tun devices in ve 4 (lxc)

gimpbully (New Member, joined Aug 7, 2015):

What is the 'proxmox way' of adding a tun device to an lxc container on boot?

I tried putting "lxc.cgroup.devices.allow = c 10:200 rwm" in the config for the container, but the GUI was pretty upset about that and said it was an invalid key. I currently have a mknod stuffed in the openvpn init script of the container, but I'm hoping there's a far cleaner way.
 

QuaxEros (New Member, joined Oct 13, 2014, France):

Adding "lxc.cgroup.devices.allow = c 10:200 rwm" to the container's config file (or /etc/pve/lxc/CTID.conf) didn't work for me either.
I had to start an lxc.hook script (thanks to the heider.io blog post: heider.io/blog/2013/10/26/openvpn-in-a-lxc-container).
Like this:
For this, create a script named autodev in /var/lib/lxc/yourcontainer/:
Code:
#!/bin/bash
# lxc.hook.autodev runs on the host with the container's root filesystem
# mounted at $LXC_ROOTFS_MOUNT; create the tun node there before the guest boots.
cd "${LXC_ROOTFS_MOUNT}/dev" || exit 1
mkdir -p net
[ -c net/tun ] || mknod net/tun c 10 200
chmod 0666 net/tun

and make it executable:
Code:
chmod +x autodev

Then add this
Code:
lxc.hook.autodev = /var/lib/lxc/yourcontainer/autodev

# /dev/net/tun
lxc.cgroup.devices.allow = c 10:200 rwm
to /var/lib/lxc/yourcontainer/config.
For Proxmox 4.x the same two lines go into /etc/pve/lxc/yourcontainer.conf, written with a colon instead of "=":
Code:
lxc.hook.autodev: /var/lib/lxc/yourcontainer/autodev
lxc.cgroup.devices.allow: c 10:200 rwm
 

eth (Member, joined Feb 24, 2016):

I found a solution how to do a clean start of openvpn inside LXC.

First, in proxmox, alter /etc/pve/lxc/[ID].conf where ID is the ID of your LXC
Code:
cat >> /etc/pve/lxc/[ID].conf << EOL
lxc.cgroup.devices.allow = c 10:200 rwm
EOL
OR!!! If you want to set this option automatically for ALL LXC containers, do:
Code:
cat > /usr/share/lxc/config/common.conf.d/02-openvpn.conf << EOL
lxc.cgroup.devices.allow = c 10:200 rwm
EOL
Then inside the lxc:

Code:
cat >> /etc/rc.local << EOL
if ! [ -d /dev/net ]; then
    mkdir /dev/net
fi
if ! [ -c /dev/net/tun ]; then
    mknod /dev/net/tun c 10 200
    chmod 666 /dev/net/tun
fi
EOL
Then restart the lxc (pct shutdown [id], pct start [id]).
After that you can cleanly start openvpn. It might not start on boot through /etc/init.d/openvpn, because /etc/rc.local is processed after all scripts have finished booting, so start openvpn manually or through monit.
 

fabian (Proxmox Staff Member, joined Jan 7, 2016):

That openvpn script probably interfered with our own autodev hook. Your workaround seems to work, but be careful what device nodes you allow your container to create and use, because you might create security risks there.
 

eth (Member, joined Feb 24, 2016):

> That openvpn script probably interfered with our own autodev hook. Your workaround seems to work, but be careful what device nodes you allow your container to create and use, because you might create security risks there.
Nope. Tried this on a new proxmox machine. Died.

Code:
root@pve2:~# cat > /usr/share/lxc/config/common.conf.d/02-openvpn.conf << EOL
> lxc.cgroup.devices.allow = c 10:200 rwm
> EOL
root@pve2:~#
root@pve2:~# pct start 103
(long wait)
And we're gone at this point (https://forum.proxmox.com/threads/pct-start-killed-my-whole-proxmox-server-again.26468/). Proxmox is dead and needs a reboot. This is a really weird bug.
 

pascal (New Member, joined Dec 21, 2015):

I just started using LXC containers on a test node and also wanted to get an OpenVPN server started on CentOS 7. I tried using the solution offered by "eth" and while my proxmox doesn't lock up I can't get the /dev/net/tun device to show up in the container.
Code:
root@pve:~# pveversion
pve-manager/4.1-1/2f9650d4 (running kernel: 4.2.6-1-pve)

root@pve:~# cat /usr/share/lxc/config/common.conf.d/02-openvpn.conf
lxc.cgroup.devices.allow = c 10:200 rwm

root@pve:~# vi /var/log/messages
....
Apr 20 16:31:05 pve pct[4893]: <root@pam> starting task UPID:pve:00001322:0004F406:571792A9:vzstart:222:root@pam:
Apr 20 16:31:06 pve kernel: [ 3246.933757] EXT4-fs (loop2): mounted filesystem with ordered data mode. Opts: (null)
Apr 20 16:31:06 pve kernel: [ 3246.970314] IPv6: ADDRCONF(NETDEV_UP): veth222i0: link is not ready
Apr 20 16:31:07 pve kernel: [ 3247.673211] device veth222i0 entered promiscuous mode
Apr 20 16:31:07 pve kernel: [ 3247.719272] eth0: renamed from vethUX7Y8C
Apr 20 16:31:07 pve pct[4893]: <root@pam> end task UPID:pve:00001322:0004F406:571792A9:vzstart:222:root@pam: OK
Apr 20 16:31:07 pve kernel: [ 3247.832929] audit: type=1400 audit(1461162667.473:31): apparmor="DENIED" operation="mount" info="failed type match" error=-13 profile="lxc-container-default" name="/sys/fs/cgroup/" pid=4945 comm="systemd" flags="ro, nosuid, nodev, noexec, remount, strictatime"
Apr 20 16:31:07 pve kernel: [ 3248.003540] audit: type=1400 audit(1461162667.641:32): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-container-default" name="/" pid=5130 comm="mount" flags="rw, remount"
Apr 20 16:31:08 pve kernel: [ 3248.494853] audit: type=1400 audit(1461162668.133:33): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-container-default" name="/" pid=5301 comm="(openvpn)" flags="rw, rslave"
Apr 20 16:31:08 pve kernel: [ 3248.803830] IPv6: ADDRCONF(NETDEV_CHANGE): veth222i0: link becomes ready
Apr 20 16:31:08 pve kernel: [ 3248.803873] vmbr0: port 4(veth222i0) entered forwarding state
Apr 20 16:31:08 pve kernel: [ 3248.803895] vmbr0: port 4(veth222i0) entered forwarding state
Edit: Never mind, for some reason the rc.local just isn't executed (it has +x). If I manually create the dir and mknod it works after restarting the ovpn service.
 

Daniel Hunsaker (New Member, joined Aug 14, 2013):

> Edit: Never mind, for some reason the rc.local just isn't executed (it has +x). If I manually create the dir and mknod it works after restarting the ovpn service.
Check your rc.local file. There's probably an exit 0 in there, before the code to create the tun node, which you'll want to move to the bottom of the file instead. That should fix the issue.
 

naisanza (Member, joined Aug 11, 2016):

The /etc/rc.local script does not work with restarting the openvpn service after creating the tunnel

Code:
cd /dev
mkdir net
mknod net/tun c 10 200
chmod 0666 net/tun

service openvpn restart

exit 0
 

naisanza (Member, joined Aug 11, 2016):

I just have a while loop running when the container restarts, it seems to work pretty well for me right now

Code:
#!/bin/bash

# Restart openvpn on reboot: keep restarting until the server process shows up

while true; do
        if ! pgrep -f /etc/openvpn/server.conf >/dev/null 2>&1; then
                echo "[*] Restarting OpenVPN service..."
                service openvpn restart
                sleep 1
        else
                echo "[*] OpenVPN service running..."
                break
        fi
done
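The autodev hook, the rc.local snippet, the misplaced `exit 0` and the restart loop in the posts above all chase the same two conditions: the node must exist with the right major/minor before OpenVPN starts, and creating it must be safe to repeat. The following added example (not code from this thread, from Proxmox or from OpenVPN) is one script that serves both uses, as an lxc.hook.autodev script on the host and as a boot script inside the guest. The file paths, the "setup" argument and the `service openvpn` name are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the thread, from Proxmox or from OpenVPN:
# an idempotent /dev/net/tun setup that verifies the node before anything
# tries to use it. As an lxc.hook.autodev script on the host it creates the
# node under $LXC_ROOTFS_MOUNT/dev; inside the guest (no LXC_ROOTFS_MOUNT)
# it works on /dev and only then restarts OpenVPN. Paths, the "setup"
# argument and the service name are this example's own conventions.

TUN_MAJOR=10
TUN_MINOR=200

# tun_node_ok DIR: 0 only when DIR/net/tun is a character device with
# major 10 and minor 200 (stat prints them in hex: "a c8"). A plain file or
# a node with the wrong numbers, which mknod happily creates, is rejected.
tun_node_ok() {
    node="$1/net/tun"
    [ -c "$node" ] || return 1
    [ "$(stat -c '%t %T' "$node" 2>/dev/null)" = "a c8" ]
}

# ensure_tun_node DIR: create DIR/net/tun if it is missing or wrong.
# Returns 0 on success; 1 when mknod fails, which inside a container means
# the cgroup whitelist lacks "c 10:200 rwm" or CAP_MKNOD has been dropped.
ensure_tun_node() {
    dir="$1"
    tun_node_ok "$dir" && return 0
    # Replace a stale regular file or mis-numbered node rather than fail.
    [ -e "$dir/net/tun" ] && rm -f "$dir/net/tun"
    mkdir -p "$dir/net" || return 1
    mknod -m 0666 "$dir/net/tun" c "$TUN_MAJOR" "$TUN_MINOR" 2>/dev/null || return 1
    tun_node_ok "$dir"
}

# in_autodev_hook: 0 when lxc is running this file as a hook on the host.
in_autodev_hook() {
    [ -n "${LXC_ROOTFS_MOUNT:-}" ]
}

# setup_tun: entry point. As a hook it only creates the node; inside the
# guest it creates the node and then (re)starts OpenVPN, so the service is
# never started before the device exists.
setup_tun() {
    if in_autodev_hook; then
        devdir="$LXC_ROOTFS_MOUNT/dev"
    else
        devdir=/dev
    fi
    if ! ensure_tun_node "$devdir"; then
        echo "[!] cannot create $devdir/net/tun (check lxc.cgroup.devices.allow)" >&2
        return 1
    fi
    echo "[*] $devdir/net/tun is ready"
    if ! in_autodev_hook && command -v service >/dev/null 2>&1; then
        service openvpn restart
    fi
}

# Usage:
#   host:  lxc.hook.autodev: /var/lib/lxc/CTID/tun-setup.sh
#   guest: /usr/local/sbin/tun-setup.sh setup   (in /etc/rc.local, above exit 0)
# Run without either trigger, the file only defines the functions.
if in_autodev_hook || [ "${1:-}" = setup ]; then
    setup_tun
    exit $?
fi
```

Inside the guest, call it from /etc/rc.local above the final `exit 0` (the ordering problem noted in the thread), or from whatever starts OpenVPN; it refuses to report success when the node exists but carries the wrong major/minor, which a bare `mknod` in an init script cannot tell apart from success, and a non-zero exit tells you the cgroup whitelist is the thing to fix.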
 
