haugene / docker-transmission-openvpn

Docker container running Transmission torrent client with WebUI over an OpenVPN tunnel
GNU General Public License v3.0
4.14k stars, 1.21k forks

How to mount custom ovpn files using k8s…? #2555

Closed hedefalk closed 1 year ago

hedefalk commented 1 year ago

Docker run config used

I'm using k8s with a pretty bare-bones Helm chart, and this is my values.yaml, which would be very similar to the docker run command. I'm trying ProtonVPN but got auth issues using the out-of-the-box configuration. So I've downloaded their latest ovpn files and mounted them by ConfigMap into the container:

replicaCount: 1

env:
  # https://haugene.github.io/docker-transmission-openvpn/supported-providers/#using_a_local_single_ovpn_file_from_a_provider
  - name: OPENVPN_PROVIDER
    value: custom # VPN provider. List of supported providers: https://haugene.github.io/docker-transmission-openvpn/supported-providers/
  - name: OPENVPN_USERNAME
    valueFrom:
      secretKeyRef:
        name: "proton-vpn"
        key: "username"
  - name: OPENVPN_PASSWORD
    valueFrom:
      secretKeyRef:
        name: "proton-vpn"
        key: "password"
  # - name: OPENVPN_CONFIG
  #   value: us.protonvpn.net.tcp
    # https://github.com/haugene/vpn-configs-contrib/blob/main/openvpn/protonvpn
  - name: LOCAL_NETWORK
    value: "192.168.0.0/24"
  - name: TRANSMISSION_PEER_PORT
    value: "47444"
  - name: TRANSMISSION_DOWNLOAD_DIR
    value: "/downloads/transmission"

service:
  type: ClusterIP
  port: 80

volumes:
  - name: "video-media"
    persistentVolumeClaim:
      claimName: "video-media" # PersistentVolumeClaim created earlier
  - name: openvpn-config
    configMap:
      name: proton-vpn-free 
      defaultMode: 0777
  - name: config
    persistentVolumeClaim:
      claimName: transmission-config
  - name: transmission-vpn-config
    persistentVolumeClaim:
      claimName: transmission-vpn-config

volumeMounts:
  - name: "video-media"
    mountPath: "/downloads/transmission"
    subPath: "downloads/transmission" # Path /mnt/ssd/media/downloads/transmission where transmission downloads Torrents
  - name: openvpn-config # Mount our config map as the default file. Remove OPENVPN_CONFIG to use default.
    mountPath: /etc/openvpn/custom/default.ovpn
    subPath: nl-free-157.protonvpn.net.udp.ovpn
    readOnly: false
  - name: config
    mountPath: /config

securityContext:
  capabilities:
    add:
      - NET_ADMIN

Current Behavior

Startup fails when trying to do edits in /etc/openvpn/custom/default.ovpn which I cannot seem to mount writable.

If I look in the container, the file is mounted just fine:

root@transmission-transmission-openvpn-b59b96bbb-phd4z:/# cd /etc/openvpn/custom/
root@transmission-transmission-openvpn-b59b96bbb-phd4z:/etc/openvpn/custom# ls -lFa
total 20
drwxr-xr-x  2 root root 4096 Mar 16 15:06 ./
drwxr-xr-x 10 root root 4096 Mar 16 15:06 ../
-rw-r--r--  1 root root  360 Nov 16 21:08 config-failure.sh
-rwxrwxrwx  1 root root 5059 Mar 16 15:06 default.ovpn*
root@transmission-transmission-openvpn-b59b96bbb-phd4z:/etc/openvpn/custom# echo "foo" > bar
root@transmission-transmission-openvpn-b59b96bbb-phd4z:/etc/openvpn/custom# ls -lFa
total 24
drwxr-xr-x  2 root root 4096 Mar 16 15:07 ./
drwxr-xr-x 10 root root 4096 Mar 16 15:06 ../
-rw-r--r--  1 root root    4 Mar 16 15:07 bar
-rw-r--r--  1 root root  360 Nov 16 21:08 config-failure.sh
-rwxrwxrwx  1 root root 5059 Mar 16 15:06 default.ovpn*

the only thing I cannot do is edit the mounted file:

root@transmission-transmission-openvpn-b59b96bbb-phd4z:/etc/openvpn/custom# echo foo > default.ovpn 
bash: default.ovpn: Read-only file system

which seems to align with the errors in the log. But wasn't that supposed to be ok, to mount an external read-only config?

Expected Behavior

I didn't expect the need to edit the config file in place according to the example here:

https://haugene.github.io/docker-transmission-openvpn/supported-providers/#if_you_only_need_to_mount_one_file

How have you tried to solve the problem?

1) I've tried coming up with a solution using initContainers to copy from a mounted read-only ConfigMap onto another volume that could then be mounted in the container, but it doesn't seem like it will work with the existing container folder structure of a /etc/openvpn/custom already containing a file (config-failure.sh) and then I need to add another file (default.ovpn) that is writable.

Log output

Starting container with revision: b33d0fe4c938259a0d4eb844e55468f387456121
Creating TUN device /dev/net/tun
Using OpenVPN provider: CUSTOM
Modifying /etc/openvpn/custom/default.ovpn for best behaviour in this container
Modification: Point auth-user-pass option to the username/password file
sed: cannot rename /etc/openvpn/custom/sedfWNOpw: Device or resource busy
Modification: Change ca certificate path
sed: cannot rename /etc/openvpn/custom/sedCeJit4: Device or resource busy
Modification: Change ping options
sed: cannot rename /etc/openvpn/custom/sedalGuVy: Device or resource busy
sed: cannot rename /etc/openvpn/custom/sedmVgD8z: Device or resource busy
sed: cannot rename /etc/openvpn/custom/sediiyIDs: Device or resource busy
sed: cannot rename /etc/openvpn/custom/sedOozWaz: Device or resource busy
/etc/openvpn/modify-openvpn-config.sh: line 55: /etc/openvpn/custom/default.ovpn: Read-only file system
/etc/openvpn/modify-openvpn-config.sh: line 56: /etc/openvpn/custom/default.ovpn: Read-only file system
/etc/openvpn/modify-openvpn-config.sh: line 57: /etc/openvpn/custom/default.ovpn: Read-only file system
Modification: Update/set resolv-retry to 15 seconds
sed: cannot rename /etc/openvpn/custom/sedw7cXJv: Device or resource busy
sed: cannot rename /etc/openvpn/custom/sed67ht1q: Device or resource busy
/etc/openvpn/modify-openvpn-config.sh: line 69: /etc/openvpn/custom/default.ovpn: Read-only file system
Modification: Change tls-crypt keyfile path
sed: cannot rename /etc/openvpn/custom/sedEtrOTW: Device or resource busy
Modification: Set output verbosity to 3
sed: cannot rename /etc/openvpn/custom/sedwje0hq: Device or resource busy
sed: cannot rename /etc/openvpn/custom/sedh20PL0: Device or resource busy
/etc/openvpn/modify-openvpn-config.sh: line 91: /etc/openvpn/custom/default.ovpn: Read-only file system
Modification: Remap SIGUSR1 signal to SIGTERM, avoid OpenVPN restart loop
sed: cannot rename /etc/openvpn/custom/sedBOENoG: Device or resource busy
sed: cannot rename /etc/openvpn/custom/sedPQCIhQ: Device or resource busy
/etc/openvpn/modify-openvpn-config.sh: line 103: /etc/openvpn/custom/default.ovpn: Read-only file system
Modification: Updating status for config failure detection
sed: cannot rename /etc/openvpn/custom/sedGIrMQL: Device or resource busy
sed: cannot rename /etc/openvpn/custom/sedhS3B0D: Device or resource busy
/etc/openvpn/modify-openvpn-config.sh: line 123: /etc/openvpn/custom/default.ovpn: Read-only file system
Setting OpenVPN credentials...
adding route to local network 192.168.0.0/24 via 10.42.0.1 dev eth0
2023-03-16 14:57:09 DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'AES-256-CBC' to --data-ciphers or change --cipher 'AES-256-CBC' to --data-ciphers-fallback 'AES-256-CBC' to silence this warning.
2023-03-16 14:57:09 OpenVPN 2.5.5 aarch64-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Jul 14 2022
2023-03-16 14:57:09 library versions: OpenSSL 3.0.2 15 Mar 2022, LZO 2.10
2023-03-16 14:57:09 neither stdin nor stderr are a tty device and you have neither a controlling tty nor systemd - can't ask for 'Enter Auth Username:'.  If you used --daemon, you need to use --askpass to make passphrase-protected keys work, and you can not use --auth-nocache.
2023-03-16 14:57:09 Exiting due to fatal error

HW/SW Environment

- OS: raspbian 64-bit -> k3s

Anything else?

No response

hedefalk commented 1 year ago

Now I've gone through an initContainer and copied over only this single file in rw mode, and I can both edit the file and create other files as root in the container:

root@transmission-transmission-openvpn-6ddd5d88b-vxlbf:/etc/openvpn/custom# echo "#" > default.ovpn 
root@transmission-transmission-openvpn-6ddd5d88b-vxlbf:/etc/openvpn/custom# tail default.ovpn 
#
root@transmission-transmission-openvpn-6ddd5d88b-vxlbf:/etc/openvpn/custom# echo foo > bar
root@transmission-transmission-openvpn-6ddd5d88b-vxlbf:/etc/openvpn/custom# ls -l
total 13
-rw-r--r-- 1 root root    4 Mar 16 19:02 bar
-rw-r--r-- 1 root root  360 Nov 16 21:08 config-failure.sh
-rwxr-xr-x 1 root root 5059 Mar 16 19:00 default.ovpn

but the sed script still fails with "Device or resource busy":

Defaulted container "transmission-openvpn" out of: transmission-openvpn, copy-config (init)
Starting container with revision: b33d0fe4c938259a0d4eb844e55468f387456121
Creating TUN device /dev/net/tun
Using OpenVPN provider: CUSTOM
Modifying /etc/openvpn/custom/default.ovpn for best behaviour in this container
Modification: Point auth-user-pass option to the username/password file
Modification: Change ca certificate path
sed: cannot rename /etc/openvpn/custom/sedder7I7: Device or resource busy
sed: cannot rename /etc/openvpn/custom/sedroPZvZ: Device or resource busy
Modification: Change ping options
sed: cannot rename /etc/openvpn/custom/sedf46Cyq: Device or resource busy
sed: cannot rename /etc/openvpn/custom/sedZ55wGr: Device or resource busy
sed: cannot rename /etc/openvpn/custom/sedKGdT1H: Device or resource busy
sed: cannot rename /etc/openvpn/custom/sed5Qtw2k: Device or resource busy
Modification: Update/set resolv-retry to 15 seconds
sed: cannot rename /etc/openvpn/custom/sedDtSyF0: Device or resource busy
sed: cannot rename /etc/openvpn/custom/sedfvpNtD: Device or resource busy
Modification: Change tls-crypt keyfile path
sed: cannot rename /etc/openvpn/custom/sedg9piAL: Device or resource busy
Modification: Set output verbosity to 3
sed: cannot rename /etc/openvpn/custom/sedeWKJGp: Device or resource busy
sed: cannot rename /etc/openvpn/custom/sedICjECq: Device or resource busy
Modification: Remap SIGUSR1 signal to SIGTERM, avoid OpenVPN restart loop
sed: cannot rename /etc/openvpn/custom/sed4rnHXB: Device or resource busy
sed: cannot rename /etc/openvpn/custom/sedZDovPN: Device or resource busy
Modification: Updating status for config failure detection
sed: cannot rename /etc/openvpn/custom/sedeSfbU3: Device or resource busy
sed: cannot rename /etc/openvpn/custom/sed6SmIli: Device or resource busy
Setting OpenVPN credentials...
adding route to local network 192.168.0.0/24 via 10.42.0.1 dev eth0
2023-03-16 18:58:59 DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'AES-256-CBC' to --data-ciphers or change --cipher 'AES-256-CBC' to --data-ciphers-fallback 'AES-256-CBC' to silence this warning.
2023-03-16 18:58:59 OpenVPN 2.5.5 aarch64-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Jul 14 2022
2023-03-16 18:58:59 library versions: OpenSSL 3.0.2 15 Mar 2022, LZO 2.10
2023-03-16 18:58:59 neither stdin nor stderr are a tty device and you have neither a controlling tty nor systemd - can't ask for 'Enter Auth Username:'.  If you used --daemon, you need to use --askpass to make passphrase-protected keys work, and you can not use --auth-nocache.
2023-03-16 18:58:59 Exiting due to fatal error

pkishino commented 1 year ago

please try dev branch

#2426

hedefalk commented 1 year ago

@pkishino In the end I got it working by simply mounting the full directory of files and then selecting with OPENVPN_CONFIG instead. For some reason I could not make it work by mounting a single file at default.ovpn - the sed script complaining on resource busy on the file system next to that file (even though I can manually write files just fine in the container as root)

I don't see how that PR actually solves anything for mounting a single file other than failing fast?

ERROR: You're mounting a openvpn config directly, dont't do this it causes issues (see #2274). Mount the directory where the config is instead.

https://github.com/haugene/docker-transmission-openvpn/pull/2426#issuecomment-1336015983

pkishino commented 1 year ago

Yes, one cannot edit directly mounted files like that due to Linux limitations etc., so the PR fails fast by mentioning this limitation. If you disable the modification script then you can use a single file, as it will only read. Documentation needs some improvement here.

hedefalk commented 1 year ago

If you disable the modification script then you can use a single file as it will only read..

I figured as much, but it needs to be edited for injecting password and such, right? Pre-editing didn't seem like a good way to me.

Anyway, I could work around just fine. Thanks!

I'll close as this seems like a known issue.
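Added example, not from the thread or the project: a pod template that applies the layout hedefalk reported working (mount the whole directory of .ovpn files and select one with OPENVPN_CONFIG) and that avoids both failure modes seen in the logs. A ConfigMap volume is always read-only, so the `readOnly: false` in the original values.yaml has no effect; and a `subPath` mount is a bind mount of a single file, so the startup script's `sed -i`, which writes a temp file and renames it over the target, fails with "Device or resource busy" even when the file itself is writable. The initContainer below copies the ConfigMap into a writable emptyDir, which is then mounted as a directory. Assumed and not taken from the page: the image tag, the busybox helper image, the `copy-config` command, and the labels; the ConfigMap name, Secret name, file key, PVC name and environment variables are the ones from the issue.

```yaml
# Added example (not the issue's own values.yaml and not project code).
# Assumes ConfigMap "proton-vpn-free" holds the .ovpn files and Secret
# "proton-vpn" holds the credentials, as in the issue.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: transmission-openvpn
spec:
  replicas: 1
  selector:
    matchLabels:
      app: transmission-openvpn
  template:
    metadata:
      labels:
        app: transmission-openvpn
    spec:
      # Copy the read-only ConfigMap into a writable emptyDir. The startup
      # script edits the chosen .ovpn in place with sed -i (temp file + rename),
      # so the config must live in a writable directory, not in a read-only
      # volume and not behind a single-file subPath mount.
      initContainers:
        - name: copy-config
          image: busybox:1.36            # assumption: any image with sh and cp works
          command: ["sh", "-c", "cp /src/*.ovpn /dst/ && chmod 0600 /dst/*.ovpn"]
          volumeMounts:
            - name: ovpn-source
              mountPath: /src
              readOnly: true
            - name: ovpn-writable
              mountPath: /dst
      containers:
        - name: transmission-openvpn
          image: haugene/transmission-openvpn   # pin a release tag; the issue does not state one
          env:
            - name: OPENVPN_PROVIDER
              value: custom
            # Select the file by name (without the .ovpn extension) instead of
            # mounting it over /etc/openvpn/custom/default.ovpn.
            - name: OPENVPN_CONFIG
              value: nl-free-157.protonvpn.net.udp
            - name: OPENVPN_USERNAME
              valueFrom:
                secretKeyRef:
                  name: proton-vpn
                  key: username
            - name: OPENVPN_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: proton-vpn
                  key: password
            - name: LOCAL_NETWORK
              value: "192.168.0.0/24"
            - name: TRANSMISSION_PEER_PORT
              value: "47444"
          volumeMounts:
            - name: ovpn-writable
              mountPath: /etc/openvpn/custom    # directory mount, no subPath
            - name: config
              mountPath: /config
          securityContext:
            capabilities:
              add: ["NET_ADMIN"]
      volumes:
        - name: ovpn-source
          configMap:
            name: proton-vpn-free
            defaultMode: 0444    # read-only anyway; 0777 from the original buys nothing
        - name: ovpn-writable
          emptyDir: {}
        - name: config
          persistentVolumeClaim:
            claimName: transmission-config
```

Two caveats a practitioner should check before relying on this. Mounting a directory at /etc/openvpn/custom shadows whatever the image ships there (the listing earlier in the thread shows a config-failure.sh in that directory); the thread does not say whether the startup script depends on that file, so confirm the container connects after the change. And because the emptyDir is repopulated from the ConfigMap on every pod start, the script's modifications never accumulate, which is the behaviour you want; a single-file `subPath` mount, by contrast, also does not pick up later ConfigMap updates until the pod is recreated.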