I recently updated a Docker container that uses systemd internally from Debian stretch to Debian buster, and since then it's not working.
According to systemctl status, it fails to set up the namespace:
Dec 10 14:22:11 f6f3e33e6bf2 systemd[1]: Starting OpenVPN tunnel for apu__ssl_vpn_config...
Dec 10 14:22:11 f6f3e33e6bf2 systemd[1736]: openvpn-client@apu__ssl_vpn_config.service: Failed to set up mount namespacing: Permission denied
Dec 10 14:22:11 f6f3e33e6bf2 systemd[1736]: openvpn-client@apu__ssl_vpn_config.service: Failed at step NAMESPACE spawning /usr/sbin/openvpn: Permission denied
Dec 10 14:22:11 f6f3e33e6bf2 systemd[1]: openvpn-client@apu__ssl_vpn_config.service: Main process exited, code=exited, status=226/NAMESPACE
Dec 10 14:22:11 f6f3e33e6bf2 systemd[1]: openvpn-client@apu__ssl_vpn_config.service: Failed with result 'exit-code'.
Dec 10 14:22:11 f6f3e33e6bf2 systemd[1]: Failed to start OpenVPN tunnel for apu__ssl_vpn_config.
Now I have had a similar issue with elasticsearch, which I fixed by adding a drop-in unit config containing:
[Service]
PrivateTmp=false
NoNewPrivileges=yes
Though sadly that doesn't fix the issue this time.
I also found this exact issue occurring when using LXC (or LXD?), though I don't know how to fix this with Docker.
Additionally, I start the container like this:
docker run -dt \
--tmpfs /run --tmpfs /tmp \
--volume /sys/fs/cgroup:/sys/fs/cgroup:ro \
--device=/dev/net/tun \
--cap-add SYS_ADMIN \
--cap-add NET_ADMIN \
<container>
Any pointers are much appreciated.
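An added example (editor's note, not part of the original question or of any answer to it): systemd sets up a mount namespace for a service whenever the unit uses any of its mount-based sandboxing directives, not only PrivateTmp=, so a drop-in that clears only PrivateTmp= still leaves the unshare in place when the unit also sets ProtectSystem=, ProtectHome= or similar. The script below reads a unit file on stdin, lists every directive that triggers mount namespacing, and prints a drop-in that disables them, plus a helper that computes the drop-in directory for a templated unit. The sample unit embedded in it is constructed for the demonstration and is not Debian's actual openvpn-client@.service; the list of directives is taken from systemd.exec(5). Be aware that such a drop-in strips the service's own sandboxing, a trade-off worth recording next to the container's --cap-add SYS_ADMIN.

```shell
#!/bin/sh
# Added example, not code from the original post. Finds the [Service] directives
# that make systemd create a mount namespace and emits a drop-in disabling them.

# Directives that require a mount namespace (systemd.exec(5)). Boolean ones are
# turned off with "=no"; path-list ones are reset with an empty assignment.
NS_BOOL='PrivateTmp|PrivateDevices|PrivateMounts|ProtectSystem|ProtectHome|ProtectKernelTunables|ProtectKernelModules|ProtectControlGroups'
NS_LIST='ReadOnlyPaths|ReadWritePaths|InaccessiblePaths|BindPaths|BindReadOnlyPaths|TemporaryFileSystem'

# Print "Key=Value" for each namespace-triggering directive read from stdin.
# Leading whitespace is dropped; comment lines never match because of the "^".
list_ns_directives() {
    grep -E "^[[:space:]]*(${NS_BOOL}|${NS_LIST})=" | sed 's/^[[:space:]]*//'
}

# Print a drop-in fragment that neutralises every directive found on stdin.
make_dropin() {
    printf '[Service]\n'
    list_ns_directives | while IFS='=' read -r key _; do
        case "$key" in
            ReadOnlyPaths|ReadWritePaths|InaccessiblePaths|BindPaths|BindReadOnlyPaths|TemporaryFileSystem)
                printf '%s=\n' "$key" ;;   # empty assignment clears the list
            *)
                printf '%s=no\n' "$key" ;;
        esac
    done
}

# Directory for a drop-in that applies to the unit. For an instance such as
# openvpn-client@foo.service the drop-in goes under the template's
# openvpn-client@.service.d so it covers every instance.
dropin_dir() {
    unit=$1
    case "$unit" in
        *@*.*) unit="${unit%%@*}@.${unit##*.}" ;;
    esac
    printf '/etc/systemd/system/%s.d\n' "$unit"
}

# Constructed sample unit for the demonstration (not the real Debian file).
SAMPLE_UNIT='[Unit]
Description=OpenVPN tunnel for %I

[Service]
Type=notify
PrivateTmp=true
ProtectSystem=true
ProtectHome=true
ProtectKernelModules=true
ProtectKernelTunables=true
NoNewPrivileges=yes
ExecStart=/usr/sbin/openvpn --config %i.conf'

# Demonstration: show what would be written, and where.
echo "Drop-in for $(dropin_dir openvpn-client@apu__ssl_vpn_config.service)/no-namespace.conf:"
printf '%s\n' "$SAMPLE_UNIT" | make_dropin
```

On the failing container the real unit text comes from `systemctl cat openvpn-client@apu__ssl_vpn_config.service`; pipe it into `make_dropin`, write the result to `$(dropin_dir openvpn-client@apu__ssl_vpn_config.service)/no-namespace.conf`, then run `systemctl daemon-reload` and retry the service. If the failure persists with no namespace-triggering directive left in `systemctl cat` output, the cause lies outside the unit file rather than in its sandboxing options.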