[SOLVED] PVE v4.4 OpenVPN apparmor DENIED

naisanza (Member), Aug 11, 2016
PVE: 4.4
Image: Ubuntu 16.10


I'm following the tutorial for setting up OpenVPN here: https://hungred.com/how-to/setup-openvpn-on-proxmox-lxc/. This worked just fine in PVE 4.2, and I have set up 3 OpenVPN servers this way, but it no longer seems to work in PVE 4.4.

I've added to /etc/pve/lxc/120.conf:
Code:
lxc.cgroup.devices.allow = c 10:200 rwm
lxc.hook.autodev = sh -c "modprobe tun; cd ${LXC_ROOTFS_MOUNT}/dev; mkdir net; mknod net/tun c 10 200; chmod 0666 net/tun"

dmesg log:
Code:
[2053374.497576] audit: type=1400 audit(1488740049.904:149): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-container-default-cgns" name="/" pid=8577 comm="(openvpn)" flags="rw, rslave"

openvpn service status after start:
Code:
* openvpn.service - OpenVPN service
Loaded: loaded (/lib/systemd/system/openvpn.service; enabled; vendor preset: enabled)
Active: active (exited) since Sun 2017-03-05 19:04:29 UTC; 1min 44s ago
Process: 506 ExecStart=/bin/true (code=exited, status=0/SUCCESS)
Main PID: 506 (code=exited, status=0/SUCCESS)
Tasks: 0 (limit: 4915)
CGroup: /system.slice/openvpn.service
Mar 05 19:04:29 vpn04-world3 systemd[1]: Starting OpenVPN service...
Mar 05 19:04:29 vpn04-world3 systemd[1]: Started OpenVPN service.
Mar 05 19:04:29 vpn04-world3 systemd[1]: openvpn.service: Failed to reset devices.list: Opera

/etc/pve/lxc/120.conf:
Code:
root@world:~# cat /etc/pve/lxc/120.conf
arch: amd64
cores: 8
hostname: vpn04-world3
memory: 512
net0: name=eth0,bridge=vmbr3,hwaddr=92:B3:C8:A1:DC:41,ip=dhcp,type=veth
ostype: ubuntu
rootfs: containers:subvol-120-disk-1,size=8G
swap: 512
lxc.cgroup.devices.allow = c 10:200 rwm
lxc.hook.autodev = sh -c "modprobe tun; cd ${LXC_ROOTFS_MOUNT}/dev; mkdir net; mknod net/tun c 10 200; chmod 0666 net/tun"

/var/lib/lxc/120/config:
Code:
root@world:~# cat /var/lib/lxc/120/config
lxc.arch = amd64
lxc.include = /usr/share/lxc/config/ubuntu.common.conf
lxc.monitor.unshare = 1
lxc.tty = 2
lxc.environment = TERM=linux
lxc.utsname = vpn04-world3
lxc.cgroup.memory.limit_in_bytes = 536870912
lxc.cgroup.memory.memsw.limit_in_bytes = 1073741824
lxc.cgroup.cpu.shares = 1024
lxc.rootfs = /var/lib/lxc/120/rootfs
lxc.network.type = veth
lxc.network.veth.pair = veth120i0
lxc.network.hwaddr = 92:B3:C8:A1:DC:41
lxc.network.name = eth0
lxc.cgroup.devices.allow = c 10:200 rwm
lxc.hook.autodev = sh -c "modprobe tun; cd ${LXC_ROOTFS_MOUNT}/dev; mkdir net; mknod net/tun c 10 200; chmod 0666 net/tun"
lxc.cgroup.cpuset.cpus = 0-7
 
The apparmor error does not seem to affect running OpenVPN. The service is able to run and create a listening socket.
 
Just tried the same way, but the container does not start, so I removed
Code:
lxc.hook.autodev = sh -c "modprobe tun; cd ${LXC_ROOTFS_MOUNT}/dev; mkdir net; mknod net/tun c 10 200; chmod 0666 net/tun"

rebooted the container and tried it inside the container. It says:
Code:
# modprobe tun
modprobe: ERROR: ../libkmod/libkmod.c:586 kmod_search_moddep() could not open moddep file '/lib/modules/4.4.40-1-pve/modules.dep.bin'
modprobe: FATAL: Module tun not found in directory /lib/modules/4.4.40-1-pve

Is it required to somehow enable the "tun" module on the Proxmox host?


Thanks
 
Just tried the same way,
but container does not start,

Did you add the lines to /etc/pve/lxc/<container>.conf?
Did you create it as a Privileged Container?

I think you can add it to the container.conf in either of the ways below (either with a "=" or a ":"), and both ways still create a /var/lib/lxc/container/config that works.

Code:
lxc.cgroup.devices.allow = c 10:200 rwm
lxc.hook.autodev = sh -c "modprobe tun; cd ${LXC_ROOTFS_MOUNT}/dev; mkdir net; mknod net/tun c 10 200; chmod 0666 net/tun"

Code:
lxc.cgroup.devices.allow: c 10:200 rwm
lxc.hook.autodev: sh -c "modprobe tun; cd ${LXC_ROOTFS_MOUNT}/dev; mkdir net; mknod net/tun c 10 200; chmod 0666 net/tun"
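As an added example, not code from any post in this thread: a small POSIX sh script with three checks for the setup discussed above. tun_lines_present confirms that a container config carries both lines in either the "=" or the ":" form; apparmor_denials pulls the profile, operation, process and path out of AppArmor audit lines in the format of the dmesg line posted above; and check_tun_node verifies that the node the hook creates is the character device 10:200 with the mode the hook sets. The sample config and the sample audit line are constructed for the demo, and the script assumes Linux with GNU or busybox stat.

```shell
#!/bin/sh
# Added example for this thread (not code posted by anyone above).
# Three checks for the OpenVPN-in-LXC setup: the config lines, the AppArmor
# audit line in dmesg, and the resulting /dev/net/tun node.
# Assumes Linux with GNU or busybox stat; all sample data below is constructed.

# Return 0 if a PVE container config has both lines the thread adds,
# accepting either "key = value" or "key: value" separators.
# Usage: tun_lines_present /etc/pve/lxc/120.conf
tun_lines_present() {
    grep -Eq '^lxc\.cgroup\.devices\.allow[[:space:]]*[=:][[:space:]]*c[[:space:]]+10:200[[:space:]]+rwm' "$1" &&
    grep -Eq '^lxc\.hook\.autodev[[:space:]]*[=:].*mknod[[:space:]]+net/tun[[:space:]]+c[[:space:]]+10[[:space:]]+200' "$1"
}

# Pull one key="value" field out of an audit line; the leading blank keeps
# "name" from matching inside a longer key such as "hostname".
audit_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\"\([^\"]*\)\".*/\1/p"
}

# Read dmesg / journalctl -k lines on stdin and print
# "profile operation comm name" for every apparmor="DENIED" event.
apparmor_denials() {
    while IFS= read -r line; do
        case "$line" in *'apparmor="DENIED"'*) ;; *) continue ;; esac
        printf '%s %s %s %s\n' "$(audit_field "$line" profile)" \
            "$(audit_field "$line" operation)" "$(audit_field "$line" comm)" \
            "$(audit_field "$line" name)"
    done
}

# Verify a device node is the tun char device (major 10, minor 200) and warn
# if its mode is not the 0666 the hook sets. Run inside the container, or on
# the host against "$LXC_ROOTFS_MOUNT/dev/net/tun".
check_tun_node() {
    node="${1:-/dev/net/tun}"
    [ -c "$node" ] || { echo "$node: missing or not a character device" >&2; return 1; }
    major=$((0x$(stat -c %t "$node")))
    minor=$((0x$(stat -c %T "$node")))
    if [ "$major" -ne 10 ] || [ "$minor" -ne 200 ]; then
        echo "$node: is $major:$minor, expected 10:200" >&2
        return 1
    fi
    mode=$(stat -c %a "$node")
    [ "$mode" = 666 ] || echo "$node: mode $mode, hook sets 0666" >&2
    return 0
}

# Constructed sample config carrying the thread's two lines in colon form.
write_sample_conf() {
    cat > "$1" <<'EOF'
arch: amd64
hostname: vpn04-world3
ostype: ubuntu
lxc.cgroup.devices.allow: c 10:200 rwm
lxc.hook.autodev: sh -c "modprobe tun; cd ${LXC_ROOTFS_MOUNT}/dev; mkdir net; mknod net/tun c 10 200; chmod 0666 net/tun"
EOF
}

# Constructed audit line in the format of the dmesg output posted above.
SAMPLE_DMESG='[2053374.497576] audit: type=1400 audit(1488740049.904:149): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-container-default-cgns" name="/" pid=8577 comm="(openvpn)" flags="rw, rslave"'

# Demo run against the constructed data and the local /dev/net/tun.
tmp=$(mktemp)
write_sample_conf "$tmp"
if tun_lines_present "$tmp"; then echo "sample config: tun lines present"; else echo "sample config: tun lines missing"; fi
rm -f "$tmp"
printf '%s\n' "$SAMPLE_DMESG" | apparmor_denials
if check_tun_node /dev/net/tun; then echo "/dev/net/tun: ok"; fi
```

Run it on the host as "sh check-tun.sh" after the container is up, then copy it into the container and run it again; the config check only applies on the host, while the device-node check is the one that matters inside the container.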
 
