openvpn クライアントを起動し、dhclient tap0IP アドレスを取得するために実行すると、すべて正常に動作します。
同じコマンドがスクリプトから openvpn によって呼び出される場合 (upオプション):
#!/bin/sh
/sbin/dhclient tap0 || exit 1
exit 0
失敗します:
dhclient[30524]: Sending on LPF/tap0/aa:aa:aa:12:23:e9
dhclient[30524]: Can't bind to dhcp address: Permission denied
dhclient[30524]: Please make sure there is no other dhcp server
dhclient[30524]: running and that there's no entry for dhcp or
dhclient[30524]: bootp in /etc/inetd.conf. Also make sure you
dhclient[30524]: are not running HP JetAdmin software, which
openvpn[30517]: WARNING: Failed running command (--up/--down): external program exited with error status: 1
openvpn[30517]: Exiting due to fatal error
dhclient[30524]: includes a bootp server.
dhclient[30524]:
dhclient[30524]: If you think you have received this message due to a bug rather
dhclient[30524]: than a configuration issue please read the section on submitting
dhclient[30524]: bugs on either our web page at www.isc.org or in the README file
dhclient[30524]: before submitting a bug. These pages explain the proper
dhclient[30524]: process and the information we find helpful for debugging..
dhclient[30524]:
dhclient[30524]: exiting.
systemd[1]: openvpn-client.service: Main process exited, code=exited, status=1/FAILURE
すべてが root として実行されるため、権限の問題は発生しないはずです。
答え1
スクリプトに「sudo」を入れて、openvpn を実行しているユーザーに対してパスワードなしで sudoers からの dhclient を許可してみてください。
また、conf で「script-security 2」を指定しましたか?
--script-security level [method]
This directive offers policy-level control over OpenVPN’s usage
of external programs and scripts. Lower level values are more
restrictive, higher values are more permissive. Settings for
level:
0 -- Strictly no calling of external programs.
1 -- (Default) Only call built-in executables such as ifconfig,
ip, route, or netsh.
2 -- Allow calling of built-in executables and user-defined
scripts.
3 -- Allow passwords to be passed to scripts via environmental
variables (potentially unsafe).`