[SOLVED] PPP on multiple containers not working

Mar 29, 2019
Hi,

I am trying to get PPPoE running on multiple containers. I have it running on my first container without any issues. Getting it up and running on the second one gives issues.

My initial setup for container 1:

Loaded the following modules on the host server and added them to /etc/modules.
modprobe tun
modprobe ppp-compress-18
modprobe ppp_mppe
modprobe ppp_deflate
modprobe ppp_async
modprobe pppoatm
modprobe ppp_generic

I added the following statement to the container config file under /var/lib/lxc/ct1/config
lxc.cgroup.devices.allow = c 108:0 rwm
This allows the use of /dev/ppp

Via a startup script I create the /dev/ppp device as it isn't auto created at boot.
mknod /dev/ppp c 108 0

All of this works fine, now adding the same allow statement to a second container config file doesn't work well as this lxc.cgroup.devices.allow line disappears after every reboot. I have created a 3rd container to check and there I have the same issue. Shutting down the first container also doesn't help to get it running on the 2nd or 3rd container.
This results in following log under /var/log/pppd.log:
Couldn't open the /dev/ppp device: Operation not permitted
pppd: Sorry - this system lacks PPP kernel support

I am running Proxmox VE 5.3-11

Any help or insight on why this happens is highly appreciated!

Thanks,
Shane
 
hi.

> I added the following statement to the container config file under /var/lib/lxc/ct1/config
that's the first mistake. config edits should be done in /etc/pve/lxc/CTID.conf or they won't be persistent.
that's probably why your stuff is disappearing from the container configs after reboot.

> lxc.cgroup.devices.allow = c 108:0 rwm
also i think that may not be needed.

Code:
lxc.cap.keep = net_admin
lxc.mount.entry: /dev/ppp dev/ppp none bind,create=file
at the end of the container config should be enough.

also if your containers are unprivileged, you'll want to set the owner:group correctly outside of the host, since otherwise it'll have nobody:nobody and won't work[0].

> Loaded the following modules on the host server and added them to /etc/modules.
> modprobe tun
> modprobe ppp-compress-18
> modprobe ppp_mppe
> modprobe ppp_deflate
> modprobe ppp_async
> modprobe pppoatm
> modprobe ppp_generic

also idk if these ones are necessary. which guide are you following? maybe it's old.

[0]: https://forum.proxmox.com/threads/unprivileged-lxc-with-ppp.51928/#post-241213
 
Hi Oguz,

Thanks for the quick response!

> that's the first mistake. config edits should be done in /etc/pve/lxc/CTID.conf or they won't be persistent.
> that's probably why your stuff is disappearing from the container configs after reboot.
That is exactly what was going wrong and what I was overlooking.

Code:
lxc.cap.keep = net_admin
lxc.mount.entry: /dev/ppp dev/ppp none bind,create=file

With the cap.keep my container won't boot no more and with the mount entry the /dev/ppp still gives Operation not permitted.
On the other hand adding lxc.cgroup.devices.allow = c 108:0 rwm to the config file makes my PPPoE connection work.

> which guide are you following? maybe it's old.
I was following my own guide that I made after getting my first container up and running. Apparently I made some mistakes in there.
I was asking myself the wrong questions as it looked like proxmox was not able to share /dev/ppp of the host between containers which it definitely can now.

Thanks for the help!
Shane
 
hi.

> With the cap.keep my container won't boot no more and with the mount entry the /dev/ppp still gives Operation not permitted.

i think the "Operation not permitted" appears because /dev/ppp needs CAP_NET_ADMIN and those won't be transferred into an unprivileged container normally. can you run `getcap /dev/ppp` to see if it has the capabilities needed? also the user:group might be causing the permission denied.

but if everything works now, you can just leave it as is.

> Thanks for the help!
you're very welcome. you can mark this thread [SOLVED] if you edit your first post.
 
Hi Oguz,

> i think the "Operation not permitted" appears because /dev/ppp needs CAP_NET_ADMIN and those won't be transferred into an unprivileged container normally. can you run `getcap /dev/ppp` to see if it has the capabilities needed? also the user:group might be causing the permission denied.

The getcap /dev/ppp returns nothing for me, also I am running privileged containers. user:group is root:root for me.
I will leave it as is for now. It's working perfect for me.
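
Added example (not written by any poster in this thread, and not Proxmox's own tooling): a shell check that reports, for each container config in a directory, whether the `c 108:0` device rule discussed above sits in the active part of the file. It assumes the /etc/pve/lxc/CTID.conf location named in the thread and that `[name]` headers start snapshot or pending sections below the active settings; the sample configs and CTIDs 101-103 are constructed.

```shell
#!/usr/bin/env bash
# Added example: which container configs actively allow char device 108:0 (/dev/ppp)?

# Print lxc.cgroup.devices.allow values from the ACTIVE part of a config file.
# Assumption: "[name]" headers start snapshot/pending sections, so a line
# appended below one does not apply to the running container.
active_device_rules() {
    awk '
        /^\[/      { exit }                  # first section header: stop reading
        /^[ \t]*#/ { next }                  # skip comment lines
        /^lxc\.cgroup\.devices\.allow[ \t]*[:=]/ {
            sub(/^[^:=]*[:=][ \t]*/, "")     # drop key and separator
            sub(/[ \t]+$/, "")               # drop trailing whitespace
            print
        }' "$1"
}

# Succeed if the active config allows char device 108:0.
allows_ppp() {
    active_device_rules "$1" | grep -Eq '^c[[:space:]]+108:0[[:space:]]+[rwm]+$'
}

# One line per <CTID>.conf in a directory: allowed, inactive-section or missing.
audit_dir() {
    local f id
    for f in "$1"/*.conf; do
        [ -e "$f" ] || continue
        id=$(basename "$f" .conf)
        if allows_ppp "$f"; then
            echo "$id allowed"
        elif grep -Eq '^lxc\.cgroup\.devices\.allow[[:space:]]*[:=][[:space:]]*c[[:space:]]+108:0' "$f"; then
            echo "$id inactive-section"
        else
            echo "$id missing"
        fi
    done
}

# Constructed sample configs (CTIDs 101-103 are made up for this example).
make_samples() {
    local d; d=$(mktemp -d)
    printf 'hostname: ct1\nlxc.cgroup.devices.allow = c 108:0 rwm\n' > "$d/101.conf"
    printf 'hostname: ct2\n[snap1]\nlxc.cgroup.devices.allow = c 108:0 rwm\n' > "$d/102.conf"
    printf 'hostname: ct3\n' > "$d/103.conf"
    echo "$d"
}

audit_dir "$(make_samples)"   # real use: audit_dir /etc/pve/lxc
```

The `allowed` list is also a quick inventory of which containers hold `rwm` access to the host's PPP device, which is worth reviewing whenever a container is added or repurposed.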
 
