tun devices in ve 4 (lxc)

Discussion in 'Proxmox VE: Installation and configuration' started by gimpbully, Sep 4, 2015.

  1. gimpbully

    gimpbully New Member

    Joined:
    Aug 7, 2015
    Messages:
    17
    Likes Received:
    0
    What is the 'proxmox way' of adding a tun device to an lxc container on boot?

    I tried putting "lxc.cgroup.devices.allow = c 10:200 rwm" in the config for the container, but the gui was pretty upset about that, said it was an invalid key. I currently have a mknod stuffed in the openvpn init script of the container, but I'm hoping there's a far cleaner way.
     
  2. dietmar

    dietmar Proxmox Staff Member
    Staff Member

    Joined:
    Apr 28, 2005
    Messages:
    16,450
    Likes Received:
    308
    We recently changed the configuration parser, and the new one allows you to add that. Code is in git ...
     
  3. QuaxEros

    QuaxEros New Member

    Joined:
    Oct 13, 2014
    Messages:
    1
    Likes Received:
    0
    Adding "lxc.cgroup.devices.allow = c 10:200 rwm" to the container's config file (or ~lxc/CTID.conf) didn't work for me either.
    I had to start an lxc.hook script (thanks to the heider.io blog post: heider.io/blog/2013/10/26/openvpn-in-a-lxc-container )
    Like this:
    For this, create a script named autodev in /var/lib/lxc/yourcontainer/
    Code:
    #!/bin/bash

    cd ${LXC_ROOTFS_MOUNT}/dev
    mkdir net
    mknod net/tun c 10 200
    chmod 0666 net/tun
    
    and make it executable:
    Code:
    chmod +x autodev
    
    Then add this
    Code:
    lxc.hook.autodev=/var/lib/lxc/yourcontainer/autodev
    (or for Proxmox CTID.conf - lxc.hook.autodev: /var/lib/lxc/yourcontainer/autodev )

    # /dev/net/tun
    lxc.cgroup.devices.allow = c 10:200 rwm
    (or for Proxmox CTID.conf - lxc.cgroup.devices.allow: c 10:200 rwm )
    
    to /var/lib/lxc/yourcontainer/config,
    or to /etc/pve/~lxc/yourcontainer.conf for Proxmox 4.x
     
  4. z0mt3c

    z0mt3c New Member

    Joined:
    Nov 3, 2015
    Messages:
    1
    Likes Received:
    0
    Thanks ;-)
     
  5. eth

    eth Member

    Joined:
    Feb 24, 2016
    Messages:
    50
    Likes Received:
    1
    Warning!!! Do not use this solution - it will cause your proxmox to break - you will lose SSH access to your system.
    For some reason using autodev causes a bug to appear: https://forum.proxmox.com/threads/pct-start-killed-my-whole-proxmox-server-again.26468/
     
  6. eth

    eth Member

    Joined:
    Feb 24, 2016
    Messages:
    50
    Likes Received:
    1
    I found a solution for how to do a clean start of openvpn inside LXC.

    First, in proxmox, alter /etc/pve/lxc/[ID].conf where ID is the ID of your LXC
    Code:
    cat >> /etc/pve/lxc/[ID].conf << EOL
    lxc.cgroup.devices.allow = c 10:200 rwm
    EOL
    
    OR!!! If you want to set this option automatically for ALL LXC containers, do:
    Code:
    cat > /usr/share/lxc/config/common.conf.d/02-openvpn.conf << EOL
    lxc.cgroup.devices.allow = c 10:200 rwm
    EOL
    
    Then inside the lxc:

    Code:
    cat >> /etc/rc.local << EOL
    if ! [ -d /dev/net ];then
    mkdir /dev/net
    fi
    if ! [ -c /dev/net/tun ]; then
    mknod /dev/net/tun c 10 200
    chmod 666 /dev/net/tun
    fi
    EOL
    
    Then restart the lxc (pct shutdown [id], pct start [id]).
    After that you can cleanly start openvpn. It might not start on boot through /etc/init.d/openvpn, because /etc/rc.local is processed after all scripts have finished booting, so start openvpn manually or through monit.
     
    #6 eth, Mar 12, 2016
    Last edited: Mar 12, 2016
    Daniel Hunsaker likes this.
  7. fabian

    fabian Proxmox Staff Member
    Staff Member

    Joined:
    Jan 7, 2016
    Messages:
    3,207
    Likes Received:
    498
    That openvpn script probably interfered with our own autodev hook. Your workaround seems to work, but be careful what device nodes you allow your container to create and use, because you might create security risks there.
     
  8. eth

    eth Member

    Joined:
    Feb 24, 2016
    Messages:
    50
    Likes Received:
    1
    Nope. Tried this on a new proxmox machine. Died.

    Code:
    root@pve2:~# cat > /usr/share/lxc/config/common.conf.d/02-openvpn.conf << EOL
    > lxc.cgroup.devices.allow = c 10:200 rwm
    > EOL
    root@pve2:~#
    root@pve2:~#
    root@pve2:~#
    root@pve2:~#
    root@pve2:~# pct start 103
    (long wait)
    
    And we're gone at this point (https://forum.proxmox.com/threads/pct-start-killed-my-whole-proxmox-server-again.26468/). Proxmox is dead and needs a reboot. This is a really weird bug.
     
  9. pascal

    pascal New Member

    Joined:
    Dec 21, 2015
    Messages:
    8
    Likes Received:
    1
    I just started using LXC containers on a test node and also wanted to get an OpenVPN server started on CentOS 7. I tried using the solution offered by "eth" and while my proxmox doesn't lock up I can't get the /dev/net/tun device to show up in the container.
    Code:
    root@pve:~# pveversion
    pve-manager/4.1-1/2f9650d4 (running kernel: 4.2.6-1-pve)
    
    root@pve:~# cat /usr/share/lxc/config/common.conf.d/02-openvpn.conf
    lxc.cgroup.devices.allow = c 10:200 rwm
    
    root@pve:~# vi /var/log/messages
    ....
    Apr 20 16:31:05 pve pct[4893]: <root@pam> starting task UPID:pve:00001322:0004F406:571792A9:vzstart:222:root@pam:
    Apr 20 16:31:06 pve kernel: [ 3246.933757] EXT4-fs (loop2): mounted filesystem with ordered data mode. Opts: (null)
    Apr 20 16:31:06 pve kernel: [ 3246.970314] IPv6: ADDRCONF(NETDEV_UP): veth222i0: link is not ready
    Apr 20 16:31:07 pve kernel: [ 3247.673211] device veth222i0 entered promiscuous mode
    Apr 20 16:31:07 pve kernel: [ 3247.719272] eth0: renamed from vethUX7Y8C
    Apr 20 16:31:07 pve pct[4893]: <root@pam> end task UPID:pve:00001322:0004F406:571792A9:vzstart:222:root@pam: OK
    Apr 20 16:31:07 pve kernel: [ 3247.832929] audit: type=1400 audit(1461162667.473:31): apparmor="DENIED" operation="mount" info="failed type match" error=-13 profile="lxc-container-default" name="/sys/fs/cgroup/" pid=4945 comm="systemd" flags="ro, nosuid, nodev, noexec, remount, strictatime"
    Apr 20 16:31:07 pve kernel: [ 3248.003540] audit: type=1400 audit(1461162667.641:32): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-container-default" name="/" pid=5130 comm="mount" flags="rw, remount"
    Apr 20 16:31:08 pve kernel: [ 3248.494853] audit: type=1400 audit(1461162668.133:33): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-container-default" name="/" pid=5301 comm="(openvpn)" flags="rw, rslave"
    Apr 20 16:31:08 pve kernel: [ 3248.803830] IPv6: ADDRCONF(NETDEV_CHANGE): veth222i0: link becomes ready
    Apr 20 16:31:08 pve kernel: [ 3248.803873] vmbr0: port 4(veth222i0) entered forwarding state
    Apr 20 16:31:08 pve kernel: [ 3248.803895] vmbr0: port 4(veth222i0) entered forwarding state
    
    Edit: Never mind, for some reason the rc.local just isn't executed (it has +x). If I manually create the dir and mknod it works after restarting the ovpn service.
     
    #9 pascal, Apr 20, 2016
    Last edited: Apr 21, 2016
  10. Daniel Hunsaker

    Daniel Hunsaker New Member

    Joined:
    Aug 14, 2013
    Messages:
    5
    Likes Received:
    0
    Check your rc.local file. There's probably an exit 0 in there, before the code to create the tun node, which you'll want to move to the bottom of the file instead. That should fix the issue.
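
    An added example, not code posted by anyone in this thread, tying together eth's procedure in post 6, fabian's caveat in post 7 and Daniel Hunsaker's rc.local point in post 10: a POSIX sh script with an idempotent /dev/net/tun setup, a check-and-fix for an "exit 0" that sits above the mknod lines in rc.local, and an audit that flags a container config whose device allow list is broader than the single 10:200 character device. The function names, the verification via GNU stat, and the sample rc.local and ct.conf files are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the thread: an idempotent /dev/net/tun setup for
# an LXC guest, a check for the rc.local "exit 0" ordering problem, and an
# audit of the host-side device allow list. The files used by the demo at the
# bottom are constructed in a temporary directory; no real /dev is touched.

# Major and minor of the TUN/TAP clone device (the "c 10:200" in the thread).
TUN_MAJOR=10
TUN_MINOR=200

# Create $devdir/net/tun only when it is missing, so the function can run on
# every boot without failing on "File exists", then confirm it really is the
# expected character device (GNU stat prints major:minor in hex: 10 -> a,
# 200 -> c8). Needs CAP_MKNOD in the container and the cgroup allow on the host.
ensure_tun_device() {
    devdir="${1:-/dev}"
    [ -d "$devdir/net" ] || mkdir -p "$devdir/net" || return 1
    if [ ! -c "$devdir/net/tun" ]; then
        mknod "$devdir/net/tun" c "$TUN_MAJOR" "$TUN_MINOR" || return 1
        chmod 0666 "$devdir/net/tun" || return 1
    fi
    [ "$(stat -c '%t:%T' "$devdir/net/tun" 2>/dev/null)" = "a:c8" ]
}

# Return 0 if rc.local ($1) has an "exit 0" line before the first line that
# mentions /dev/net/tun. That is what "cat >> /etc/rc.local" produces when the
# stock file already ends in "exit 0": the appended mknod lines never run.
rc_local_exit_before_tun() {
    awk '
        /^[ \t]*exit[ \t]+0[ \t]*$/ { if (!seen_tun) early = 1 }
        /\/dev\/net\/tun/            { seen_tun = 1 }
        END { if (early) exit 0; exit 1 }
    ' "$1"
}

# Rewrite rc.local ($1) so the only "exit 0" is the last line, which is the
# fix proposed in the thread.
move_exit_to_end() {
    tmp="$1.tmp.$$"
    awk '!/^[ \t]*exit[ \t]+0[ \t]*$/' "$1" > "$tmp" || return 1
    printf 'exit 0\n' >> "$tmp" && mv "$tmp" "$1"
}

# Print every device allow line in a container config ($1) that grants more
# than one specific device (the "a" all-devices form or a wildcard major or
# minor), accepting both "key = value" (lxc) and "key: value" (Proxmox)
# spellings seen in the thread. Returns 0 when only specific devices are
# allowed, 1 when a broad rule was found.
audit_device_allows() {
    awk '
        /^[ \t]*lxc\.cgroup2?\.devices\.allow[ \t]*[=:]/ {
            sub(/^[^=:]*[=:][ \t]*/, "")
            if ($0 ~ /^a([ \t]|$)/ || $0 ~ /\*/) { print "broad allow: " $0; broad = 1 }
        }
        END { if (broad) exit 1; exit 0 }
    ' "$1"
}

# Demo on constructed files only.
demo_dir=$(mktemp -d)
printf '%s\n' '#!/bin/sh' 'exit 0' 'mkdir -p /dev/net' 'mknod /dev/net/tun c 10 200' \
    > "$demo_dir/rc.local"
if rc_local_exit_before_tun "$demo_dir/rc.local"; then
    echo "rc.local: exit 0 precedes the tun setup, moving it to the end"
    move_exit_to_end "$demo_dir/rc.local"
fi
printf '%s\n' 'lxc.cgroup.devices.allow: c 10:200 rwm' > "$demo_dir/ct.conf"
audit_device_allows "$demo_dir/ct.conf" && echo "ct.conf: only specific devices allowed"
rm -rf "$demo_dir"
```

    Run audit_device_allows against /etc/pve/lxc/<ID>.conf on the host before starting a container whose config you have edited by hand; ensure_tun_device is meant to be called as root inside the guest (for example from rc.local, after the exit 0 has been moved) and returns non-zero if the node could not be created or is not the 10:200 device.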
     
  11. naisanza

    naisanza Member

    Joined:
    Aug 11, 2016
    Messages:
    31
    Likes Received:
    1
    The /etc/rc.local script does not work with restarting the openvpn service after creating the tunnel

    Code:
    cd /dev
    mkdir net
    mknod net/tun c 10 200
    chmod 0666 net/tun
    
    service openvpn restart
    
    exit 0
    
     
  12. naisanza

    naisanza Member

    Joined:
    Aug 11, 2016
    Messages:
    31
    Likes Received:
    1
    I just have a while loop running when the container restarts, it seems to work pretty well for me right now

    Code:
    #!/bin/bash
    
    # Restart openvpn on reboot
    
    while true; do
            ps -ef| grep -v grep | grep /etc/openvpn/server.conf 2>/dev/null >/dev/null
            if [ ! "$?" == 0 ]; then
                    echo "[*] Restarting OpenVPN service..."
                    service openvpn restart
                    sleep 1
            else
                    echo "[*] OpenVPN service running..."
                    break
            fi
    done
    
     