Network lock in lxc container

[r34lity23 0]

After some trouble I have managed to get bluetit working inside a proxmox lxc container. However enabling network lock results in the following issue:

Sep 17 17:47:04 VPNGateway1 bluetit[998]: External network is reachable via gateway 192.168.1.254 through interface eth0
Sep 17 17:47:04 VPNGateway1 bluetit[998]: Successfully connected to D-Bus
Sep 17 17:47:04 VPNGateway1 bluetit[998]: Reading run control directives from file /etc/airvpn/bluetit.rc
Sep 17 17:47:04 VPNGateway1 bluetit[998]: IPv6 is available in this system
Sep 17 17:47:04 VPNGateway1 bluetit[998]: WARNING: networklockpersist directive found in /etc/airvpn/bluetit.rc. networklock directive is ignored.
Sep 17 17:47:04 VPNGateway1 bluetit[998]: Bluetit successfully initialized and ready
Sep 17 17:47:04 VPNGateway1 systemd[1]: Started AirVPN Bluetit Daemon.
Sep 17 17:47:04 VPNGateway1 bluetit[998]: Enabling persistent network filter and lock
Sep 17 17:47:04 VPNGateway1 systemd[1]: bluetit.service: Main process exited, code=killed, status=11/SEGV
Sep 17 17:47:04 VPNGateway1 systemd[1]: bluetit.service: Failed with result 'signal'.

Any advice on how to troubleshoot this would be great.

Thanks

[OpenSourcerer 1359]

Bluetit tried to access a part of memory which doesn't belong to it (SEGV = segmentation fault). I think LXC's sandboxing is the cause. Maybe that Bluetit container is not permitted to execute iptables and nf_tables modules of the host, or execute iptables/nft? Is there something like a permission system in Proxmox?

[r34lity23 0]

Thanks a lot for your reply.

Yeah I was thinking something along those lines, however I am able to update iptables manually. Both I and Bluetit are running as root so I would have thought it should work.

[OpenSourcerer 1359]

Yeah, I don't know how to trace the execution of Bluetit and point a finger at possible actions. Can you start Bluetit manually with the root user and try again? As in, execute Bluetit in the terminal. In a second terminal you can then try to connect again.

[r34lity23 0]

On 9/18/2021 at 7:23 PM, OpenSourcerer said:

Yeah, I don't know how to trace the execution of Bluetit and point a finger at possible actions.

Yeah that's pretty much where I am too, I wish I could get a more verbose output to find out exactly what is going on. With my latest testing it does definitely seem to be some sort of permissions issue with updating the firewall as I have now also tried in a debian system with nftables and the error is exactly the same.

[OpenSourcerer 1359]

As a layman's idea, two things come into mind. gdb, the GNU debugger for C and probably C++ programs, and strace, a system call trace tool. Both are complicated to my eye, but maybe they can help one pinpoint where it goes haywire. Maybe LXC does have a similar thingy helping one notice what makes a program be killed in a container.
Apart from that, I will stop my inputs from coming. Have nothing clever to write, anyway Try asking in LXC communities, too, and good luck!

[r34lity23 0]

No worries, thanks for your help! I have opened a support ticket and I will make sure to update this thread if I manage to get it resolved.