How to run openvpn in a LXC container inside debian host?
Adding
    lxc.mount.entry = /dev/net/tun dev/net/tun none bind,create=file
in the container's config file bind-mounts the tun char device inside the container, which solves the problem.
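The fix above applied to the configuration from the question, as an added example that is not part of the original answer: it drops the devices.allow rule that an unprivileged lxc-start cannot apply, appends the bind mount, and shows how to confirm the device from inside the container. The helper names (fix_config, has_tun_mount, verify_in_container) and the container name and config path (ubuntu, ~/.local/share/lxc/ubuntu/config) are assumptions taken from the question's layout.

```shell
#!/bin/sh
# Added example, not code from the original answer. Assumes the container is
# named "ubuntu" and its config lives at ~/.local/share/lxc/ubuntu/config,
# the layout the question uses. Override with CONTAINER= and CONF=.

CONTAINER="${CONTAINER:-ubuntu}"
CONF="${CONF:-${HOME:-/root}/.local/share/lxc/$CONTAINER/config}"

# The single line the answer adds: bind-mount the host's tun char device
# into the container, creating the mount point as a file.
tun_mount_entry() {
    printf '%s\n' 'lxc.mount.entry = /dev/net/tun dev/net/tun none bind,create=file'
}

# 0 if config $1 already bind-mounts /dev/net/tun, either the device file
# itself or the whole /dev/net directory (the variant mentioned in the comments).
has_tun_mount() {
    grep -Eq '^[[:space:]]*lxc\.mount\.entry[[:space:]]*=[[:space:]]*/dev/net(/tun)?[[:space:]]+dev/net(/tun)?[[:space:]]+none[[:space:]]+bind' "$1"
}

# 0 if config $1 still carries the devices cgroup rule for 10:200 that makes
# lxc-start fail for an unprivileged container (lxc.cgroup2.* on cgroup v2 hosts).
has_tun_cgroup_rule() {
    grep -Eq '^[[:space:]]*lxc\.cgroup2?\.devices\.allow[[:space:]]*=[[:space:]]*c[[:space:]]+10:200([[:space:]]|$)' "$1"
}

# Write a corrected copy of config $1 to $2: remove the cgroup rule and append
# the bind mount, but only if no tun mount entry is present yet (idempotent).
fix_config() {
    grep -Ev '^[[:space:]]*lxc\.cgroup2?\.devices\.allow[[:space:]]*=[[:space:]]*c[[:space:]]+10:200([[:space:]]|$)' "$1" > "$2" || :
    has_tun_mount "$2" || tun_mount_entry >> "$2"
}

# After lxc-stop / lxc-start, check from inside container $1 that the device is
# visible and that root there can create and remove a tun interface. Runs as
# root inside the container, which is what OpenVPN needs there too.
verify_in_container() {
    lxc-attach -n "$1" -- sh -c 'ls -l /dev/net/tun && openvpn --mktun --dev tun0 && openvpn --rmtun --dev tun0'
}

# Typical use (not executed automatically when this file is sourced):
#   fix_config "$CONF" "$CONF.new" && mv "$CONF.new" "$CONF"
#   lxc-stop -n "$CONTAINER"; lxc-start -n "$CONTAINER"; verify_in_container "$CONTAINER"
```

Two points worth keeping in mind. An unprivileged container is started by your own user, which has no write access to the devices cgroup controller, so any lxc.cgroup.devices.allow rule fails at start time; the bind mount sidesteps the cgroup entirely by exposing the host's existing /dev/net/tun node. Opening that node is ordinary file access, but creating a tun interface on it still requires CAP_NET_ADMIN over the container's network namespace, which root inside the container holds and an unprivileged user inside it does not, hence the advice in the comments to run openvpn as root there. Also, the question's config uses the pre-3.0 key names (lxc.id_map, lxc.utsname, lxc.network.*); LXC 3 renamed them to lxc.idmap, lxc.uts.name and lxc.net.0.*, while lxc.mount.entry kept its name.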
omega
Updated on September 18, 2022

Comments
- omega, over 1 year ago:
I am running Debian stretch on my host and I try to configure OpenVPN inside an Ubuntu xenial LXC guest.
Because OpenVPN needs a tun device, I followed guides such as http://heider.io/blog/2013/10/26/openvpn-in-a-lxc-container/ to allow tun device creation inside the container.
Unfortunately, setting
    lxc.cgroup.devices.allow = c 10:200 rwm
in the container's config file gives me this error:
    lxc-start ERROR lxc_cgfsng - cgroups/cgfsng.c:cgfsng_setup_limits:1949 - No such file or directory - Error setting devices.allow to c 10:200 rwm for ubuntu
    lxc-start ERROR lxc_start - start.c:lxc_spawn:1236 - Failed to setup the devices cgroup for container "ubuntu".
    lxc-start ERROR lxc_start - start.c:__lxc_start:1346 - Failed to spawn container "ubuntu".
Edit
I am trying to achieve this in an unprivileged LXC container; here is the full configuration of this container:
    # Distribution configuration
    lxc.include = /usr/share/lxc/config/ubuntu.common.conf
    lxc.include = /usr/share/lxc/config/ubuntu.userns.conf
    lxc.arch = x86_64
    # Container specific configuration
    lxc.id_map = u 0 100000 65536
    lxc.id_map = g 0 100000 65536
    lxc.rootfs = /home/myuser/.local/share/lxc/ubuntu/rootfs
    lxc.rootfs.backend = dir
    lxc.utsname = ubuntu
    # Network configuration
    lxc.network.type = veth
    lxc.network.flags = up
    lxc.network.link = br0
    lxc.network.hwaddr = 00:11:22:aa:bb:cc
    lxc.network.ipv4 = 192.168.1.101/24
    lxc.network.ipv4.gateway = 192.168.1.1
    # trying to get /dev/net/tun inside container
    lxc.cgroup.devices.allow = c 10:200 rwm
When I do not set the devices.allow option, in order to be able to start the container, I can see that processes inside the container are in the cgroup /sys/fs/cgroup/devices/user.slice (their PIDs, viewed from outside the container, are actually in the cgroup.procs file of this subdirectory), and from there:
    $ cat devices.list
    a *:* rwm
but from inside the container:
    # mknod /dev/net/tun c 10 200
    mknod: /dev/net/tun: Operation not permitted
- Daniel B, about 7 years ago: You're probably missing kernel support for "devices" control groups.
- MariusMatutiae, about 7 years ago: Why exactly do you want to do this in a container? It can be done more easily by setting up a second network namespace, which is the same thing the container does, except there is none of the container overhead.
- omega, about 7 years ago: @MariusMatutiae: It's for test purposes, I want a fully functional Linux container without having to run a virtual machine.
- omega, about 7 years ago: @DanielB: How could I check that? What could I do about it?
- Daniel B, about 7 years ago: So I installed the current Debian from scratch and the option works fine. Please verify that all cgroup filesystems (cpuset, cpu/cpuacct, devices, freezer, net_cls/net_prio, blkio and perf_event) are correctly mounted at /sys/fs/cgroup. If not, there may be an error somewhere in your boot configuration. Are you running systemd? Is your Debian installation old and upgraded?
- omega, about 7 years ago: @DanielB: Thanks for your time, all these cgroups are correctly mounted though. This is a clean Debian installation, using systemd (4.9.0-2-amd64 #1 SMP Debian 4.9.18-1 (2017-03-30) x86_64 GNU/Linux).
- Daniel B, about 7 years ago: Hm. Are you perhaps trying to start the container while logged in to a non-root account? When I run a container (with or without said config option), its cgroup is available at /sys/fs/cgroup/devices/lxc/<name>. devices.allow is there.
- omega, about 7 years ago: @DanielB I realize I didn't mention it, but I'm running an unprivileged container, thus I start the container while logged in as a non-root account. I do not have a device cgroup for it, but I do get a freezer, memory and systemd cgroup under /sys/fs/cgroup/freezer/user/ghost/0/lxc/ubuntu, /sys/fs/cgroup/memory/user/ghost/0/lxc/ubuntu and /sys/fs/cgroup/systemd/user.slice/user-1000.slice/session-1.scope/lxc/ubuntu.
- baptx, over 5 years ago: Thanks, this worked for me, but don't forget to run openvpn as root inside of the container (I forgot to use sudo and thought the problem came from somewhere else).
- baptx, almost 4 years ago: Note that you have to add this in the container configuration, for example .local/share/lxc/debian/config (replace debian with your container name). I was wondering why it did not work because I added this line in .config/lxc/default.conf instead. By the way, I noticed a configuration like
    lxc.mount.entry = /dev/net dev/net none bind,create=dir
(from wiki.archlinux.org/index.php/…) works also. Is this solution better than
    lxc.mount.entry = /dev/net/tun dev/net/tun none bind,create=file
from your answer? Creating the file seems not needed.