried to set this variable to 10 already, but now I tried to set it via `systemctl edit` to ‘infinity’ and the problem is the same.
Here is the journalctl output:
`Dec 15 10:15:17 vpn systemd[1]: Couldn’t stat device /dev/net/tun0
Dec 15 10:15:17 vpn systemd[1]: Starting OpenVPN connection to server…
– Subject: Unit openvpn@server.service has begun start-up
– Defined-By: systemd
– Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel

– Unit openvpn@server.service has begun starting up.
Dec 15 10:15:17 vpn systemd[1]: Failed to reset devices.list on /system.slice/openvpn.service: Operation not permitted
Dec 15 10:15:17 vpn ovpn-server[931]: Warning: Error redirecting stdout/stderr to --log file: /var/log/openvpn/openvpn.log: Permission denied (errno=13)
Dec 15 10:15:17 vpn ovpn-server[931]: Options error: --status fails with ‘/var/log/openvpn/openvpn-status.log’: Permission denied
Dec 15 10:15:17 vpn ovpn-server[931]: Options error: Please correct these errors.
Dec 15 10:15:17 vpn ovpn-server[931]: Use --help for more information.
Dec 15 10:15:17 vpn systemd[1]: openvpn@server.service: Control process exited, code=exited status=1
Dec 15 10:15:17 vpn systemd[1]: Failed to start OpenVPN connection to server.
`

… and here is the unit file openvpn@.service:
[Service] PrivateTmp=true KillMode=mixed Type=forking ExecStart=/usr/sbin/openvpn --daemon ovpn-%i --status /run/openvpn/%i.status 10 --cd /etc/openvpn --script-security 2 --config /etc/openvpn/%i.conf --writepid /run/openvpn/%i.pid PIDFile=/run/openvpn/%i.pid ExecReload=/bin/kill -HUP $MAINPID WorkingDirectory=/etc/openvpn ProtectSystem=yes CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_READ_SEARCH CAP_AUDIT_WRITE DeviceAllow=/dev/null rw DeviceAllow=/dev/net/tun0 rw

grzs · December 15, 2017, 10:49am

I am sorry, I made a mistake!!!
I forgot to give the override the [Service] header. I corrected and it works!
It can create the tun device (although it still can’t write log files in /var/log/openvpn but it’s not necessary).

Many thanks!!! And congratulation for all this lxc stuff, it’s so smart and simple, I love it!

tserversbfs · March 8, 2018, 11:55pm

I had to use:

systemctl edit openvpn@
Note: the @ had to be added

[Service]
LimitNPROC=infinity

gave me:

[/etc/systemd/system/openvpn@.service.d/override.conf:2] Failed to parse resource value, ignoring: infinity

[Service]
LimitNPROC=1000

worked.

Thanks!