RTNETLINK error, privileged mode and net_admin not enough ? #1328
Comments
Permissions issues, please search issues as swarm might have issues and I remember a few old issues with swarm here |
Hi, if it is this solution, could you tell me what to put for the path of the conf? I can't use a persistent volume for this image and therefore cannot put a valid .ovpn config file path in the sudoers file... Thanks in advance! |
Have you tried directly on the host, instead of on the swarm? If you try to skip the LOCAL_NETWORK variable, is there any change? I know that you then won't be able to access the webUI, but that can be a problem for another day. Also, you could/should try to remove either one of
You're both mounting the host device and telling the container to create its own. The timing of the fatal error here makes me doubt it a bit, but it's worth a shot. |
Hi! I've seen an issue with the script launching with sudo inside the container and needing to be added to a sudoers file, but I can't find it anymore; do you think I should search this way? Thank you for your time! EDIT: If I tell the container to use the tun device of the host, I get an ERROR: Cannot open TUN/TAP dev /dev/net/tun: No such file or directory (errno=2), before a fatal error. |
UPDATE I've run the container through the docker CLI with the following cmd: docker run --cap-add=NET_ADMIN --privileged -d -v "appdata/transmission-vpn:/etc/openvpn/custom/" -v "download:/downloads" -e TRANSMISSION_WEB_HOME=/combustion-release -e OPENVPN_PROVIDER=CUSTOM -e OPENVPN_USERNAME=xxx -e OPENVPN_PASSWORD=m -e WEBPROXY_ENABLED=false -e TRANSMISSION_UTP_ENABLED=false -e PUID=1000 -e PGID=100 --log-driver json-file --log-opt max-size=10m -p 9091:9091 haugene/transmission-openvpn:latest this is the log: Using OpenVPN provider: CUSTOM, I've updated everything, upgraded everything, even did a dist-upgrade: Linux omv.local 5.7.0-0.bpo.2-amd64 #1 SMP Debian 5.7.10-1~bpo10+1 (2020-07-30) x86_64 GNU/Linux Same docker config. If I launch openvpn with the config manually it connects and I can ping the server over the vpn. |
Looks like permission problems with docker and openmediavault (I assumed it was what omv was).. Might find something googling that?
…On Sat, Aug 15, 2020 at 19:07 Ratshoro1 ***@***.***> wrote:
UPDATE
I've run the container through docker CLI with the following cmd :
docker run --cap-add=NET_ADMIN --privileged -d -v
"appdata/transmission-vpn:/etc/openvpn/custom/" -v "download:/downloads" -e
TRANSMISSION_WEB_HOME=/combustion-release -e OPENVPN_PROVIDER=CUSTOM -e
OPENVPN_USERNAME=xxx -e OPENVPN_PASSWORD=m -e WEBPROXY_ENABLED=false -e
TRANSMISSION_UTP_ENABLED=false -e PUID=1000 -e PGID=100 --log-driver
json-file --log-opt max-size=10m -p 9091:9091
haugene/transmission-openvpn:latest
this is the log :
Using OpenVPN provider: CUSTOM,
No VPN configuration provided. Using default.,
Setting OPENVPN credentials...,
adding route to local network 192.168.0.0/24 via 172.17.0.1 dev eth0,
adding route to local network 172.18.0.0/16 via 172.17.0.1 dev eth0,
Sat Aug 15 11:58:08 2020 Note: option tun-ipv6 is ignored because modern
operating systems do not need special IPv6 tun handling anymore.,
Sat Aug 15 11:58:08 2020 Multiple --up scripts defined. The previously
configured script is overridden.,
Sat Aug 15 11:58:08 2020 Multiple --down scripts defined. The previously
configured script is overridden.,
Sat Aug 15 11:58:08 2020 WARNING: file
'/etc/openvpn/custom/mullvad_userpass.txt' is group or others accessible,
Sat Aug 15 11:58:08 2020 OpenVPN 2.4.7 x86_64-pc-linux-gnu [SSL (OpenSSL)]
[LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Sep 5 2019,
Sat Aug 15 11:58:08 2020 library versions: OpenSSL 1.1.1c 28 May 2019, LZO
2.10,
Sat Aug 15 11:58:08 2020 NOTE: the current --script-security setting may
allow this configuration to call user-defined scripts,
Sat Aug 15 11:58:08 2020 TCP/UDP: Preserving recently used remote address:
[AF_INET]185.213.154.132:1302,
Sat Aug 15 11:58:08 2020 Socket Buffers: R=[212992->425984]
S=[212992->425984],
Sat Aug 15 11:58:08 2020 UDP link local: (not bound),
Sat Aug 15 11:58:08 2020 UDP link remote: [AF_INET]185.213.154.132:1302,
Sat Aug 15 11:58:08 2020 TLS: Initial packet from [AF_INET]
185.213.154.132:1302, sid=dc4f6e7a 39beeb0f,
Sat Aug 15 11:58:08 2020 WARNING: this configuration may cache passwords
in memory -- use the auth-nocache option to prevent this,
Sat Aug 15 11:58:08 2020 VERIFY OK: depth=2, C=SE, ST=Gotaland,
L=Gothenburg, O=Amagicom AB, OU=Mullvad, CN=Mullvad Root CA v2,
***@***.***,
Sat Aug 15 11:58:08 2020 VERIFY OK: depth=1, C=SE, ST=Gotaland, O=Amagicom
AB, OU=Mullvad, CN=Mullvad Intermediate CA v2, emailAddress=
***@***.***,
Sat Aug 15 11:58:08 2020 VERIFY KU OK,
Sat Aug 15 11:58:08 2020 Validating certificate extended key usage,
Sat Aug 15 11:58:08 2020 ++ Certificate has EKU (str) TLS Web Server
Authentication, expects TLS Web Server Authentication,
Sat Aug 15 11:58:08 2020 VERIFY EKU OK,
Sat Aug 15 11:58:08 2020 VERIFY OK: depth=0, C=SE, ST=Gotaland, O=Amagicom
AB, OU=Mullvad, CN=se-got-002.mullvad.net, emailAddress=
***@***.***,
Sat Aug 15 11:58:08 2020 WARNING: 'link-mtu' is used inconsistently,
local='link-mtu 1557', remote='link-mtu 1558',
Sat Aug 15 11:58:08 2020 WARNING: 'comp-lzo' is present in remote config
but missing in local config, remote='comp-lzo',
Sat Aug 15 11:58:08 2020 Control Channel: TLSv1.3, cipher TLSv1.3
TLS_CHACHA20_POLY1305_SHA256, 4096 bit RSA,
Sat Aug 15 11:58:08 2020 [se-got-002.mullvad.net] Peer Connection
Initiated with [AF_INET]185.213.154.132:1302,
Sat Aug 15 11:58:09 2020 SENT CONTROL [se-got-002.mullvad.net]:
'PUSH_REQUEST' (status=1),
Sat Aug 15 11:58:14 2020 SENT CONTROL [se-got-002.mullvad.net]:
'PUSH_REQUEST' (status=1),
Sat Aug 15 11:58:14 2020 PUSH: Received control message:
'PUSH_REPLY,dhcp-option DNS 10.16.0.1,redirect-gateway def1
bypass-dhcp,route-ipv6 0000::/2,route-ipv6 4000::/2,route-ipv6
8000::/2,route-ipv6 C000::/2,comp-lzo no,route-gateway 10.16.0.1,topology
subnet,socket-flags TCP_NODELAY,ifconfig-ipv6 fdda:d0d0:cafe:1302::1000/64
fdda:d0d0:cafe:1302::,ifconfig 10.16.0.2 255.255.0.0,peer-id 2,cipher
AES-256-GCM',
Sat Aug 15 11:58:14 2020 OPTIONS IMPORT: compression parms modified,
Sat Aug 15 11:58:14 2020 OPTIONS IMPORT: --socket-flags option modified,
Sat Aug 15 11:58:14 2020 NOTE: setsockopt TCP_NODELAY=1 failed,
Sat Aug 15 11:58:14 2020 OPTIONS IMPORT: --ifconfig/up options modified,
Sat Aug 15 11:58:14 2020 OPTIONS IMPORT: route options modified,
Sat Aug 15 11:58:14 2020 OPTIONS IMPORT: route-related options modified,
Sat Aug 15 11:58:14 2020 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option
options modified,
Sat Aug 15 11:58:14 2020 OPTIONS IMPORT: peer-id set,
Sat Aug 15 11:58:14 2020 OPTIONS IMPORT: adjusting link_mtu to 1624,
Sat Aug 15 11:58:14 2020 OPTIONS IMPORT: data channel crypto options
modified,
Sat Aug 15 11:58:14 2020 Data Channel: using negotiated cipher
'AES-256-GCM',
Sat Aug 15 11:58:14 2020 Outgoing Data Channel: Cipher 'AES-256-GCM'
initialized with 256 bit key,
Sat Aug 15 11:58:14 2020 Incoming Data Channel: Cipher 'AES-256-GCM'
initialized with 256 bit key,
Sat Aug 15 11:58:14 2020 ROUTE_GATEWAY 172.17.0.1/255.255.0.0 IFACE=eth0
HWADDR=02:42:ac:11:00:03,
Sat Aug 15 11:58:14 2020 GDG6: remote_host_ipv6=n/a,
Sat Aug 15 11:58:14 2020 ROUTE6: default_gateway=UNDEF,
Sat Aug 15 11:58:14 2020 TUN/TAP device tun0 opened,
Sat Aug 15 11:58:14 2020 TUN/TAP TX queue length set to 100,
Sat Aug 15 11:58:14 2020 /sbin/ip link set dev tun0 up mtu 1500,
Sat Aug 15 11:58:14 2020 /sbin/ip addr add dev tun0 10.16.0.2/16
broadcast 10.16.255.255,
Sat Aug 15 11:58:14 2020 /sbin/ip -6 addr add fdda:d0d0:cafe:1302::1000/64
dev tun0,
RTNETLINK answers: Permission denied,
Sat Aug 15 11:58:14 2020 Linux ip -6 addr add failed: external program
exited with error status: 2,
Sat Aug 15 11:58:14 2020 Exiting due to fatal error,
I've updated everything, upgraded everything, even did a dist-upgrade:
Linux omv.local 5.7.0-0.bpo.2-amd64 #1 SMP
Debian 5.7.10-1~bpo10+1 (2020-07-30) x86_64 GNU/Linux
Same docker config.
If I launch openvpn with the config manually it connects and I can ping
the server over the vpn.
|
I've taken another road. Now the container is hanging with: Using OpenVPN provider: CUSTOM, Sat Aug 15 16:32:08 2020 TUN/TAP device tun0 opened, My quest continues, but thanks for the tips |
It's done, thanks for the help. EDIT: check your ovpn config file for up and down scripts, that will block Transmission from starting |
Yes. These log lines mean that our defined up-script that starts Transmission is not going to run:
Glad you got it working and that you documented what you did. Good for other coming after you. |
Describe the problem
Hi,
I'm kinda new to docker, but I've managed to set up my home media center for some time now.
Trying to install transmission in docker with this image and a vpn connection to mullvad servers.
I've tried privileged mode, sys_admin, net_admin etc. but I cannot for the life of me get the docker to initialize!
Do you have any insight ?
Thanks in advance
Add your docker run command
EDIT: please excuse the commented lines, I've done some tinkering...
version: '3.7'
services:
  transmission:
    image: haugene/transmission-openvpn
    container_name: transmissionvpn2
    privileged: true
    restart: unless-stopped
    devices:
      - "/dev/net/tun"
    volumes:
      - "/downloads/"
      - "/appdata/transmission-vpn:/etc/openvpn/custom/"
    environment:
      - TZ=Europe/Paris
      - TRANSMISSION_WEB_HOME=/combustion-release/ #optional
      - CREATE_TUN_DEVICE=true
      #- OPENVPN_OPTS=--inactive 3600 --ping 10 --ping-exit 60
      - OPENVPN_PROVIDER=CUSTOM
      #- OPENVPN_CONFIG=mullvad_fr_udp
      #- OPENVPN_CONFIG=/config/mullvad_se_all
      - OPENVPN_USERNAME=***
      - OPENVPN_PASSWORD=m
      - WEBPROXY_ENABLED=false
      - TRANSMISSION_UTP_ENABLED=false
      #- PUID=1000
      #- PGID=100
      - LOCAL_NETWORK=192.168.0.0/24,172.18.0.0/16
    cap_add:
      - ALL
      - NETADMIN
    sysctls:
      - net.ipv6.conf.all.disable_ipv6=1
    ports:
      - 8082:9091
    dns:
      - 80.67.169.12
      - 80.67.169.40
Logs
Using OpenVPN provider: CUSTOM,
No VPN configuration provided. Using default.,
Setting OPENVPN credentials...,
adding route to local network 192.168.0.0/24 via 172.21.0.1 dev eth2,
RTNETLINK answers: Operation not permitted,
adding route to local network 172.18.0.0/16 via 172.21.0.1 dev eth2,
RTNETLINK answers: Operation not permitted,
Tue Aug 11 18:46:30 2020 Note: option tun-ipv6 is ignored because modern operating systems do not need special IPv6 tun handling anymore.,
Tue Aug 11 18:46:30 2020 Multiple --up scripts defined. The previously configured script is overridden.,
Tue Aug 11 18:46:30 2020 Multiple --down scripts defined. The previously configured script is overridden.,
Tue Aug 11 18:46:30 2020 WARNING: file '/etc/openvpn/custom/mullvad_userpass.txt' is group or others accessible,
Tue Aug 11 18:46:30 2020 OpenVPN 2.4.7 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Sep 5 2019,
Tue Aug 11 18:46:30 2020 library versions: OpenSSL 1.1.1c 28 May 2019, LZO 2.10,
Tue Aug 11 18:46:30 2020 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts,
Tue Aug 11 18:46:30 2020 TCP/UDP: Preserving recently used remote address: [AF_INET]185.65.135.138:1302,
Tue Aug 11 18:46:30 2020 Socket Buffers: R=[212992->425984] S=[212992->425984],
Tue Aug 11 18:46:30 2020 UDP link local: (not bound),
Tue Aug 11 18:46:30 2020 UDP link remote: [AF_INET]185.65.135.138:1302,
Tue Aug 11 18:46:31 2020 TLS: Initial packet from [AF_INET]185.65.135.138:1302, sid=b90d62d8 41714b81,
Tue Aug 11 18:46:31 2020 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this,
Tue Aug 11 18:46:31 2020 VERIFY OK: depth=2, C=SE, ST=Gotaland, L=Gothenburg, O=Amagicom AB, OU=Mullvad, CN=Mullvad Root CA v2, emailAddress=[email protected],
Tue Aug 11 18:46:31 2020 VERIFY OK: depth=1, C=SE, ST=Gotaland, O=Amagicom AB, OU=Mullvad, CN=Mullvad Intermediate CA v2, emailAddress=[email protected],
Tue Aug 11 18:46:31 2020 VERIFY KU OK,
Tue Aug 11 18:46:31 2020 Validating certificate extended key usage,
Tue Aug 11 18:46:31 2020 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication,
Tue Aug 11 18:46:31 2020 VERIFY EKU OK,
Tue Aug 11 18:46:31 2020 VERIFY OK: depth=0, C=SE, ST=Gotaland, O=Amagicom AB, OU=Mullvad, CN=se-sto-008.mullvad.net, emailAddress=[email protected],
Tue Aug 11 18:46:31 2020 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1557', remote='link-mtu 1558',
Tue Aug 11 18:46:31 2020 WARNING: 'comp-lzo' is present in remote config but missing in local config, remote='comp-lzo',
Tue Aug 11 18:46:31 2020 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_CHACHA20_POLY1305_SHA256, 4096 bit RSA,
Tue Aug 11 18:46:31 2020 [se-sto-008.mullvad.net] Peer Connection Initiated with [AF_INET]185.65.135.138:1302,
Tue Aug 11 18:46:32 2020 SENT CONTROL [se-sto-008.mullvad.net]: 'PUSH_REQUEST' (status=1),
Tue Aug 11 18:46:32 2020 PUSH: Received control message: 'PUSH_REPLY,dhcp-option DNS 10.16.0.1,redirect-gateway def1 bypass-dhcp,route-ipv6 0000::/2,route-ipv6 4000::/2,route-ipv6 8000::/2,route-ipv6 C000::/2,comp-lzo no,route-gateway 10.16.0.1,topology subnet,socket-flags TCP_NODELAY,ifconfig-ipv6 fdda:d0d0:cafe:1302::1006/64 fdda:d0d0:cafe:1302::,ifconfig 10.16.0.8 255.255.0.0,peer-id 3,cipher AES-256-GCM',
Tue Aug 11 18:46:32 2020 OPTIONS IMPORT: compression parms modified,
Tue Aug 11 18:46:32 2020 OPTIONS IMPORT: --socket-flags option modified,
Tue Aug 11 18:46:32 2020 NOTE: setsockopt TCP_NODELAY=1 failed,
Tue Aug 11 18:46:32 2020 OPTIONS IMPORT: --ifconfig/up options modified,
Tue Aug 11 18:46:32 2020 OPTIONS IMPORT: route options modified,
Tue Aug 11 18:46:32 2020 OPTIONS IMPORT: route-related options modified,
Tue Aug 11 18:46:32 2020 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified,
Tue Aug 11 18:46:32 2020 OPTIONS IMPORT: peer-id set,
Tue Aug 11 18:46:32 2020 OPTIONS IMPORT: adjusting link_mtu to 1624,
Tue Aug 11 18:46:32 2020 OPTIONS IMPORT: data channel crypto options modified,
Tue Aug 11 18:46:32 2020 Data Channel: using negotiated cipher 'AES-256-GCM',
Tue Aug 11 18:46:32 2020 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key,
Tue Aug 11 18:46:32 2020 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key,
Tue Aug 11 18:46:32 2020 ROUTE_GATEWAY 172.21.0.1/255.255.0.0 IFACE=eth2 HWADDR=02:42:ac:15:00:03,
Tue Aug 11 18:46:32 2020 GDG6: remote_host_ipv6=n/a,
Tue Aug 11 18:46:32 2020 ROUTE6: default_gateway=UNDEF,
Tue Aug 11 18:46:32 2020 ERROR: Cannot ioctl TUNSETIFF tun: Operation not permitted (errno=1),
Tue Aug 11 18:46:32 2020 Exiting due to fatal error,
Host system:
Swarm mode
Client: Docker Engine - Community
 Version:           19.03.12
 API version:       1.40
 Go version:        go1.13.10
 Git commit:        48a66213fe
 Built:             Mon Jun 22 15:45:50 2020
 OS/Arch:           linux/amd64
 Experimental:      false
Server: Docker Engine - Community
 Engine:
  Version:          19.03.12
  API version:      1.40 (minimum version 1.12)
  Go version:       go1.13.10
  Git commit:       48a66213fe
  Built:            Mon Jun 22 15:44:21 2020
  OS/Arch:          linux/amd64
  Experimental:     false
 containerd:
  Version:          1.2.13
  GitCommit:        7ad184331fa3e55e52b890ea95e65ba581ae3429
 runc:
  Version:          1.0.0-rc10
  GitCommit:        dc9208a3303feef5b3839f4323d9beb36df0a9dd
 docker-init:
  Version:          0.18.0
  GitCommit:        fec3683
OpenMediaVault 5.5.0
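The thread hits three distinct failures: TUNSETIFF and route changes rejected with "Operation not permitted" (the requested capabilities never reached the container's effective set), the pushed ifconfig-ipv6 address failing on "ip -6 addr add", and an .ovpn that defines its own up/down scripts so the image's Transmission-starting up-script is overridden. The diagnostic below is an added example, not part of haugene/transmission-openvpn; it checks each of those from inside the container, parsing the effective capability mask, a log file and the custom config. The config directory is the one from the issue, the script name and `--run` flag are assumptions.

```shell
#!/bin/sh
# Added diagnostic; not part of haugene/transmission-openvpn. Run inside the
# container (sh diag.sh --run) to see which failure mode from this thread applies.
# The config path in main() is the one from the issue; the script name is assumed.

CAP_NET_ADMIN=12   # capability bit number from linux/capability.h

# has_cap_net_admin HEXMASK: succeed if CAP_NET_ADMIN is in a CapEff mask as
# printed in /proc/self/status. What compose requested (privileged, cap_add)
# is not proof it was granted; the effective set is.
has_cap_net_admin() {
    [ $(( (0x$1 >> CAP_NET_ADMIN) & 1 )) -eq 1 ]
}

# ovpn_script_directives FILE: print the up/down directives a .ovpn defines.
# Any hit overrides the image's own --up script that starts Transmission
# ("Multiple --up scripts defined" in the log).
ovpn_script_directives() {
    grep -E '^[[:space:]]*(up|down)[[:space:]]' "$1"
}

# diagnose_log FILE: map the error lines seen in this thread to a short tag
diagnose_log() {
    while IFS= read -r line; do
        case "$line" in
            *"Cannot ioctl TUNSETIFF"*"Operation not permitted"*) echo tun-eperm ;;
            *"RTNETLINK answers: Operation not permitted"*)      echo route-eperm ;;
            *"ip -6 addr add failed"*)                           echo ipv6-addr-failed ;;
            *"Multiple --up scripts defined"*)                   echo up-script-overridden ;;
        esac
    done < "$1" | sort -u
}

main() {
    eff=$(awk '/^CapEff:/ {print $2}' /proc/self/status)
    if has_cap_net_admin "$eff"; then echo "CAP_NET_ADMIN: present (CapEff $eff)"
    else echo "CAP_NET_ADMIN: MISSING (CapEff $eff): TUNSETIFF and route changes get EPERM"
    fi
    [ -c /dev/net/tun ] && echo "/dev/net/tun: present" || echo "/dev/net/tun: missing"
    v6=$(cat /proc/sys/net/ipv6/conf/all/disable_ipv6 2>/dev/null || echo n/a)
    echo "disable_ipv6=$v6 (1 means the pushed ifconfig-ipv6 'ip -6 addr add' fails)"
    for f in /etc/openvpn/custom/*.ovpn; do
        [ -f "$f" ] && ovpn_script_directives "$f" | sed "s|^|$f overrides: |"
    done
}

if [ "${1:-}" = "--run" ]; then main; fi
```

Feeding the issue's own log to diagnose_log yields route-eperm and tun-eperm, matching the first reply's pointer at the swarm deployment rather than the compose file.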