tun devices in ve 4 (lxc)

gimpbully

Aug 7, 2015
What is the 'proxmox way' of adding a tun device to an lxc container on boot?

I tried putting "lxc.cgroup.devices.allow = c 10:200 rwm" in the config for the container, but the gui was pretty upset about that, said it was an invalid key. I currently have a mknod stuffed in the openvpn init script of the container, but I'm hoping there's a far cleaner way.
 
Adding "lxc.cgroup.devices.allow = c 10:200 rwm" to the container's config file (or ~lxc/CTID.conf) didn't work for me either.
I had to use an lxc.hook script (thanks to the heider.io blog post: heider.io/blog/2013/10/26/openvpn-in-a-lxc-container ).
Like this:
For this, create a script named autodev in /var/lib/lxc/yourcontainer/

#!/bin/bash
# lxc.hook.autodev: LXC runs this on the host before the container starts,
# with LXC_ROOTFS_MOUNT pointing at the container's mounted root filesystem.
cd "${LXC_ROOTFS_MOUNT}/dev" || exit 1
mkdir -p net
mknod net/tun c 10 200
chmod 0666 net/tun

and make it executable:
chmod +x autodev

Then add this

lxc.hook.autodev=/var/lib/lxc/yourcontainer/autodev
(or for Proxmox CTID.conf - lxc.hook.autodev: /var/lib/lxc/yourcontainer/autodev )

# /dev/net/tun
lxc.cgroup.devices.allow = c 10:200 rwm
(or for Proxmox CTID.conf - lxc.cgroup.devices.allow: c 10:200 rwm )

to /var/lib/lxc/yourcontainer/config, or to /etc/pve/~lxc/yourcontainer.conf for Proxmox 4.x.
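A more defensive version of the autodev hook described above, added here as an example (not code from this thread, from the heider.io post, or from Proxmox). It creates only the one node the container needs, refuses to replace an existing path that is not a character device, and is safe to run on every container start. The hook path and the LXC_ROOTFS_MOUNT variable are as used in the thread; the helper function names are my own.

```shell
#!/bin/sh
# Idempotent lxc.hook.autodev script (added example). LXC runs it on the host
# with LXC_ROOTFS_MOUNT set to the container's mounted root filesystem.

TUN_MAJOR=10
TUN_MINOR=200

# tun_node_state DEVDIR: print "missing", "chardev" or "other" for DEVDIR/net/tun.
tun_node_state() {
    node="$1/net/tun"
    if [ ! -e "$node" ]; then
        echo missing
    elif [ -c "$node" ]; then
        echo chardev
    else
        echo other
    fi
}

# ensure_tun_node DEVDIR: create DEVDIR/net/tun (char 10:200, mode 0666) if it
# is missing. Returns 0 when the node exists afterwards, 1 when a non-device
# path is already in the way (it is never clobbered) or creation fails.
ensure_tun_node() {
    devdir=$1
    node="$devdir/net/tun"
    mkdir -p "$devdir/net" || return 1
    case "$(tun_node_state "$devdir")" in
        chardev) return 0 ;;                      # nothing to do, already there
        other)
            echo "refusing: $node exists but is not a character device" >&2
            return 1 ;;
    esac
    # Only the tun node is allowed; no other device is created by this hook.
    mknod -m 0666 "$node" c "$TUN_MAJOR" "$TUN_MINOR"
}

# Hook entry point: act only when invoked by LXC (LXC_ROOTFS_MOUNT is set).
if [ -n "$LXC_ROOTFS_MOUNT" ]; then
    ensure_tun_node "$LXC_ROOTFS_MOUNT/dev"
fi
```

Install it as the autodev hook exactly as in the post above (make it executable and reference it with lxc.hook.autodev), and keep the matching lxc.cgroup.devices.allow line so the container may actually open the node once it exists.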
 
I found a solution how to do a clean start of openvpn inside LXC.

First, in proxmox, alter /etc/pve/lxc/[ID].conf where ID is the ID of your LXC
Code:
cat >> /etc/pve/lxc/[ID].conf << EOL
lxc.cgroup.devices.allow = c 10:200 rwm
EOL

OR!!! If you want to set this option automatically for ALL LXC containers, do:
Code:
cat > /usr/share/lxc/config/common.conf.d/02-openvpn.conf << EOL
lxc.cgroup.devices.allow = c 10:200 rwm
EOL

Then inside the lxc:

Code:
cat >> /etc/rc.local << EOL
if ! [ -d /dev/net ]; then
    mkdir /dev/net
fi
if ! [ -c /dev/net/tun ]; then
    mknod /dev/net/tun c 10 200
    chmod 666 /dev/net/tun
fi
EOL

Then restart the lxc (pct shutdown [id], pct start [id]).
After that you can cleanly start openvpn. It might not start on boot through /etc/init.d/openvpn, because /etc/rc.local is processed after all scripts have finished booting, so start openvpn manually or through monit.
 
That openvpn script probably interfered with our own autodev hook. Your workaround seems to work, but be careful what device nodes you allow your container to create and use, because you might create security risks there.
 
> That openvpn script probably interfered with our own autodev hook. Your workaround seems to work, but be careful what device nodes you allow your container to create and use, because you might create security risks there.

Nope. Tried this on a new proxmox machine. Died.

Code:
root@pve2:~# cat > /usr/share/lxc/config/common.conf.d/02-openvpn.conf << EOL
> lxc.cgroup.devices.allow = c 10:200 rwm
> EOL
root@pve2:~#
root@pve2:~#
root@pve2:~#
root@pve2:~#
root@pve2:~# pct start 103
(long wait)

And we're gone at this point (https://forum.proxmox.com/threads/pct-start-killed-my-whole-proxmox-server-again.26468/). Proxmox is dead and needs a reboot. This is a really weird bug.
 
I just started using LXC containers on a test node and also wanted to get an OpenVPN server started on CentOS 7. I tried using the solution offered by "eth" and while my proxmox doesn't lock up I can't get the /dev/net/tun device to show up in the container.
Code:
root@pve:~# pveversion
pve-manager/4.1-1/2f9650d4 (running kernel: 4.2.6-1-pve)

root@pve:~# cat /usr/share/lxc/config/common.conf.d/02-openvpn.conf
lxc.cgroup.devices.allow = c 10:200 rwm

root@pve:~# vi /var/log/messages
....
Apr 20 16:31:05 pve pct[4893]: <root@pam> starting task UPID:pve:00001322:0004F406:571792A9:vzstart:222:root@pam:
Apr 20 16:31:06 pve kernel: [ 3246.933757] EXT4-fs (loop2): mounted filesystem with ordered data mode. Opts: (null)
Apr 20 16:31:06 pve kernel: [ 3246.970314] IPv6: ADDRCONF(NETDEV_UP): veth222i0: link is not ready
Apr 20 16:31:07 pve kernel: [ 3247.673211] device veth222i0 entered promiscuous mode
Apr 20 16:31:07 pve kernel: [ 3247.719272] eth0: renamed from vethUX7Y8C
Apr 20 16:31:07 pve pct[4893]: <root@pam> end task UPID:pve:00001322:0004F406:571792A9:vzstart:222:root@pam: OK
Apr 20 16:31:07 pve kernel: [ 3247.832929] audit: type=1400 audit(1461162667.473:31): apparmor="DENIED" operation="mount" info="failed type match" error=-13 profile="lxc-container-default" name="/sys/fs/cgroup/" pid=4945 comm="systemd" flags="ro, nosuid, nodev, noexec, remount, strictatime"
Apr 20 16:31:07 pve kernel: [ 3248.003540] audit: type=1400 audit(1461162667.641:32): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-container-default" name="/" pid=5130 comm="mount" flags="rw, remount"
Apr 20 16:31:08 pve kernel: [ 3248.494853] audit: type=1400 audit(1461162668.133:33): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-container-default" name="/" pid=5301 comm="(openvpn)" flags="rw, rslave"
Apr 20 16:31:08 pve kernel: [ 3248.803830] IPv6: ADDRCONF(NETDEV_CHANGE): veth222i0: link becomes ready
Apr 20 16:31:08 pve kernel: [ 3248.803873] vmbr0: port 4(veth222i0) entered forwarding state
Apr 20 16:31:08 pve kernel: [ 3248.803895] vmbr0: port 4(veth222i0) entered forwarding state

Edit: Nevermind, for some reason the rc.local just isn't executed (it has +x). If I manually create the dir and mknod it works after restarting the ovpn service.
 
> Edit: Nevermind, for some reason the rc.local just isn't executed (it has +x). If I manually create the dir and mknod it works after restarting the ovpn service.

Check your rc.local file. There's probably an exit 0 in there, before the code to create the tun node, which you'll want to move to the bottom of the file instead. That should fix the issue.
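A small check for the ordering problem described in the reply above, added here as an example and not code from this thread: the first function reports whether an "exit 0" line comes before the lines that create /dev/net/tun, and the second prints a copy of the file with every "exit 0" moved to the bottom. The function names are my own.

```shell
# rc_local_exit_before_tun FILE: succeed (exit 0) when an "exit 0" (or bare
# "exit") line appears before the first line that mentions mknod or /dev/net,
# i.e. when the tun-creation code would never run.
rc_local_exit_before_tun() {
    awk '
        /^[[:space:]]*exit([[:space:]]+0)?[[:space:]]*$/ && !seen_tun { found = 1; exit }
        /mknod|\/dev\/net/ { seen_tun = 1 }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# fix_rc_local FILE: print FILE without its "exit 0" lines, then a single
# "exit 0" at the end, so the device-creation lines run before the script exits.
fix_rc_local() {
    awk '!/^[[:space:]]*exit([[:space:]]+0)?[[:space:]]*$/' "$1"
    echo 'exit 0'
}
```

Run "rc_local_exit_before_tun /etc/rc.local" inside the container; if it succeeds, write the output of "fix_rc_local /etc/rc.local" to a new file, review it, and put it in place.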
 
The /etc/rc.local script does not work with restarting the openvpn service after creating the tunnel

Code:
cd /dev
mkdir net
mknod net/tun c 10 200
chmod 0666 net/tun

service openvpn restart

exit 0
 
I just have a while loop running when the container restarts; it seems to work pretty well for me right now.

Code:
#!/bin/bash

# Restart openvpn on reboot: keep retrying until a process using
# /etc/openvpn/server.conf shows up, then stop polling.

while true; do
        if ! ps -ef | grep -v grep | grep -q /etc/openvpn/server.conf; then
                echo "[*] Restarting OpenVPN service..."
                service openvpn restart
                sleep 1
        else
                echo "[*] OpenVPN service running..."
                break
        fi
done
 
