[SOLVED] PVE v4.4 OpenVPN apparmor DENIED

naisanza

Member
Aug 11, 2016
PVE: 4.4
Image: Ubuntu 16.10


I'm following the tutorial for setting up OpenVPN, here: https://hungred.com/how-to/setup-openvpn-on-proxmox-lxc/. This worked just fine in PVE 4.2, and I have set up 3 OpenVPN servers this way, but it no longer seems to work in PVE 4.4.

I've added to /etc/pve/lxc/120.conf:
Code:
lxc.cgroup.devices.allow = c 10:200 rwm
lxc.hook.autodev = sh -c "modprobe tun; cd ${LXC_ROOTFS_MOUNT}/dev; mkdir net; mknod net/tun c 10 200; chmod 0666 net/tun"

dmesg log:
Code:
[2053374.497576] audit: type=1400 audit(1488740049.904:149): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-container-default-cgns" name="/" pid=8577 comm="(openvpn)" flags="rw, rslave"

openvpn service status after start:
Code:
* openvpn.service - OpenVPN service
Loaded: loaded (/lib/systemd/system/openvpn.service; enabled; vendor preset: enabled)
Active: active (exited) since Sun 2017-03-05 19:04:29 UTC; 1min 44s ago
Process: 506 ExecStart=/bin/true (code=exited, status=0/SUCCESS)
Main PID: 506 (code=exited, status=0/SUCCESS)
Tasks: 0 (limit: 4915)
CGroup: /system.slice/openvpn.service
Mar 05 19:04:29 vpn04-world3 systemd[1]: Starting OpenVPN service...
Mar 05 19:04:29 vpn04-world3 systemd[1]: Started OpenVPN service.
Mar 05 19:04:29 vpn04-world3 systemd[1]: openvpn.service: Failed to reset devices.list: Opera

/etc/pve/lxc/120.conf:
Code:
root@world:~# cat /etc/pve/lxc/120.conf
arch: amd64
cores: 8
hostname: vpn04-world3
memory: 512
net0: name=eth0,bridge=vmbr3,hwaddr=92:B3:C8:A1:DC:41,ip=dhcp,type=veth
ostype: ubuntu
rootfs: containers:subvol-120-disk-1,size=8G
swap: 512
lxc.cgroup.devices.allow = c 10:200 rwm
lxc.hook.autodev = sh -c "modprobe tun; cd ${LXC_ROOTFS_MOUNT}/dev; mkdir net; mknod net/tun c 10 200; chmod 0666 net/tun"

/var/lib/lxc/120/config:
Code:
root@world:~# cat /var/lib/lxc/120/config
lxc.arch = amd64
lxc.include = /usr/share/lxc/config/ubuntu.common.conf
lxc.monitor.unshare = 1
lxc.tty = 2
lxc.environment = TERM=linux
lxc.utsname = vpn04-world3
lxc.cgroup.memory.limit_in_bytes = 536870912
lxc.cgroup.memory.memsw.limit_in_bytes = 1073741824
lxc.cgroup.cpu.shares = 1024
lxc.rootfs = /var/lib/lxc/120/rootfs
lxc.network.type = veth
lxc.network.veth.pair = veth120i0
lxc.network.hwaddr = 92:B3:C8:A1:DC:41
lxc.network.name = eth0
lxc.cgroup.devices.allow = c 10:200 rwm
lxc.hook.autodev = sh -c "modprobe tun; cd ${LXC_ROOTFS_MOUNT}/dev; mkdir net; mknod net/tun c 10 200; chmod 0666 net/tun"
lxc.cgroup.cpuset.cpus = 0-7
 
The apparmor error does not seem to affect running OpenVPN. The service is able to run and create a listening socket.
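To make the dmesg line in the post above easier to read, here is a small parser and triage helper written for this thread (it is not code from the post or from Proxmox). It splits an AppArmor audit record into its key="value" fields, keeps only DENIED events, and flags a comm written in parentheses, which is how systemd names the child it has forked for a unit before that child execs the real program; that fits the note that OpenVPN itself still runs. The sample input is the quoted line plus one constructed ALLOWED line so the filter has something to skip.

```python
import re

# Constructed sample input. The first line is the denial quoted in the post above;
# the second is a made-up ALLOWED event so the filter has something to skip.
SAMPLE_DMESG = """\
[2053374.497576] audit: type=1400 audit(1488740049.904:149): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-container-default-cgns" name="/" pid=8577 comm="(openvpn)" flags="rw, rslave"
[2053380.000000] audit: type=1400 audit(1488740055.000:150): apparmor="ALLOWED" operation="open" profile="lxc-container-default-cgns" name="/etc/openvpn/server.conf" pid=8600 comm="openvpn"
"""

# AppArmor audit records are a flat list of key="value" pairs after the audit(...) stamp.
KV_RE = re.compile(r'(\w+)="([^"]*)"')
STAMP_RE = re.compile(r'audit\((\d+\.\d+):(\d+)\)')


def parse_audit_line(line):
    """Split one dmesg/journal line into its apparmor fields; None if it is not an AppArmor record."""
    if 'apparmor=' not in line:
        return None
    fields = dict(KV_RE.findall(line))
    stamp = STAMP_RE.search(line)
    if stamp:
        fields['timestamp'] = float(stamp.group(1))   # seconds since the epoch
        fields['serial'] = int(stamp.group(2))        # audit record serial
    return fields


def is_systemd_child(comm):
    """systemd renames the child it forks for a unit to "(name)" until that child execs
    the real binary, so a parenthesised comm means the denial hit service setup,
    not the program itself."""
    return comm.startswith('(') and comm.endswith(')')


def triage(text):
    """Return one summary dict per DENIED record, ready to hand to a reviewer."""
    denied = []
    for line in text.splitlines():
        fields = parse_audit_line(line)
        if not fields or fields.get('apparmor') != 'DENIED':
            continue
        comm = fields.get('comm', '')
        denied.append({
            'serial': fields.get('serial'),
            'profile': fields.get('profile'),
            'operation': fields.get('operation'),
            'target': fields.get('name'),
            'flags': fields.get('flags'),
            'comm': comm,
            'from_systemd_setup': is_systemd_child(comm),
        })
    return denied


if __name__ == '__main__':
    for event in triage(SAMPLE_DMESG):
        print(event)
```

Feed it the output of `dmesg` or `journalctl -k` from the host. On the line quoted here it reports profile lxc-container-default-cgns, operation mount on target /, flags rw, rslave, comm (openvpn), and from_systemd_setup True.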
 
Just tried the same way, but the container does not start, so I removed
Code:
lxc.hook.autodev = sh -c "modprobe tun; cd ${LXC_ROOTFS_MOUNT}/dev; mkdir net; mknod net/tun c 10 200; chmod 0666 net/tun"

rebooted the container and tried it inside the container; it says:
Code:
# modprobe tun
modprobe: ERROR: ../libkmod/libkmod.c:586 kmod_search_moddep() could not open moddep file '/lib/modules/4.4.40-1-pve/modules.dep.bin'
modprobe: FATAL: Module tun not found in directory /lib/modules/4.4.40-1-pve

Is it required to somehow enable the "tun" module on the Proxmox host?


Thanks
 
Just tried the same way,
but container does not start,

Did you add the lines to /etc/pve/lxc/<container>.conf?
Did you create it as a Privileged Container?

I think you can add it to the container.conf in either of the ways below (either with a "=" or a ":") and both ways still create a /var/lib/lxc/container/config that works.

Code:
lxc.cgroup.devices.allow = c 10:200 rwm
lxc.hook.autodev = sh -c "modprobe tun; cd ${LXC_ROOTFS_MOUNT}/dev; mkdir net; mknod net/tun c 10 200; chmod 0666 net/tun"

Code:
lxc.cgroup.devices.allow: c 10:200 rwm
lxc.hook.autodev: sh -c "modprobe tun; cd ${LXC_ROOTFS_MOUNT}/dev; mkdir net; mknod net/tun c 10 200; chmod 0666 net/tun"
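As an added example (not code from the thread or from Proxmox), here is a checker that reads a PVE container config and confirms the two lines above are present in either spelling. It accepts both the `key = value` and `key: value` forms mentioned in the reply, verifies the devices.allow entry covers the TUN device (char 10:200 with rwm), verifies the autodev hook actually creates net/tun, and also reads the `unprivileged:` key that PVE writes for unprivileged containers, since the reply asks whether the container was created privileged. It only reports; it does not edit anything, and it notes when the hook leaves the node mode 0666. The sample configs are constructed, with placeholder hostnames.

```python
import re

# Constructed sample configs in the shape shown in the thread (hostnames are placeholders).
# The first uses the "key: value" spelling and has everything in place.
SAMPLE_CONF_COLON = """\
arch: amd64
hostname: vpn-example
unprivileged: 0
lxc.cgroup.devices.allow: c 10:200 rwm
lxc.hook.autodev: sh -c "modprobe tun; cd ${LXC_ROOTFS_MOUNT}/dev; mkdir net; mknod net/tun c 10 200; chmod 0666 net/tun"
"""

# The second uses the "key = value" spelling, lacks the autodev hook, and is unprivileged.
SAMPLE_CONF_MISSING = """\
arch: amd64
hostname: vpn-example
unprivileged: 1
lxc.cgroup.devices.allow = c 10:200 rwm
"""

# A directive is a dotted key, then either ':' or '=', then the rest of the line.
DIRECTIVE_RE = re.compile(r'^\s*([A-Za-z0-9_.]+)\s*[:=]\s*(.*?)\s*$')


def parse_conf(text):
    """Parse 'key: value' and 'key = value' lines into (key, value) pairs, in file order."""
    pairs = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith('#'):
            continue
        m = DIRECTIVE_RE.match(line)
        if m:
            pairs.append((m.group(1), m.group(2)))
    return pairs


def allows_tun(value):
    """True if a devices.allow value grants read, write and mknod on char device 10:200."""
    parts = value.split()
    return len(parts) == 3 and parts[0] == 'c' and parts[1] == '10:200' and set('rwm') <= set(parts[2])


def check_tun_setup(text):
    """Return findings about whether this container config is set up for /dev/net/tun."""
    values = {}
    for key, value in parse_conf(text):
        values.setdefault(key, []).append(value)
    allow = values.get('lxc.cgroup.devices.allow', [])
    hooks = values.get('lxc.hook.autodev', [])
    findings = {
        'tun_device_allowed': any(allows_tun(v) for v in allow),
        'autodev_creates_tun': any('mknod' in h and 'net/tun' in h and '10 200' in h for h in hooks),
        # PVE marks unprivileged containers with "unprivileged: 1"; the last value wins.
        'unprivileged': values.get('unprivileged', ['0'])[-1] == '1',
        # The hook from the tutorial chmods the node to 0666; report it so a reviewer sees it.
        'world_writable_node': any('chmod 0666' in h for h in hooks),
    }
    findings['ok'] = (findings['tun_device_allowed']
                      and findings['autodev_creates_tun']
                      and not findings['unprivileged'])
    return findings


if __name__ == '__main__':
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONF_COLON
    for name, result in check_tun_setup(text).items():
        print(f'{name}: {result}')
```

Run it as `python3 check_tun.py /etc/pve/lxc/120.conf` on the host (the file name is an assumption). The checker reads the config only; loading the tun module on the host is still done by the hook's own `modprobe tun`, which runs on the host before the hook changes into the container rootfs.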