I recently updated a Docker container that uses systemd internally from Debian stretch to Debian buster.
And since then it's not working.
So according to systemctl status it fails to set up the namespace:
Dec 10 14:22:11 f6f3e33e6bf2 systemd[1]: Starting OpenVPN tunnel for apu__ssl_vpn_config...
Dec 10 14:22:11 f6f3e33e6bf2 systemd[1736]: openvpn-client@apu__ssl_vpn_config.service: Failed to set up mount namespacing: Permission denied
Dec 10 14:22:11 f6f3e33e6bf2 systemd[1736]: openvpn-client@apu__ssl_vpn_config.service: Failed at step NAMESPACE spawning /usr/sbin/openvpn: Permission denied
Dec 10 14:22:11 f6f3e33e6bf2 systemd[1]: openvpn-client@apu__ssl_vpn_config.service: Main process exited, code=exited, status=226/NAMESPACE
Dec 10 14:22:11 f6f3e33e6bf2 systemd[1]: openvpn-client@apu__ssl_vpn_config.service: Failed with result 'exit-code'.
Dec 10 14:22:11 f6f3e33e6bf2 systemd[1]: Failed to start OpenVPN tunnel for apu__ssl_vpn_config.
Now I have had a similar issue with elasticsearch, which I fixed by adding a drop-in unit config containing:
[Service]
PrivateTmp=false
NoNewPrivileges=yes
Though sadly that doesn't fix the issue this time.
I also found this exact issue occurring when using LXC (or LXD?), though I don't know how to fix this with docker.
Additionally I start the container like this:
docker run -dt \
  --tmpfs /run --tmpfs /tmp \
  --volume /sys/fs/cgroup:/sys/fs/cgroup:ro \
  --device=/dev/net/tun \
  --cap-add SYS_ADMIN \
  --cap-add NET_ADMIN \
  <container>
Any pointers are much appreciated.
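Added example, not from the original post: a small POSIX shell helper that spots systemd's NAMESPACE failure in journal text and lists the sandboxing directives on a unit that make systemd build a private mount namespace at all (the directive list is taken from systemd.exec(5) and the sample inputs are constructed).

```shell
#!/bin/sh
# Diagnostic helper for a unit that dies with status=226/NAMESPACE inside
# a container. Feed it the text of `journalctl -u <unit>` and of
# `systemctl show <unit>`; it does not touch the system itself.

# Return 0 if the journal text carries systemd's mount-namespace failure.
namespace_failure() {
    printf '%s\n' "$1" | grep -Eq 'Failed to set up mount namespacing|status=226/NAMESPACE'
}

# Print the KEY=VALUE pairs from `systemctl show` output whose values
# (anything other than empty or "no") make systemd set up a private mount
# namespace. Assumption: this list, drawn from systemd.exec(5), covers
# the directives relevant to the unit at hand.
namespace_directives() {
    keys="PrivateTmp PrivateDevices PrivateMounts ProtectSystem ProtectHome"
    keys="$keys ProtectKernelTunables ProtectKernelModules ProtectControlGroups"
    keys="$keys ReadOnlyPaths ReadWritePaths InaccessiblePaths BindPaths"
    keys="$keys BindReadOnlyPaths TemporaryFileSystem MountFlags"
    printf '%s\n' "$1" | awk -v keys="$keys" '
        BEGIN { n = split(keys, k, " "); for (i = 1; i <= n; i++) want[k[i]] = 1 }
        {
            i = index($0, "=")
            if (i == 0) next
            key = substr($0, 1, i - 1); val = substr($0, i + 1)
            if ((key in want) && val != "" && val != "no") print key "=" val
        }'
}

# Constructed sample inputs (not real output from any system).
SAMPLE_JOURNAL='Dec 10 14:22:11 host systemd[1736]: x.service: Failed to set up mount namespacing: Permission denied
Dec 10 14:22:11 host systemd[1]: x.service: Main process exited, code=exited, status=226/NAMESPACE'
SAMPLE_SHOW='Id=x.service
PrivateTmp=no
PrivateDevices=yes
ProtectSystem=yes
ProtectHome=yes
ProtectKernelTunables=no
ReadOnlyPaths=
NoNewPrivileges=yes'

if namespace_failure "$SAMPLE_JOURNAL"; then
    echo "mount namespace failure found; directives that request one:"
    namespace_directives "$SAMPLE_SHOW"
fi
```

Every directive it prints is a candidate for a drop-in override, so you can see at a glance why turning off PrivateTmp alone was not enough for a unit that also sets ProtectSystem or ProtectHome.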