Re: [lxc-users] OpenVPN in Debian Jessie container

2016-05-30 Thread Serge E. Hallyn
On Mon, May 30, 2016 at 09:04:26AM -0600, Joshua Schaeffer wrote:
> >For starters, from "man lxc.container.conf"
> >
> >lxc.hook.autodev
> >   A hook to be run in the container's namespace after mounting
> >   has been done and after any mount hooks have run, but before
> >   the pivot_root, if lxc.autodev == 1.
> >
> >You can never modprobe in an unprivileged container's namespace.
> >
> >Another thing, AFAIK the hooks only accept one parameter: a script name. So 
> >you need to have a script (e.g. /usr/local/bin/my_script) inside the 
> >container.
> >
> I actually tried that already as well and it resulted in the exact same error:
> 
> lxc.autodev = 1
> lxc.hook.autodev = /home/lxcuser/.local/share/lxc/autodev/vpn_barracks
> lxc.cgroup.devices.deny = a
> lxc.cgroup.devices.allow = c 10:200 rwm
> 
> lxcuser@corsair:~/.local/share/lxc$ cat autodev/vpn_barracks
> #!/bin/bash
> cd ${LXC_ROOTFS_MOUNT}/dev
> mkdir net
> mknod net/tun c 10 200

This script runs as your unprivileged user, so you cannot mknod.
___
lxc-users mailing list
lxc-users@lists.linuxcontainers.org
http://lists.linuxcontainers.org/listinfo/lxc-users

Re: [lxc-users] OpenVPN in Debian Jessie container

2016-05-30 Thread Joshua Schaeffer

> For starters, from "man lxc.container.conf"
> 
> lxc.hook.autodev
>    A hook to be run in the container's namespace after mounting
>    has been done and after any mount hooks have run, but before
>    the pivot_root, if lxc.autodev == 1.
> 
> You can never modprobe in an unprivileged container's namespace.
> 
> Another thing, AFAIK the hooks only accept one parameter: a script name. So 
> you need to have a script (e.g. /usr/local/bin/my_script) inside the container.


I actually tried that already as well and it resulted in the exact same error:

lxc.autodev = 1
lxc.hook.autodev = /home/lxcuser/.local/share/lxc/autodev/vpn_barracks
lxc.cgroup.devices.deny = a
lxc.cgroup.devices.allow = c 10:200 rwm

lxcuser@corsair:~/.local/share/lxc$ cat autodev/vpn_barracks
#!/bin/bash
cd ${LXC_ROOTFS_MOUNT}/dev
mkdir net
mknod net/tun c 10 200
chmod 0666 net/tun

lxc-start -n vpn_barracks --logpriority=DEBUG

...
lxc-start 1464620477.814 INFO lxc_conf - conf.c:run_script_argv:362 - Executing script '/usr/share/lxcfs/lxc.mount.hook' for container 'vpn_barracks', config section 'lxc'
lxc-start 1464620477.893 INFO lxc_conf - conf.c:run_script_argv:362 - Executing script '/home/lxcuser/.local/share/lxc/autodev/vpn_barracks' for container 'vpn_barracks', config section 'lxc'
lxc-start 1464620477.900 ERROR lxc_conf - conf.c:run_buffer:342 - Script exited with status 1
lxc-start 1464620477.900 ERROR lxc_conf - conf.c:lxc_setup:3947 - failed to run autodev hooks for container 'vpn_barracks'.
lxc-start 1464620477.900 ERROR lxc_start - start.c:do_start:717 - failed to setup the container
lxc-start 1464620477.900 ERROR lxc_sync - sync.c:__sync_wait:51 - invalid sequence number 1. expected 2
lxc-start 1464620477.942 ERROR lxc_start - start.c:__lxc_start:1192 - failed to spawn 'vpn_barracks'
lxc-start 1464620477.998 WARN lxc_commands - commands.c:lxc_cmd_rsp_recv:172 - command get_init_pid failed to receive response
lxc-start 1464620477.999 WARN lxc_cgmanager - cgmanager.c:cgm_get:994 - do_cgm_get exited with error
lxc-start 1464620483.004 ERROR lxc_start_ui - lxc_start.c:main:344 - The container failed to start.
lxc-start 1464620483.004 ERROR lxc_start_ui - lxc_start.c:main:346 - To get more details, run the container in foreground mode.
lxc-start 1464620483.004 ERROR lxc_start_ui - lxc_start.c:main:348 - Additional information can be obtained by setting the --logfile and --logpriority options.

Since the error was exactly the same I figured LXC was simply executing 
whatever parameter lxc.hook.autodev was provided, regardless of whether it was 
a file or not.


> My best advice is to bind-mount /dev/net/tun from the host (lxc.mount.entry) instead 
> of using lxc.hook.autodev, and try again. I'm not even sure that /dev/net/tun 
> works for unpriv containers (fuse doesn't), so if that still doesn't work, you 
> probably want to try a privileged container.



Okay, thanks, I'll try this, especially after Wojtek's comments saying this 
should work.

Thanks,
Joshua


Re: [lxc-users] OpenVPN in Debian Jessie container

2016-05-30 Thread Wojtek Swiatek
On Mon, May 30, 2016 at 7:20 AM Fajar A. Nugraha wrote:

> On Mon, May 30, 2016 at 12:05 AM, Joshua Schaeffer <
> jschaeffer0...@gmail.com> wrote:
>
>>  I"m not even sure that /dev/net/tun works for unpriv containers (fuse
>> doesn't), so if that still doesn't work, you probably want to try
>> privileged container.
>
>
I have exactly the same setup so it works. I will try to recall what I did
to set up tun0 (I had the same error) and be back.

Wojtek

Re: [lxc-users] OpenVPN in Debian Jessie container

2016-05-29 Thread Fajar A. Nugraha
On Mon, May 30, 2016 at 12:05 AM, Joshua Schaeffer wrote:

> I'm trying to setup OpenVPN in an unprivileged container. The host and
> container are both Debian Jessie on LXC version 1.1.5. When I try to start
> OpenVPN I get:
>
> Sat May 28 20:55:57 2016 us=360137 ERROR: Cannot open TUN/TAP dev
> /dev/net/tun: No such file or directory (errno=2)
>
> So it makes sense that the container can't create the tun device so I
> looked around and found suggestions to add an autodev hook:
>
> lxc.cgroup.devices.deny = a
> lxc.cgroup.devices.allow = c 10:200 rwm
> lxc.hook.autodev = sh -c "modprobe tun; cd ${LXC_ROOTFS_MOUNT}/dev; mkdir
> net; mknod net/tun c 10 200; chmod 0666 net/tun"
>
>

For starters, from "man lxc.container.conf"

lxc.hook.autodev
  A hook to be run in the container's namespace after mounting
  has been done and after any mount hooks have run, but before
  the pivot_root, if lxc.autodev == 1.

You can never modprobe in an unprivileged container's namespace.

Another thing, AFAIK the hooks only accept one parameter: a script name.
So you need to have a script (e.g. /usr/local/bin/my_script) inside the
container.

My best advice is to bind-mount /dev/net/tun from the host
(lxc.mount.entry) instead of using lxc.hook.autodev, and try again. I'm not
even sure that /dev/net/tun works for unpriv containers (fuse doesn't), so
if that still doesn't work, you probably want to try a privileged container.

-- 
Fajar
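Fajar's bind-mount suggestion as a concrete config, added here as an example and not code from the thread: the failing autodev-hook fragment beside an lxc.mount.entry version, plus a small check that flags a config still relying on the hook. The lxc.mount.entry line (with create=file) and the check_tun_conf function are assumptions of mine; the container name and hook path are the ones from the thread.

```shell
#!/bin/sh
# Added example, not from the thread: the failing config beside the bind-mount
# fix, plus a check that flags configs still relying on an autodev hook.
# Container name and hook path are the ones from the thread; the temp files
# are constructed here so the check runs without LXC installed.

# What the thread tried: the hook runs as the unprivileged user, so mknod fails.
BROKEN_CONF='lxc.autodev = 1
lxc.hook.autodev = /home/lxcuser/.local/share/lxc/autodev/vpn_barracks
lxc.cgroup.devices.deny = a
lxc.cgroup.devices.allow = c 10:200 rwm'

# Bind-mount version (my line, not from the thread): the host node is mounted
# into the rootfs before pivot_root, so nothing inside the container has to
# create it. create=file lets LXC create the empty mount point. The host must
# already have the tun module loaded; the container cannot modprobe it.
FIXED_CONF='lxc.cgroup.devices.deny = a
lxc.cgroup.devices.allow = c 10:200 rwm
lxc.mount.entry = /dev/net/tun dev/net/tun none bind,create=file 0 0'

# check_tun_conf FILE: return 0 if FILE provides /dev/net/tun by bind mount
# and allows the tun device in the device cgroup; return 1 with a reason if it
# still relies on an autodev hook or lacks either line.
check_tun_conf() {
    if grep -Eq '^lxc\.hook\.autodev' "$1"; then
        echo "$1: autodev hook cannot mknod in an unprivileged container" >&2
        return 1
    fi
    if ! grep -Eq '^lxc\.mount\.entry *= */dev/net/tun +dev/net/tun +none +bind' "$1"; then
        echo "$1: no bind mount of /dev/net/tun" >&2
        return 1
    fi
    if ! grep -Eq '^lxc\.cgroup\.devices\.allow *= *c 10:200 ' "$1"; then
        echo "$1: device cgroup does not allow c 10:200 (tun)" >&2
        return 1
    fi
    return 0
}

# Constructed sample files for the two fragments above.
TMP=$(mktemp -d)
printf '%s\n' "$BROKEN_CONF" > "$TMP/broken.conf"
printf '%s\n' "$FIXED_CONF" > "$TMP/fixed.conf"

check_tun_conf "$TMP/broken.conf" || echo "broken.conf rejected as expected"
check_tun_conf "$TMP/fixed.conf" && echo "fixed.conf: ok"
```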

[lxc-users] OpenVPN in Debian Jessie container

2016-05-29 Thread Joshua Schaeffer

I'm trying to setup OpenVPN in an unprivileged container. The host and 
container are both Debian Jessie on LXC version 1.1.5. When I try to start 
OpenVPN I get:

Sat May 28 20:55:57 2016 us=360137 ERROR: Cannot open TUN/TAP dev /dev/net/tun: No such file or directory (errno=2)

So it makes sense that the container can't create the tun device so I looked 
around and found suggestions to add an autodev hook:

lxc.cgroup.devices.deny = a
lxc.cgroup.devices.allow = c 10:200 rwm
lxc.hook.autodev = sh -c "modprobe tun; cd ${LXC_ROOTFS_MOUNT}/dev; mkdir net; mknod net/tun c 10 200; chmod 0666 net/tun"

However when I try to start the container I get an error:

lxc-start -n vpn_barracks --logpriority=DEBUG

...
lxc-start 1464541270.246 INFO lxc_conf - conf.c:mount_file_entries:2150 - mount points have been setup
lxc-start 1464541270.247 INFO lxc_conf - conf.c:run_script_argv:362 - Executing script '/usr/share/lxcfs/lxc.mount.hook' for container 'vpn_barracks', config section 'lxc'
lxc-start 1464541270.332 INFO lxc_conf - conf.c:run_script_argv:362 - Executing script 'sh -c "modprobe tun; cd ${LXC_ROOTFS_MOUNT}/dev; mkdir net; mknod net/tun c 10 200; chmod 0666 net/tun"' for container 'vpn_barracks', config section 'lxc'
lxc-start 1464541270.338 ERROR lxc_conf - conf.c:run_buffer:342 - Script exited with status 1
lxc-start 1464541270.338 ERROR lxc_conf - conf.c:lxc_setup:3947 - failed to run autodev hooks for container 'vpn_barracks'.
lxc-start 1464541270.338 ERROR lxc_start - start.c:do_start:717 - failed to setup the container
lxc-start 1464541270.338 ERROR lxc_sync - sync.c:__sync_wait:51 - invalid sequence number 1. expected 2
lxc-start 1464541270.374 ERROR lxc_start - start.c:__lxc_start:1192 - failed to spawn 'vpn_barracks'
lxc-start 1464541270.430 WARN lxc_commands - commands.c:lxc_cmd_rsp_recv:172 - command get_init_pid failed to receive response
lxc-start 1464541270.431 WARN lxc_cgmanager - cgmanager.c:cgm_get:994 - do_cgm_get exited with error
lxc-start 1464541275.436 ERROR lxc_start_ui - lxc_start.c:main:344 - The container failed to start.
lxc-start 1464541275.436 ERROR lxc_start_ui - lxc_start.c:main:346 - To get more details, run the container in foreground mode.
lxc-start 1464541275.436 ERROR lxc_start_ui - lxc_start.c:main:348 - Additional information can be obtained by setting the --logfile and --logpriority options.

I'd appreciate any pointers.

Thanks,
Joshua