Thank you for your suggestions.  I'm very new to CoreOS and rkt, but less 
new to Docker which I've been using in development for about three or four 
months.  The reason I'm turning to CoreOS and rkt is because Docker Engine 
still doesn't work well with systemd, and CoreOS is much leaner than Ubuntu 
Server.  The only obstacle holding me back from adopting CoreOS has been 
the need for the VPN client (vpnc).

On Friday, 8 July 2016 14:17:15 UTC-4, Seán McCord wrote:
>
> I don't see any reason for a proxy.  This is a VPN _client_, not a VPN 
> server.
>
> The pod is a construct of multiple containers which share namespaces 
> (apropos here, the same network namespace).  This means that you can have 
> one (potentially reusable and independently maintained) container for vpnc 
> and another for whatever application is consuming the VPN connection.  They 
> would be independent of each other except that they would share the same 
> network namespace.  Since the function of the VPN is to configure a VPN 
> interface and route over that VPN, all of which reside in the network 
> namespace, as long as the network namespaces are the same, they can operate 
> independently.
>
> Still, it sounds as if you are just beginning, so all of that may be too 
> steep a challenge when getting started.  Take a look at the rkt pod blog 
> post, though, and gauge its comparative complexity with that of maintaining 
> a compounded single container.
>
> rkt pods blog post: https://coreos.com/blog/announcing-rkt-0.5/
>
>
>
> On Fri, Jul 8, 2016 at 2:04 PM Derek Mahar <[email protected]> wrote:
>
>> Wouldn't I still have to configure a network proxy on the vpn client 
>> container or some routing tables on the application container?  By 'rkt 
>> pod' do you mean run the containers using 'rkt run'?
>>
>>
>> On Friday, 8 July 2016 12:55:27 UTC-4, Seán McCord wrote:
>>
>>> That sounds very reasonable.  I would lead you, in that case, toward 
>>> using a rkt pod, so that the vpn client and the user of the VPN can run as 
>>> separate containers within the same network namespace, which should make 
>>> management of those containers simpler.
>>>
>>>
>>>
>>> On Fri, Jul 8, 2016 at 11:46 AM Derek Mahar <[email protected]> wrote:
>>>
>>>> On second thought, it should be easier simply to bundle the application 
>>>> that must communicate with the VPN and vpnc in the same container.  It 
>>>> will be nice to isolate the VPN client inside the container of the only 
>>>> application that must communicate over the VPN instead of running the 
>>>> VPN client in the host.
>>>>
>>>>
>>>> On Friday, 8 July 2016 11:41:01 UTC-4, Derek Mahar wrote:
>>>>>
>>>>> I managed to run vpnc in a privileged Docker container.  Now I need to 
>>>>> figure out how to configure the container network so that one of the 
>>>>> application containers uses the VPN container as a gateway to the VPN.
>>>>>
>>>>> On Friday, 8 July 2016 09:29:33 UTC-4, Derek Mahar wrote:
>>>>>>
>>>>>> On Thursday, 7 July 2016 18:51:53 UTC-4, Nick Owens wrote:
>>>>>>>
>>>>>>> On 07/07/2016 03:26 PM, Derek Mahar wrote: 
>>>>>>> > How could I build and run vpnc <https://www.unix-ag.uni-kl.de/~massar/vpnc/> on 
>>>>>>> > CoreOS?  Could I build it on Ubuntu and then install the binary on CoreOS? 
>>>>>>>
>>>>>>> is there any reason you can't run it in a rkt or docker container?
>>>>>>>
>>>>>>
>>>>>> I've tried running it in a container, but couldn't get it to start, 
>>>>>> probably because I didn't run it as a privileged container, as Sean 
>>>>>> McCord suggested.  Assuming that I can run it inside its own container, 
>>>>>> I'd then have to figure out how to configure the container network so 
>>>>>> that the application containers use the VPN container as a VPN gateway.  
>>>>>> I have only basic experience with Linux networking, so I'd have to do 
>>>>>> some research in order to solve this problem.
>>>>>>
>>>>>>  
>>>>>>
>>>>>>>
>>>>>>> if you really cannot, then the binary should be statically linked. 
>>>>>>> dynamically linked binaries from other systems either will not work 
>>>>>>> because of missing libraries, or will potentially crash at runtime due 
>>>>>>> to ABI problems, so it's not a very good idea.
>>>>>>>
>>>>>>
>>>>>> Yes, this is what I thought, too.  However, according to Sean, it 
>>>>>> seems that the vpnc binary uses only libraries which are present in 
>>>>>> CoreOS, so it should run even without static linking.
>>>>>>  
>>>>>> Derek
>>>>>>
>>>>> -- 
>>> Seán C McCord
>>> CyCore Systems, Inc
>>> +1 888 240 0308
>>> PGP/GPG: http://cycoresys.com/scm.asc
>>>
>> -- 
> Seán C McCord
> CyCore Systems, Inc
> +1 888 240 0308
> PGP/GPG: http://cycoresys.com/scm.asc
>
