
Re: Issue with OpenVPN inside a LXC container: Failed at step NAMESPACE spawning /usr/sbin/openvpn: Permission denied



Hi.

On Tue, Jul 16, 2019 at 10:57:06PM -0400, Simon Bernier St-Pierre wrote:
> I have a LXC container which is connected to a remote VPN using
> OpenVPN. After upgrading to buster, the VPN does not start anymore.
> I'm using Debian buster on my host OS

These are relevant to the problem.

> This is the journalctl log for the openvpn service:
...
> Jul 16 20:32:30 dl systemd[70]: openvpn-client@pia.service: Failed to
> set up mount namespacing: Permission denied

And that is too.
As usual with this kind of problem, the journalctl log is useless. What you
need is the auditd log, because...

The most probable reasons for this are ProtectSystem=true in openvpn's
systemd unit (so systemd tries to set up a separate mount namespace for the
process), and an LXC AppArmor policy that started to work in buster (it
did not in stretch).

So, you have three options:

1) Set lxc.apparmor.profile = lxc-container-default-with-nesting for
your container. It may or may not help.

2) Disable Apparmor for LXC altogether (bad idea):
lxc.apparmor.profile = unconfined

3) Execute aa-logprof ("apparmor-utils" package) and stare into that
abyss.

Reco
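As an added example (not part of Reco's reply or of the LXC/systemd projects), a small POSIX shell helper that pulls the refused mount operations out of AppArmor audit events, so you can see which container profile blocked the unit's mount-namespace setup before deciding between the options above; the audit lines below are constructed for illustration, not taken from the thread.

```shell
#!/bin/sh
# Constructed sample of AppArmor audit events in the format auditd records them.
# The pids, timestamps and the mix of profiles are made up for this example.
SAMPLE_AUDIT='type=AVC msg=audit(1563330750.101:201): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-container-default" name="/" pid=4021 comm="(openvpn)" flags="rw, rslave"
type=AVC msg=audit(1563330750.102:202): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-container-default" name="/usr/" pid=4021 comm="(openvpn)" flags="ro, remount, bind"
type=AVC msg=audit(1563330751.500:203): apparmor="ALLOWED" operation="open" profile="lxc-container-default" name="/etc/openvpn/pia.conf" pid=4021 comm="openvpn"
type=AVC msg=audit(1563330752.000:204): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-container-default-with-nesting" name="/" pid=4099 comm="(openvpn)" flags="rw, rslave"'

# Read audit events on stdin and print "<count> <profile> <comm>" for every
# DENIED mount operation, i.e. every mount-namespace setup AppArmor refused.
# systemd performs these mounts before exec, which is why comm still shows the
# bracketed "(openvpn)" name rather than the running daemon.
mount_denials() {
    grep 'apparmor="DENIED"' | grep 'operation="mount"' \
    | sed -n 's/.*profile="\([^"]*\)".*comm="\([^"]*\)".*/\1 \2/p' \
    | sort | uniq -c | sed 's/^ *//'
}

# Number of refused mounts attributed to one AppArmor profile in the sample
# (empty output when that profile never refused a mount).
count_for_profile() {
    printf '%s\n' "$SAMPLE_AUDIT" | mount_denials | awk -v p="$1" '$2 == p { print $1 }'
}

# Exit status 0 when the given profile blocked at least one mount.
profile_blocked() {
    [ -n "$(count_for_profile "$1")" ]
}

# Stand-alone run: summarise the constructed sample.
printf '%s\n' "$SAMPLE_AUDIT" | mount_denials
```

On a real host feed the output of `ausearch -m AVC` (or /var/log/audit/audit.log) into `mount_denials` instead of the constructed sample; a non-empty count for `lxc-container-default` is the signature of the namespace failure described in the reply.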

