On Thursday, 21 July 2016 09:09:58 UTC-4, Alban Crequy wrote:
> On Thu, Jul 21, 2016 at 1:11 AM, Derek Mahar <[email protected]> wrote:
> > How can I run a privileged container using rkt?
>
> There is no global "--privileged" flag in rkt, although there was some
> discussion about it:
> https://github.com/coreos/rkt/issues/2158#issuecomment-233603912
>
> It depends what kind of privileges you want for your container. What
> are you trying to achieve?

I'm trying to run vpnc, a Cisco VPN client, in a container along with the Java application that uses the VPN. Sean explained in an earlier message that the container must run in privileged mode in order to create tun/tap devices. I managed to run the client in a Docker container, but would prefer to do the same in an rkt container so that I can run both vpnc and the Java application in the same pod. The Java application will also have to connect to an ActiveMQ broker running on another node, but this node is outside the VPN.

> You can relax the isolation in several ways:
>
> - give more capabilities:
>   https://github.com/coreos/rkt/blob/master/Documentation/capabilities-guide.md
>   (and more soon with https://github.com/coreos/rkt/pull/2917)

How do these capabilities apply to rkt containers running Docker images? I've installed vpnc in an Ubuntu Docker image, but with some effort I think I could repackage it as an ACI. Would this mean that I'd have to repackage all of my images as ACIs, or can rkt mix and match Docker images and ACIs in a pod?

> - run in the namespaces of the host using "rkt fly":
>   https://github.com/coreos/rkt/blob/master/Documentation/running-fly-stage1.md

I think "rkt fly" would make sense for running vpnc. If I were to run vpnc in "rkt fly", how might the Java application connect to the VPN? Would it still have to run in the same pod as vpnc? Could the Java app be packaged as a Docker image, or must it be an ACI?

Derek
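An added illustration of the least-privilege point behind the capabilities suggestion in this thread (this script is not from the thread, from vpnc or from the rkt project). Creating a tun/tap interface needs CAP_NET_ADMIN (capability number 12) plus access to /dev/net/tun; it does not need the whole "privileged" set. The script decodes the CapEff bitmask the kernel reports in /proc/<pid>/status so a process inside a container can check that it holds exactly the capabilities it was meant to retain and nothing more. The masks FULL_CAPS and ONLY_NET_ADMIN are constructed sample values; the capability numbers come from <linux/capability.h>.

```shell
#!/bin/sh
# Added example (not from the rkt-dev thread or the rkt project): decode the
# CapEff bitmask from /proc/<pid>/status and verify that a container process
# holds only the capability vpnc needs to create a tun/tap device
# (CAP_NET_ADMIN) instead of a fully privileged set. POSIX sh (dash, bash).

# Capability numbers from <linux/capability.h>.
CAP_NET_ADMIN=12
CAP_NET_RAW=13
CAP_SYS_ADMIN=21

# cap_in_mask MASK_HEX CAPNUM: succeed if bit CAPNUM is set in the hex mask.
cap_in_mask() {
    [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]
}

# allowlist_mask CAPNUM...: print the hex mask containing exactly these caps.
allowlist_mask() {
    m=0
    for c in "$@"; do
        m=$(( m | (1 << c) ))
    done
    printf '%x\n' "$m"
}

# mask_is_subset MASK_HEX ALLOWED_HEX: succeed if MASK sets no bit outside ALLOWED.
mask_is_subset() {
    [ $(( 0x$1 & ~0x$2 )) -eq 0 ]
}

# cap_eff_from_status: read a /proc/<pid>/status document on stdin and print
# the CapEff value (a 16-digit hex string).
cap_eff_from_status() {
    awk '/^CapEff:/ { print $2 }'
}

# check_least_privilege STATUS_FILE CAPNUM...: succeed only if the process
# described by STATUS_FILE has every listed capability and nothing else.
check_least_privilege() {
    status="$1"; shift
    eff=$(cap_eff_from_status < "$status")
    want=$(allowlist_mask "$@")
    for c in "$@"; do
        cap_in_mask "$eff" "$c" || return 1
    done
    mask_is_subset "$eff" "$want"
}

# Constructed sample masks for illustration:
#   FULL_CAPS      - every capability, what a "privileged" container gets
#   ONLY_NET_ADMIN - a container that retained just CAP_NET_ADMIN
FULL_CAPS=0000003fffffffff
ONLY_NET_ADMIN=0000000000001000

# Stand-alone demo on the calling shell's own capabilities (Linux only).
if [ -r /proc/self/status ]; then
    if check_least_privilege /proc/self/status "$CAP_NET_ADMIN"; then
        echo "this shell holds exactly CAP_NET_ADMIN"
    else
        echo "this shell's effective caps: $(cap_eff_from_status < /proc/self/status)"
    fi
fi
```

Run it as the entrypoint's first step, or by hand inside the pod, to confirm that the capability set granted through rkt's capabilities mechanism (the capabilities guide linked above documents retaining a named set on `rkt run`) came out as CAP_NET_ADMIN alone; a CapEff of 0000003fffffffff means the container is effectively privileged and the isolation was relaxed further than vpnc requires.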
