-
Notifications
You must be signed in to change notification settings - Fork 152
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Running OpenVPN 3 Linux inside a container #86
Comments
I have created an openvpn-connector docker container for easy deployment of OpenVPN Cloud Connectors. I could perhaps help in this. https://github.com/RafayAK/openvpn-cloud-connector |
To be honest, I don't see the point of using containers when they must run with You get at least the same level of security running OpenVPN 3 Linux outside the container out of the box, and in particular if you're on a system with SELinux. A Dockerized solution for OpenVPN makes only sense when the container can run unprivileged and still be able to establish a connection and setup the networking accordingly. Clearly, there need to be some parts running with |
hmm? I think I can run my container unprivileged. Can't really recall why I made it Also, my use-case (deployment at client locations) benefits from a containerized OpenVPN stack, which makes stuff a whole lot simpler. |
I'll get back to you after I deploy an unprivileged container on a test machine. |
You need |
Yeah, but I'm doing nothing on the host, I haven't passed |
You're right my implementation will not work without the |
I created an alpine/musl based docker container https://github.com/RaphMad/openvpn3_linux_docker, along with a sample Needing to run as root and requiring Some observations:
In theory, having the
A second pain point is dbus itself - the current services seem very tailored to being run on a privileged system dbus, which is hard to accomplish within an unprivileged container, potentially as non-root. I'm simply lacking dbus knowledge here, but I think again that it should be possible to run it containerized without the need for broad permissions. |
In theory, it should be possible to check if AFAIK, you can't tell the D-Bus daemon to auto-start a process with certain privileges. But it is possible to start Now, I'm not quite yet convinced that alone will be enough. And the container anyhow runs with somewhat elevated privileges as well. I want to avoid even that. So I'm wondering if there's a possibility to have the |
Wouldn't running netcfg on the host always create the A "part inside / part outside container" solution seems like it would defeat some core containerization principles, like host-independent deployments etc. I think if the goal is getting VPN access on a host machine, a containerized solution gives little benefit in general because the "holes to punch" would be pretty substantial and in a way equivalent to each other with any solution (either joining the host network and getting privileges/capabilities to modify the host, or mounting the hosts dbus socket and weakening apparmor rules so they allow to communicate with a privileged netcfg host service). |
One of the weirder things when trying to minimize capabilities for my docker container is that
This seems at odds with most documentation I could find (Link1, Link2, which usually seems to claim that Without that starting point its kind of hard even beginning to trim down permissions... |
I see your point, @RaphMad. But in the moment you start doing networking with containers, the container needs access to a network outside the container itself. Network namespaces helps separating them from each other, and allows containers to both have their own independent cross-container network as well as accessing "the world" from within the container. My take is that So |
I don't know much about apparmor (I'm more of an SELinux person). If we start simple with |
I understand your points, and already got some experience with mounting the dbus socket into containers. The challenge for that use-case would be to create an apparmor profile thats not completely unconfined, but would just allow communication with netcfg (ideally even down to the messages exchanged). Being able to speciy the network namespace would be a great feature, the only thing I'm debating is the that solution not being host-agnostic (swarm, kubernetes, etc...). |
This is just a tracking ticket, split out of issue #50 , to track the possibility and requirements needed to run OpenVPN 3 Linux inside a container.
There are several challenges here, depending on how high we set the bar in regards to isolation and privilege access. Most of the
openvpn3-service-*
process runs with basically no privileges. The exception isopenvpn3-service-netcfg
(akanetcfg
- net config).The
netcfg
service requires privileges to change the network configuration (adding/removing virtual interfaces, configuring IP addresses, routing - requiresCAP_NET_ADMIN
). In additionnetcfg
will also either need file access to read and manipulate/etc/resolv.conf
or interact withsystemd-resolved
over D-Bus. Manipulatingresolv.conf
addsCAP_DAC_OVERRIDE
. If it is attempted to use--redirect-method bind-device
,CAP_NET_RAW
is also required.All of these capabilities above will currently require the container to be given more privileges as well. As a first step, it might be acceptable to give fairly broad capabilities and privileges on the system, but ideally this should be restricted as much as possible to stay inside the container only.
The text was updated successfully, but these errors were encountered: