[lxc-users] OpenVPN in Debian Jessie container

Joshua Schaeffer jschaeffer0922 at gmail.com
Mon May 30 15:04:26 UTC 2016


> For starters, from "man lxc.container.conf"
>
> lxc.hook.autodev
>                A hook to be run in the container's namespace after mounting
>                has been done and after any mount hooks have run, but before
>                the pivot_root, if lxc.autodev == 1.
>
> You can never modprobe in unprivileged container's namespace.
>
> Another thing, AFAIK the hooks only accept one parameter: a script name. So you need to have a script (e.g. /usr/local/bin/my_script) inside the container.
>
I actually tried that already as well and it resulted in the exact same error:

lxc.autodev = 1
lxc.hook.autodev = /home/lxcuser/.local/share/lxc/autodev/vpn_barracks
lxc.cgroup.devices.deny = a
lxc.cgroup.devices.allow = c 10:200 rwm

lxcuser at corsair:~/.local/share/lxc$ cat autodev/vpn_barracks
#!/bin/bash
# Autodev hook: runs in the container's mount namespace before pivot_root;
# LXC_ROOTFS_MOUNT is the container rootfs as mounted on the host.
set -e
cd "${LXC_ROOTFS_MOUNT}/dev"
mkdir -p net
# TUN/TAP clone device: character device, major 10, minor 200
mknod net/tun c 10 200
chmod 0666 net/tun

lxc-start -n vpn_barracks --logpriority=DEBUG

...
lxc-start 1464620477.814 INFO     lxc_conf - conf.c:run_script_argv:362 - Executing script '/usr/share/lxcfs/lxc.mount.hook' for container 'vpn_barracks', config section 'lxc'
lxc-start 1464620477.893 INFO     lxc_conf - conf.c:run_script_argv:362 - Executing script '/home/lxcuser/.local/share/lxc/autodev/vpn_barracks' for container 'vpn_barracks', config section 'lxc'
lxc-start 1464620477.900 ERROR    lxc_conf - conf.c:run_buffer:342 - Script exited with status 1
lxc-start 1464620477.900 ERROR    lxc_conf - conf.c:lxc_setup:3947 - failed to run autodev hooks for container 'vpn_barracks'.
lxc-start 1464620477.900 ERROR    lxc_start - start.c:do_start:717 - failed to setup the container
lxc-start 1464620477.900 ERROR    lxc_sync - sync.c:__sync_wait:51 - invalid sequence number 1. expected 2
lxc-start 1464620477.942 ERROR    lxc_start - start.c:__lxc_start:1192 - failed to spawn 'vpn_barracks'
lxc-start 1464620477.998 WARN     lxc_commands - commands.c:lxc_cmd_rsp_recv:172 - command get_init_pid failed to receive response
lxc-start 1464620477.999 WARN     lxc_cgmanager - cgmanager.c:cgm_get:994 - do_cgm_get exited with error
lxc-start 1464620483.004 ERROR    lxc_start_ui - lxc_start.c:main:344 - The container failed to start.
lxc-start 1464620483.004 ERROR    lxc_start_ui - lxc_start.c:main:346 - To get more details, run the container in foreground mode.
lxc-start 1464620483.004 ERROR    lxc_start_ui - lxc_start.c:main:348 - Additional information can be obtained by setting the --logfile and --logpriority options.

Since the error was exactly the same I figured LXC was simply executing whatever parameter lxc.hook.autodev was provided, regardless of whether it was a file or not.

> My best advice is to bind-mount /dev/net/tun from the host (lxc.mount.entry) instead of using lxc.hook.autodev, and try again. I'm not even sure that /dev/net/tun works for unpriv containers (fuse doesn't), so if that still doesn't work, you probably want to try a privileged container.
>

Okay, thanks, I'll try this, especially after Wojtek's comments saying this should work.

Thanks,
Joshua
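As an added example (not from this thread or from the LXC project; the helper names are my own): a small POSIX shell pre-flight check for the device-related lines of an unprivileged container config. It catches the two things that go wrong above: an lxc.hook.autodev value that is not an executable file (LXC just runs the string and reports the exit status) and a missing devices-cgroup allow rule for the TUN device, and it recognises the bind-mount alternative (lxc.mount.entry with dev/net/tun) suggested in the reply. It assumes the config is a file given as the first argument.

```shell
#!/bin/sh
# Hypothetical pre-flight check for /dev/net/tun provisioning in an LXC config.
# Usage: sh tun_preflight.sh /path/to/container/config

# Print every value of config key $1 found in file $2, one per line, trimmed.
lxc_conf_values() {
    key=$(printf '%s' "$1" | sed 's/\./\\./g')   # escape dots for the regex
    sed -n "s/^[[:space:]]*$key[[:space:]]*=[[:space:]]*//p" "$2" | sed 's/[[:space:]]*$//'
}

# 0 if the devices cgroup whitelists the TUN char device (major 10, minor 200).
tun_cgroup_allowed() {
    grep -Eq '^[[:space:]]*lxc\.cgroup\.devices\.allow[[:space:]]*=[[:space:]]*c[[:space:]]+10:200[[:space:]]+[rwm]+' "$1"
}

# Print how dev/net/tun is provided: bind-mount, autodev-hook, or none (rc 1).
tun_provision_method() {
    if grep -Eq '^[[:space:]]*lxc\.mount\.entry[[:space:]]*=.*dev/net/tun' "$1"; then
        echo bind-mount; return 0
    fi
    if grep -Eq '^[[:space:]]*lxc\.hook\.autodev[[:space:]]*=' "$1"; then
        echo autodev-hook; return 0
    fi
    echo none; return 1
}

# 0 only if every lxc.hook.autodev value names an existing executable file.
autodev_hooks_executable() {
    rc=0
    while IFS= read -r h; do
        [ -n "$h" ] || continue
        if [ -f "$h" ] && [ -x "$h" ]; then :; else
            echo "autodev hook is not an executable file: $h" >&2; rc=1
        fi
    done <<EOF
$(lxc_conf_values lxc.hook.autodev "$1")
EOF
    return $rc
}

# Combined check; prints each problem to stderr and returns 1 if any was found.
check_tun_config() {
    rc=0
    tun_cgroup_allowed "$1" || { echo "missing: lxc.cgroup.devices.allow = c 10:200 rwm" >&2; rc=1; }
    method=$(tun_provision_method "$1") || { echo "no dev/net/tun bind mount or autodev hook" >&2; rc=1; }
    [ "$method" = autodev-hook ] && { autodev_hooks_executable "$1" || rc=1; }
    return $rc
}

if [ $# -gt 0 ]; then check_tun_config "$1"; fi
```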


