docker-openvpn

getsockopt failed strangely: Operation not permitted

Open JustinGuese opened this issue 4 years ago • 5 comments

Heyo,

The above message gets dropped when trying to run your Docker image on Kubernetes. Any ideas why? I guess it's an issue with the container port not being allowed?

Thanks for your help!

JustinGuese avatar Aug 23 '21 07:08 JustinGuese

I get the same error. Here is the log with debug mode enabled:

+ set -e
+ cd /etc/openvpn
+ USER_ARGS=("${@}")   
 
)
+ addArg --config /etc/openvpn/openvpn.conf
+ local arg=--config
+ '[' 2 -ge 1 ']'
+ local val=/etc/openvpn/openvpn.conf
+ hasArg --config
+ local element
+ return 1
+ ARGS+=("${arg}")
+ '[' 2 -ge 1 ']'
+ ARGS+=("${val}")
+ source /etc/openvpn/ovpn_env.sh
++ declare -x OVPN_AUTH=
++ declare -x OVPN_CIPHER=
++ declare -x OVPN_CLIENT_TO_CLIENT=
++ declare -x OVPN_CN=<REDACTED>
++ declare -x OVPN_COMP_LZO=0
++ declare -x OVPN_DEFROUTE=1
++ declare -x OVPN_DEVICE=tun
++ declare -x OVPN_DEVICEN=0
++ declare -x OVPN_DISABLE_PUSH_BLOCK_DNS=0
++ declare -x OVPN_DNS=1
++ OVPN_DNS_SERVERS=([0]="8.8.8.8" [1]="1.1.1.1")
++ declare -x OVPN_DNS_SERVERS
++ declare -x OVPN_ENV=/etc/openvpn/ovpn_env.sh
++ OVPN_EXTRA_CLIENT_CONFIG=()
++ declare -x OVPN_EXTRA_CLIENT_CONFIG
++ OVPN_EXTRA_SERVER_CONFIG=()
++ declare -x OVPN_EXTRA_SERVER_CONFIG
++ declare -x OVPN_FRAGMENT=
++ declare -x 'OVPN_KEEPALIVE=10 60'
++ declare -x OVPN_MTU=
++ declare -x OVPN_NAT=0
++ declare -x OVPN_PORT=<REDACTED>
++ declare -x OVPN_PROTO=udp
++ OVPN_PUSH=()
++ declare -x OVPN_PUSH
++ OVPN_ROUTES=([0]="192.168.254.0/24")
++ declare -x OVPN_ROUTES
++ declare -x OVPN_SERVER=192.168.255.0/24
++ declare -x OVPN_SERVER_URL=udp://<REDACTED>
++ declare -x OVPN_TLS_CIPHER=
+ mkdir -p /dev/net
+ '[' '!' -c /dev/net/tun ']'
+ mknod /dev/net/tun c 10 200
+ '[' -d /etc/openvpn/ccd ']'
+ addArg --client-config-dir /etc/openvpn/ccd
+ local arg=--client-config-dir
+ '[' 2 -ge 1 ']'
+ local val=/etc/openvpn/ccd
+ hasArg --client-config-dir
+ local element
+ return 1
+ ARGS+=("${arg}")
+ '[' 2 -ge 1 ']'
+ ARGS+=("${val}")
+ '[' -z '' ']'
+ OVPN_NATDEVICE=eth0
+ '[' 1 '!=' 0 ']'
+ setupIptablesAndRouting
+ iptables -t nat -C POSTROUTING -s 192.168.255.0/24 -o eth0 -j MASQUERADE
+ iptables -t nat -A POSTROUTING -s 192.168.255.0/24 -o eth0 -j MASQUERADE
getsockopt failed strangely: Operation not permitted

jobr97 avatar Aug 26 '21 12:08 jobr97

Need to add --cap-add=NET_ADMIN

pvlg avatar Sep 09 '21 16:09 pvlg
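The reason the flag matters, shown as an added example that is not from this thread or from docker-openvpn: iptables needs CAP_NET_ADMIN (capability number 12), and a container started without it gets EPERM on the netfilter call seen at the end of the log above. This POSIX shell preflight decodes the `CapEff` mask from `/proc/self/status`; the function names and the two sample masks are constructed for illustration.

```shell
# Added example, not part of docker-openvpn: preflight check for CAP_NET_ADMIN.
# Without it, netfilter calls fail with EPERM, which iptables reports as
# "getsockopt failed strangely: Operation not permitted".

CAP_NET_ADMIN_BIT=12    # capability number from linux/capability.h

# Constructed sample masks: Docker's default capability set, and the same
# set with NET_ADMIN (bit 12, 0x1000) added.
SAMPLE_DEFAULT_CAPEFF=00000000a80425fb
SAMPLE_NET_ADMIN_CAPEFF=00000000a80435fb

# cap_eff_from_status FILE: print the CapEff hex mask from a /proc/<pid>/status file.
cap_eff_from_status() {
    awk '$1 == "CapEff:" { print $2; exit }' "$1"
}

# mask_has_cap HEXMASK BIT: exit status 0 if BIT is set in HEXMASK.
mask_has_cap() {
    [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]
}

# check_net_admin [STATUS_FILE]: 0 = present, 1 = missing, 2 = mask unreadable.
# Variables are global on purpose so the function also works in plain sh.
check_net_admin() {
    status_file=${1:-/proc/self/status}
    mask=$(cap_eff_from_status "$status_file" 2>/dev/null)
    case $mask in
        ''|*[!0-9a-fA-F]*)
            echo "cannot read CapEff from $status_file" >&2
            return 2 ;;
    esac
    if mask_has_cap "$mask" "$CAP_NET_ADMIN_BIT"; then
        echo "CapEff=$mask: NET_ADMIN present"
    else
        echo "CapEff=$mask: NET_ADMIN missing, iptables will fail (docker run --cap-add=NET_ADMIN)" >&2
        return 1
    fi
}
```

Calling `check_net_admin` inside the container before the iptables step turns the obscure getsockopt message into an explicit diagnosis. On Kubernetes, the counterpart of `--cap-add` is `securityContext.capabilities.add: ["NET_ADMIN"]` on the container spec.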

@pvlg: --cap-add=NET_ADMIN worked for me. Thanks.

marlarius avatar Feb 13 '22 17:02 marlarius

> Need to add --cap-add=NET_ADMIN @pvlg

The cap_add and cap_drop options are ignored when deploying a stack in swarm mode (doc)

What if I can't use cap-add?

Likqez avatar Mar 10 '22 21:03 Likqez

> What if I can't use cap-add?

I'm in the same situation. But now that I think about it, maybe I always want the same computer to be my VPN server, so outside the swarm. But then do you need a different machine/VM? Not sure if we can launch a docker on the same machine that is part of a swarm.

gortium avatar Aug 12 '22 17:08 gortium