Val*_*ntz 3 debian openvpn init.d systemd network-namespace
I have a post-up script that is run by openvpn:
#!/bin/bash
echo "I am: `whoami`"
echo "Moving interface into the netns"
ip link set dev "$1" up netns hydrogenvpn mtu "$2"
echo "Listing"
ip netns ls
echo "test"
ip netns exec hydrogenvpn cat /tmp/foobar
If I start openvpn with any of the following commands: service openvpn start, /etc/init.d/openvpn start, systemctl start openvpn@hydrogen.service, I see this in the log:
Sun Oct 9 11:19:15 2016 us=851109 /sbin/ip link set dev tun-hyd2 up mtu 1500
Sun Oct 9 11:19:15 2016 us=858267 /sbin/ip addr add dev tun-hyd2 10.43.43.3/24 broadcast 10.43.43.255
Sun Oct 9 11:19:15 2016 us=872474 /etc/openvpn/hydrogen_postup.sh tun-hyd2 1500 1542 10.43.43.3 255.255.255.0 init
I am: root
Moving interface into the netns
Listing
novpn (id: 1)
hydrogenvpn (id: 0)
test
setting the network namespace "hydrogenvpn" failed: Operation not permitted
However, if I run openvpn with exactly the same command that systemd uses, it works:
# systemctl status openvpn@hydrogen.service | grep Process
Process: 7722 ExecStart=/usr/sbin/openvpn --daemon ovpn-%i --status /run/openvpn/%i.status 10 --cd /etc/openvpn --config /etc/openvpn/%i.conf --writepid /run/openvpn/%i.pid (code=exited, status=0/SUCCESS)
# /usr/sbin/openvpn --daemon ovpn-hydrogen --status /run/openvpn/hydrogen.status 10 --cd /etc/openvpn --config /etc/openvpn/hydrogen.conf --writepid /run/openvpn/hydrogen.pid
# tail /var/log/openvpn.log
Sun Oct 9 11:25:28 2016 us=762617 /sbin/ip addr add dev tun-hyd2 10.43.43.3/24 broadcast 10.43.43.255
Sun Oct 9 11:25:28 2016 us=767131 /etc/openvpn/hydrogen_postup.sh tun-hyd2 1500 1542 10.43.43.3 255.255.255.0 init
I am: root
Moving interface into the netns
Listing
novpn (id: 1)
hydrogenvpn (id: 0)
test
<content of /tmp/foobar>
Sun Oct 9 11:25:28 2016 us=952737 Initialization Sequence Completed
I also tried starting openvpn with systemd and then running the script manually; that works too.
Why is there a difference between the two runs? How can I make the script work when it is run by an openvpn started by systemd?
Versions: Debian testing, openvpn 2.3.11-2, systemd 231-9
This is the OpenVPN service file (/lib/systemd/system/openvpn@.service):
[Unit]
Description=OpenVPN connection to %i
PartOf=openvpn.service
ReloadPropagatedFrom=openvpn.service
Before=systemd-user-sessions.service
Documentation=man:openvpn(8)
Documentation=https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage
Documentation=https://community.openvpn.net/openvpn/wiki/HOWTO
[Service]
PrivateTmp=true
KillMode=mixed
Type=forking
ExecStart=/usr/sbin/openvpn --daemon ovpn-%i --status /run/openvpn/%i.status 10 --cd /etc/openvpn --config /etc/openvpn/%i.conf --writepid /run/openvpn/%i.pid
PIDFile=/run/openvpn/%i.pid
ExecReload=/bin/kill -HUP $MAINPID
WorkingDirectory=/etc/openvpn
ProtectSystem=yes
CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_READ_SEARCH CAP_AUDIT_WRITE
LimitNPROC=10
DeviceAllow=/dev/null rw
DeviceAllow=/dev/net/tun rw
[Install]
WantedBy=multi-user.target
There are three things limiting what we can do here:
CapabilityBoundingSet limits what the unit may do. There may be some capability that "ip netns" needs which is not in there. For example, ip netns does a mount --bind, which requires CAP_SYS_ADMIN.
ProtectSystem prevents the unit from modifying the filesystem (I don't think it blocks bind mounts);
LimitNPROC limits the number of processes in the unit. This may be the source of the problem, but it could be an issue for complex scripts.
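Added example, not part of the question or the answer above: a shell script that turns the unit's CapabilityBoundingSet= list into the CapBnd bitmask the kernel shows in /proc/<pid>/status and checks it for CAP_SYS_ADMIN, the capability ip netns exec needs for setns(2) and for the bind mounts the answer mentions. The capability numbers are the values from <linux/capability.h>; UNIT_CAPS is copied from the unit file in the question; cap_bnd_of_pid reads /proc and therefore only works on Linux.

```shell
#!/bin/bash
# Added example: decode a systemd CapabilityBoundingSet= list into the
# CapBnd bitmask the kernel reports, and test it for CAP_SYS_ADMIN.

# Capability numbers from <linux/capability.h>. Only the capabilities in
# the page's unit file plus CAP_SYS_ADMIN are listed here.
cap_number() {
    case "$1" in
        CAP_DAC_READ_SEARCH)  echo 2 ;;
        CAP_SETGID)           echo 6 ;;
        CAP_SETUID)           echo 7 ;;
        CAP_NET_BIND_SERVICE) echo 10 ;;
        CAP_NET_ADMIN)        echo 12 ;;
        CAP_NET_RAW)          echo 13 ;;
        CAP_IPC_LOCK)         echo 14 ;;
        CAP_SYS_CHROOT)       echo 18 ;;
        CAP_SYS_ADMIN)        echo 21 ;;
        CAP_AUDIT_WRITE)      echo 29 ;;
        *) echo "unknown capability: $1" >&2; return 1 ;;
    esac
}

# Hex bitmask for a space-separated capability list, in the same form as
# the CapBnd: line of /proc/<pid>/status (16 lowercase hex digits).
caps_to_mask() {
    local mask=0 cap n
    for cap in $1; do
        n=$(cap_number "$cap") || return 1
        mask=$(( mask | (1 << n) ))
    done
    printf '%016x\n' "$mask"
}

# Succeeds if capability $2 is present in hex mask $1.
mask_has_cap() {
    local n
    n=$(cap_number "$2") || return 1
    [ $(( (0x$1 >> n) & 1 )) -eq 1 ]
}

# Bounding set of a running process (default: this shell). Dropping this
# into the post-up script shows what the systemd-started openvpn passes
# on to its children, as opposed to what a manual root shell has.
cap_bnd_of_pid() {
    awk '/^CapBnd:/ { print $2 }' "/proc/${1:-self}/status"
}

# The CapabilityBoundingSet= line from the unit file in the question.
UNIT_CAPS="CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_READ_SEARCH CAP_AUDIT_WRITE"

unit_mask=$(caps_to_mask "$UNIT_CAPS")
echo "CapBnd under openvpn@.service: $unit_mask"
if mask_has_cap "$unit_mask" CAP_SYS_ADMIN; then
    echo "CAP_SYS_ADMIN is in the bounding set"
else
    echo "CAP_SYS_ADMIN is not in the bounding set: setns()/mount in ip netns exec get EPERM"
fi
echo "CapBnd of this shell: $(cap_bnd_of_pid)"
```

Logging cap_bnd_of_pid (or simply grep CapBnd /proc/self/status) from the post-up script in both the systemd and the manual run is the direct way to test the answer's first hypothesis: a manual root shell reports the full bounding set, while the unit reports 00000000200474c4, with bit 21 clear. If that is the cause, the change that follows is a drop-in (systemctl edit openvpn@.service) restating CapabilityBoundingSet= with CAP_SYS_ADMIN added. The caveat is that CAP_SYS_ADMIN is close to full root, so adding it gives back most of what the bounding set was meant to take away; doing the namespace move in a separate, less confined unit that the VPN unit depends on keeps more of the hardening.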