Re: [lxc-users] OpenVPN in Debian Jessie container
On Mon, May 30, 2016 at 09:04:26AM -0600, Joshua Schaeffer wrote:
> > For starters, from "man lxc.container.conf"
> >
> > lxc.hook.autodev
> >     A hook to be run in the container's namespace after mounting
> >     has been done and after any mount hooks have run, but before
> >     the pivot_root, if lxc.autodev == 1.
> >
> > You can never modprobe in an unprivileged container's namespace.
> >
> > Another thing, AFAIK the hooks only accept one parameter: a script name. So
> > you need to have a script (e.g. /usr/local/bin/my_script) inside the
> > container.
>
> I actually tried that already as well and it resulted in the exact same error:
>
> lxc.autodev = 1
> lxc.hook.autodev = /home/lxcuser/.local/share/lxc/autodev/vpn_barracks
> lxc.cgroup.devices.deny = a
> lxc.cgroup.devices.allow = c 10:200 rwm
>
> lxcuser@corsair:~/.local/share/lxc$ cat autodev/vpn_barracks
> #!/bin/bash
> cd ${LXC_ROOTFS_MOUNT}/dev
> mkdir net
> mknod net/tun c 10 200

This script runs as your unprivileged user, so you cannot mknod.

___
lxc-users mailing list
lxc-users@lists.linuxcontainers.org
http://lists.linuxcontainers.org/listinfo/lxc-users
Re: [lxc-users] OpenVPN in Debian Jessie container
> For starters, from "man lxc.container.conf"
>
> lxc.hook.autodev
>     A hook to be run in the container's namespace after mounting
>     has been done and after any mount hooks have run, but before
>     the pivot_root, if lxc.autodev == 1.
>
> You can never modprobe in an unprivileged container's namespace.
>
> Another thing, AFAIK the hooks only accept one parameter: a script name. So
> you need to have a script (e.g. /usr/local/bin/my_script) inside the
> container.

I actually tried that already as well and it resulted in the exact same error:

lxc.autodev = 1
lxc.hook.autodev = /home/lxcuser/.local/share/lxc/autodev/vpn_barracks
lxc.cgroup.devices.deny = a
lxc.cgroup.devices.allow = c 10:200 rwm

lxcuser@corsair:~/.local/share/lxc$ cat autodev/vpn_barracks
#!/bin/bash
cd ${LXC_ROOTFS_MOUNT}/dev
mkdir net
mknod net/tun c 10 200
chmod 0666 net/tun

lxc-start -n vpn_barracks --logpriority=DEBUG
...
lxc-start 1464620477.814 INFO lxc_conf - conf.c:run_script_argv:362 - Executing script '/usr/share/lxcfs/lxc.mount.hook' for container 'vpn_barracks', config section 'lxc'
lxc-start 1464620477.893 INFO lxc_conf - conf.c:run_script_argv:362 - Executing script '/home/lxcuser/.local/share/lxc/autodev/vpn_barracks' for container 'vpn_barracks', config section 'lxc'
lxc-start 1464620477.900 ERROR lxc_conf - conf.c:run_buffer:342 - Script exited with status 1
lxc-start 1464620477.900 ERROR lxc_conf - conf.c:lxc_setup:3947 - failed to run autodev hooks for container 'vpn_barracks'.
lxc-start 1464620477.900 ERROR lxc_start - start.c:do_start:717 - failed to setup the container
lxc-start 1464620477.900 ERROR lxc_sync - sync.c:__sync_wait:51 - invalid sequence number 1. expected 2
lxc-start 1464620477.942 ERROR lxc_start - start.c:__lxc_start:1192 - failed to spawn 'vpn_barracks'
lxc-start 1464620477.998 WARN lxc_commands - commands.c:lxc_cmd_rsp_recv:172 - command get_init_pid failed to receive response
lxc-start 1464620477.999 WARN lxc_cgmanager - cgmanager.c:cgm_get:994 - do_cgm_get exited with error
lxc-start 1464620483.004 ERROR lxc_start_ui - lxc_start.c:main:344 - The container failed to start.
lxc-start 1464620483.004 ERROR lxc_start_ui - lxc_start.c:main:346 - To get more details, run the container in foreground mode.
lxc-start 1464620483.004 ERROR lxc_start_ui - lxc_start.c:main:348 - Additional information can be obtained by setting the --logfile and --logpriority options.

Since the error was exactly the same I figured LXC was simply executing
whatever parameter lxc.hook.autodev was provided, regardless of whether it
was a file or not.

> My best advice is to bind-mount /dev/net/tun from the host (lxc.mount.entry)
> instead of using lxc.hook.autodev, and try again.
>
> I'm not even sure that /dev/net/tun works for unpriv containers (fuse
> doesn't), so if that still doesn't work, you probably want to try a
> privileged container.

Okay, thanks, I'll try this, especially after Wojtek's comments saying this
should work.

Thanks,
Joshua
Re: [lxc-users] OpenVPN in Debian Jessie container
On Mon, May 30, 2016 at 7:20 AM Fajar A. Nugraha wrote:
> On Mon, May 30, 2016 at 12:05 AM, Joshua Schaeffer <
> jschaeffer0...@gmail.com> wrote:
>
>> I'm not even sure that /dev/net/tun works for unpriv containers (fuse
>> doesn't), so if that still doesn't work, you probably want to try a
>> privileged container.
>

I have exactly the same setup so it works. I will try to recall what I did to
set up tun0 (I had the same error) and be back.

Wojtek
Re: [lxc-users] OpenVPN in Debian Jessie container
On Mon, May 30, 2016 at 12:05 AM, Joshua Schaeffer wrote:
> I'm trying to set up OpenVPN in an unprivileged container. The host and
> container are both Debian Jessie on LXC version 1.1.5. When I try to start
> OpenVPN I get:
>
> Sat May 28 20:55:57 2016 us=360137 ERROR: Cannot open TUN/TAP dev
> /dev/net/tun: No such file or directory (errno=2)
>
> So it makes sense that the container can't create the tun device so I
> looked around and found suggestions to add an autodev hook:
>
> lxc.cgroup.devices.deny = a
> lxc.cgroup.devices.allow = c 10:200 rwm
> lxc.hook.autodev = sh -c "modprobe tun; cd ${LXC_ROOTFS_MOUNT}/dev; mkdir
> net; mknod net/tun c 10 200; chmod 0666 net/tun"
>

For starters, from "man lxc.container.conf"

lxc.hook.autodev
    A hook to be run in the container's namespace after mounting
    has been done and after any mount hooks have run, but before
    the pivot_root, if lxc.autodev == 1.

You can never modprobe in an unprivileged container's namespace.

Another thing, AFAIK the hooks only accept one parameter: a script name. So
you need to have a script (e.g. /usr/local/bin/my_script) inside the
container.

My best advice is to bind-mount /dev/net/tun from the host (lxc.mount.entry)
instead of using lxc.hook.autodev, and try again.

I'm not even sure that /dev/net/tun works for unpriv containers (fuse
doesn't), so if that still doesn't work, you probably want to try a
privileged container.

-- 
Fajar
[lxc-users] OpenVPN in Debian Jessie container
I'm trying to set up OpenVPN in an unprivileged container. The host and
container are both Debian Jessie on LXC version 1.1.5. When I try to start
OpenVPN I get:

Sat May 28 20:55:57 2016 us=360137 ERROR: Cannot open TUN/TAP dev /dev/net/tun: No such file or directory (errno=2)

So it makes sense that the container can't create the tun device so I
looked around and found suggestions to add an autodev hook:

lxc.cgroup.devices.deny = a
lxc.cgroup.devices.allow = c 10:200 rwm
lxc.hook.autodev = sh -c "modprobe tun; cd ${LXC_ROOTFS_MOUNT}/dev; mkdir net; mknod net/tun c 10 200; chmod 0666 net/tun"

However when I try to start the container I get an error:

lxc-start -n vpn_barracks --logpriority=DEBUG
...
lxc-start 1464541270.246 INFO lxc_conf - conf.c:mount_file_entries:2150 - mount points have been setup
lxc-start 1464541270.247 INFO lxc_conf - conf.c:run_script_argv:362 - Executing script '/usr/share/lxcfs/lxc.mount.hook' for container 'vpn_barracks', config section 'lxc'
lxc-start 1464541270.332 INFO lxc_conf - conf.c:run_script_argv:362 - Executing script 'sh -c "modprobe tun; cd ${LXC_ROOTFS_MOUNT}/dev; mkdir net; mknod net/tun c 10 200; chmod 0666 net/tun"' for container 'vpn_barracks', config section 'lxc'
lxc-start 1464541270.338 ERROR lxc_conf - conf.c:run_buffer:342 - Script exited with status 1
lxc-start 1464541270.338 ERROR lxc_conf - conf.c:lxc_setup:3947 - failed to run autodev hooks for container 'vpn_barracks'.
lxc-start 1464541270.338 ERROR lxc_start - start.c:do_start:717 - failed to setup the container
lxc-start 1464541270.338 ERROR lxc_sync - sync.c:__sync_wait:51 - invalid sequence number 1. expected 2
lxc-start 1464541270.374 ERROR lxc_start - start.c:__lxc_start:1192 - failed to spawn 'vpn_barracks'
lxc-start 1464541270.430 WARN lxc_commands - commands.c:lxc_cmd_rsp_recv:172 - command get_init_pid failed to receive response
lxc-start 1464541270.431 WARN lxc_cgmanager - cgmanager.c:cgm_get:994 - do_cgm_get exited with error
lxc-start 1464541275.436 ERROR lxc_start_ui - lxc_start.c:main:344 - The container failed to start.
lxc-start 1464541275.436 ERROR lxc_start_ui - lxc_start.c:main:346 - To get more details, run the container in foreground mode.
lxc-start 1464541275.436 ERROR lxc_start_ui - lxc_start.c:main:348 - Additional information can be obtained by setting the --logfile and --logpriority options.

I'd appreciate any pointers.

Thanks,
Joshua
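The thread's two approaches to giving an unprivileged container a /dev/net/tun, the autodev hook that calls modprobe/mknod (which fails because the hook runs as the unprivileged user) and Fajar's suggested bind-mount from the host via lxc.mount.entry, can be checked mechanically. The script below is an added example written for this page; it is not code from the thread or from the LXC project. It assumes LXC 1.x config key names (lxc.id_map for the uid/gid map, lxc.hook.autodev, lxc.mount.entry) and writes two constructed sample configs (the failing setup from the thread and the bind-mount version) to lint them.

```shell
#!/bin/sh
# Added example, not from the thread or the LXC project: lint an LXC 1.x
# container config for how it provides /dev/net/tun. In an unprivileged
# container the autodev hook runs as the unprivileged user, so a hook that
# mknods the device or modprobes the module exits non-zero and the container
# never starts; a bind-mount of the host's /dev/net/tun is the alternative
# suggested in the thread. The sample configs below are constructed input.

# check_tun_config CONFIG_FILE
# Prints findings. Returns 0 when nothing in the config is known to fail,
# 1 when an unprivileged container relies on mknod/modprobe in its autodev
# hook or has no bind-mount of /dev/net/tun.
check_tun_config() {
    cfg="$1"
    rc=0

    # A uid/gid map means the container is unprivileged.
    unpriv=0
    grep -Eq '^[[:space:]]*lxc\.(id_map|idmap)[[:space:]]*=' "$cfg" && unpriv=1

    # The hook value may be a script path or (as in the thread) an inline
    # "sh -c ..." string; inspect the value and, if it is a file, its contents.
    hook=$(sed -n 's/^[[:space:]]*lxc\.hook\.autodev[[:space:]]*=[[:space:]]*//p' "$cfg")
    hook_text="$hook"
    [ -f "$hook" ] && hook_text="$hook_text $(cat "$hook")"

    bind=$(grep -E '^[[:space:]]*lxc\.mount\.entry[[:space:]]*=.*dev/net/tun' "$cfg" || true)

    if [ "$unpriv" -eq 1 ] && [ -n "$hook" ] &&
       printf '%s\n' "$hook_text" | grep -Eq '(^|[^[:alnum:]_])(mknod|modprobe)([^[:alnum:]_]|$)'; then
        echo "WARN: lxc.hook.autodev uses mknod/modprobe, which fails when the hook runs as the unprivileged user: $hook"
        rc=1
    fi

    if [ "$unpriv" -eq 1 ] && [ -z "$bind" ]; then
        echo "INFO: unprivileged container without a /dev/net/tun bind-mount; suggested entry:"
        echo "  lxc.mount.entry = /dev/net/tun dev/net/tun none bind,create=file 0 0"
        rc=1
    elif [ -n "$bind" ]; then
        echo "OK: /dev/net/tun is bind-mounted from the host: $bind"
    fi
    return "$rc"
}

# write_sample_configs DIR
# Writes constructed sample input: the hook-based setup from the thread
# (bad.conf plus its hook script) and the bind-mount version (good.conf).
write_sample_configs() {
    dir="$1"
    mkdir -p "$dir"
    cat > "$dir/hook.sh" <<'EOF'
#!/bin/bash
cd ${LXC_ROOTFS_MOUNT}/dev
mkdir net
mknod net/tun c 10 200
chmod 0666 net/tun
EOF
    cat > "$dir/bad.conf" <<EOF
lxc.id_map = u 0 100000 65536
lxc.id_map = g 0 100000 65536
lxc.autodev = 1
lxc.hook.autodev = $dir/hook.sh
lxc.cgroup.devices.deny = a
lxc.cgroup.devices.allow = c 10:200 rwm
EOF
    cat > "$dir/good.conf" <<'EOF'
lxc.id_map = u 0 100000 65536
lxc.id_map = g 0 100000 65536
lxc.autodev = 1
lxc.mount.entry = /dev/net/tun dev/net/tun none bind,create=file 0 0
EOF
}

# Stand-alone demo: lint both constructed configs.
demo=$(mktemp -d)
write_sample_configs "$demo"
for c in bad good; do
    echo "== $c.conf"
    check_tun_config "$demo/$c.conf" || echo "   -> $c.conf needs changes"
done
rm -rf "$demo"
```

A container with no uid/gid map is treated as privileged and is not flagged, since there mknod in the hook can succeed; the lint only encodes what the thread establishes, not whether tun ultimately works in a given unprivileged setup.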