I don't see any reason for a proxy.  This is a VPN _client_, not a VPN
server.

The pod is a construct of multiple containers which share namespaces
(apropos here, the same network namespace).  This means that you can have
one (potentially reusable and independently maintained) container for vpnc
and another for whatever application is consuming the VPN connection.  They
would be independent of each other except that they would share the same
network namespace.  Since the function of the VPN is to configure a VPN
interface and route over that VPN, all of which reside in the network
namespace, as long as the network namespaces are the same, they can operate
independently.

Still, it sounds as if you are just beginning, so all of that may be too
steep a challenge when getting started.  Take a look at the rkt pod blog
post, though, and gauge its comparative complexity with that of maintaining
a compounded single container.

rkt pods blog post: https://coreos.com/blog/announcing-rkt-0.5/



On Fri, Jul 8, 2016 at 2:04 PM Derek Mahar <[email protected]> wrote:

> Wouldn't I still have to configure a network proxy on the vpn client
> container or some routing tables on the application container?  By 'rkt
> pod' do you mean run the containers using 'rkt run'?
>
>
> On Friday, 8 July 2016 12:55:27 UTC-4, Seán McCord wrote:
>
>> That sounds very reasonable.  I would lead you, in that case, toward
>> using a rkt pod, so that the vpn client and the user of the VPN can run as
>> separate containers within the same network namespace, which should make
>> management of those containers simpler.
>>
>>
>>
>> On Fri, Jul 8, 2016 at 11:46 AM Derek Mahar <[email protected]> wrote:
>>
>>> On second thought, it should be easier simply to bundle the application
>>> that must communicate with the VPN and vpnc in the same container.  It will
>>> be nice to isolate the VPN client inside the container of the only application
>>> that must communicate over the VPN instead of running the VPN client in the
>>> host.
>>>
>>>
>>> On Friday, 8 July 2016 11:41:01 UTC-4, Derek Mahar wrote:
>>>>
>>>> I managed to run vpnc in a privileged Docker container.  Now I need to
>>>> figure out how to configure the container network so that one of the
>>>> application containers uses the VPN container as a gateway to the VPN.
>>>>
>>>> On Friday, 8 July 2016 09:29:33 UTC-4, Derek Mahar wrote:
>>>>>
>>>>> On Thursday, 7 July 2016 18:51:53 UTC-4, Nick Owens wrote:
>>>>>>
>>>>>> On 07/07/2016 03:26 PM, Derek Mahar wrote:
>>>>>> > How could I build and run vpnc <https://www.unix-ag.uni-kl.de/~massar/vpnc/> on
>>>>>> > CoreOS?  Could I build it on Ubuntu and then install the binary on CoreOS?
>>>>>>
>>>>>> is there any reason you can't run it in a rkt or docker container?
>>>>>>
>>>>>
>>>>> I've tried running it in a container, but couldn't get it to start,
>>>>> probably because I didn't run it as a privileged container, as Sean McCord
>>>>> suggested.  Assuming that I can run it inside its own container, I'd then
>>>>> have to figure out how to configure the container network so that the
>>>>> application containers use the VPN container as a VPN gateway.  I have only
>>>>> basic experience with Linux networking, so I'd have to do some research in
>>>>> order to solve this problem.
>>>>>
>>>>>
>>>>>
>>>>>>
>>>>>> if you really cannot, then the binary should be statically linked.
>>>>>> dynamically linked binaries from other systems either will not work
>>>>>> because of missing libraries, or will potentially crash at runtime due
>>>>>> to ABI problems, so it's not a very good idea.
>>>>>>
>>>>>
>>>>> Yes, this is what I thought, too.  However, according to Sean, it
>>>>> seems that the vpnc binary uses only libraries which are present in CoreOS,
>>>>> so it should run even without static linking.
>>>>>
>>>>> Derek
>>>>>
>>>> --
>> Seán C McCord
>> CyCore Systems, Inc
>> +1 888 240 0308
>> PGP/GPG: http://cycoresys.com/scm.asc
>>
> --
Seán C McCord
CyCore Systems, Inc
+1 888 240 0308
PGP/GPG: http://cycoresys.com/scm.asc
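
Added example, not part of the original thread: a check that the vpnc container and the application container really do share one network namespace, and that the application's default route leaves through the VPN interface rather than the pod's ordinary interface. The function names, the interface name `tun0`, and a full-tunnel vpnc configuration (default route via the VPN) are assumptions; the route table embedded in the code is a constructed sample.

```python
import os
import sys

RTF_UP = 0x0001  # route is usable (flag value from <linux/route.h>)

# Constructed sample in /proc/net/route format: default route on tun0,
# plus the pod's local subnet (172.16.0.0/16) on eth0.
SAMPLE_ROUTES = (
    "Iface\tDestination\tGateway\tFlags\tRefCnt\tUse\tMetric\tMask\tMTU\tWindow\tIRTT\n"
    "tun0\t00000000\t00000000\t0001\t0\t0\t0\t00000000\t0\t0\t0\n"
    "eth0\t000010AC\t00000000\t0001\t0\t0\t0\t0000FFFF\t0\t0\t0\n"
)

def netns_id(pid):
    """Network-namespace identity of a process, e.g. 'net:[4026531992]'."""
    return os.readlink(f"/proc/{pid}/ns/net")

def same_netns(pid_a, pid_b):
    """True when both processes see the same interfaces and routes."""
    return netns_id(pid_a) == netns_id(pid_b)

def default_route_ifaces(route_text):
    """Interfaces that carry an active default route (0.0.0.0/0)."""
    ifaces = []
    for line in route_text.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 8:
            continue
        iface, dest, flags, mask = fields[0], fields[1], int(fields[3], 16), fields[7]
        if dest == "00000000" and mask == "00000000" and flags & RTF_UP:
            ifaces.append(iface)
    return ifaces

def vpn_carries_default(route_text, vpn_iface="tun0"):
    """True only if a default route exists and every one uses the VPN interface."""
    ifaces = default_route_ifaces(route_text)
    return bool(ifaces) and all(i == vpn_iface for i in ifaces)

if __name__ == "__main__":
    if len(sys.argv) == 3:  # usage: script VPNC_PID APP_PID (run as root on the host)
        vpn_pid, app_pid = sys.argv[1], sys.argv[2]
        with open(f"/proc/{app_pid}/net/route") as fh:
            routes = fh.read()
        print("same network namespace:", same_netns(vpn_pid, app_pid))
        print("default route via tun0:", vpn_carries_default(routes))
    else:
        print("sample default via tun0:", vpn_carries_default(SAMPLE_ROUTES))
```

If the first check passes but the second fails, the application is in the right namespace while its traffic is still leaving outside the tunnel.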
