
I have been trying to get OpenVPN working in an LXD-managed LXC container on Ubuntu 16.04. I have added the tun device to the container config via lxc config edit container and it is properly created. I have run

lxc config set mycontainer raw.lxc 'lxc.cgroup.devices.allow = c 10:200 rwm'

and it shows up in the container config, but when I run

systemctl start openvpn@server.service

I get this in my error log:

Jul 13 09:52:56 lb systemd[1]: Failed to reset devices.list on /system.slice/system-openvpn.slice/openvpn@server.service: Operation not permitted
Jul 13 09:52:56 lb systemd[1]: Failed to set devices.allow on /system.slice/system-openvpn.slice/openvpn@server.service: Operation not permitted
Jul 13 09:52:56 lb systemd[1]: Failed to set devices.allow on /system.slice/system-openvpn.slice/openvpn@server.service: Operation not permitted
Jul 13 09:52:56 lb systemd[1]: Failed to set devices.allow on /system.slice/system-openvpn.slice/openvpn@server.service: Operation not permitted
Jul 13 09:52:56 lb systemd[1]: Failed to set devices.allow on /system.slice/system-openvpn.slice/openvpn@server.service: Operation not permitted
Jul 13 09:52:56 lb systemd[1]: Failed to set devices.allow on /system.slice/system-openvpn.slice/openvpn@server.service: Operation not permitted
Jul 13 09:52:56 lb systemd[1]: Failed to set devices.allow on /system.slice/system-openvpn.slice/openvpn@server.service: Operation not permitted
Jul 13 09:52:56 lb systemd[1]: Failed to set devices.allow on /system.slice/system-openvpn.slice/openvpn@server.service: Operation not permitted
Jul 13 09:52:56 lb systemd[1]: Failed to set devices.allow on /system.slice/system-openvpn.slice/openvpn@server.service: Operation not permitted
Jul 13 09:52:56 lb systemd[1]: Failed to set devices.allow on /system.slice/system-openvpn.slice/openvpn@server.service: Operation not permitted
Jul 13 09:52:56 lb systemd[1]: Failed to set devices.allow on /system.slice/system-openvpn.slice/openvpn@server.service: Operation not permitted
Jul 13 09:52:56 lb systemd[1]: Starting OpenVPN connection to server...
-- Subject: Unit openvpn@server.service has begun start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- Unit openvpn@server.service has begun starting up.
Jul 13 09:52:56 lb systemd[1]: Failed to reset devices.list on /system.slice/ondemand.service: Operation not permitted

Here is my container config:

$ lxc config show --expanded lb
name: lb
profiles:
- default
config:
  raw.lxc: lxc.cgroup.devices.allow = c 10:200 rwm
  volatile.base_image: f452cda3bccb2903e56d53e402b9d35334b4276783d098a879be5d74b04e62e2
  volatile.eth0.hwaddr: xx:xx:xx:xx:xx:xx
  volatile.eth1.name: eth1
  volatile.last_state.idmap: '[{"Isuid":true,"Isgid":false,"Hostid":231072,"Nsid":0,"Maprange":65536},{"Isuid":false,"Isgid":true,"Hostid":165536,"Nsid":0,"Maprange":65536}]'
devices:
  eth0:
    name: eth0
    nictype: bridged
    parent: lxdbr0
    type: nic
  eth1:
    hwaddr: xx:xx:xx:xx:xx:xx
    nictype: bridged
    parent: lxdbr1
    type: nic
  root:
    path: /
    type: disk
  tun:
    path: /dev/net/tun
    type: unix-char
ephemeral: false

And the files in /dev/net:

$ ll /dev/net
total 0
drwxr-xr-x 2 root root      60 Jul 13 09:36 ./
drwxr-xr-x 9 root root     480 Jul 13 09:36 ../
crw-rw-rw- 1 root root 10, 200 Jul 13 09:36 tun
  • Already asked & answered. Check [this answer](http://askubuntu.com/questions/650471/how-do-i-allow-dev-net-tun-in-a-lxd-managed-lxc-container). – OttoEisen Jul 13 '16 at 17:36
  • @OttoEisen Thanks but I have already tried what was suggested in that answer. I put the tun device in directly via the config instead of using the command, but as you can see from the `config show` output, the result was the same. – Quentin Skousen Jul 13 '16 at 17:52
  • "via the config" meaning I used `lxc config edit container` – Quentin Skousen Jul 13 '16 at 18:05
  • 1
    Possible duplicate of [Systemd fails to start openvpn in lxd managed 16.04 container](http://askubuntu.com/questions/747023/systemd-fails-to-start-openvpn-in-lxd-managed-16-04-container) – Quentin Skousen Jul 22 '16 at 21:08

1 Answer


You still have a raw.lxc object. And according to the poster (see Edit1) he did exactly the same, didn't work, used "device add" and it worked. Give it a try...

  • OttoEisen - Your fix didn't make any change, but led me through a Google search to http://askubuntu.com/q/747023/124222 and the answer there solved my question! So, you got me there in the end... Thanks! – Quentin Skousen Jul 13 '16 at 19:50
  • I guess I should probably delete this question since it has already been answered there... Or should I leave it up to make it easier to find on search? – Quentin Skousen Jul 13 '16 at 19:52
  • 1
    There is a way to mark questions as duplicate. Then you get a notification at the top with a link to the already answered question, but I'm not sure how that works. Maybe "Flag" but that sounds so serious... Also: Thanks for the accept. – OttoEisen Jul 15 '16 at 00:00