On Thu, Jul 21, 2016 at 4:28 PM, Derek Mahar <[email protected]> wrote:
> On Thursday, 21 July 2016 09:09:58 UTC-4, Alban Crequy wrote:
>>
>> On Thu, Jul 21, 2016 at 1:11 AM, Derek Mahar <[email protected]> wrote:
>> > How can I run a privileged container using rkt?
>>
>> There is no global "--privileged" flag in rkt, although there was some
>> discussion about it:
>> https://github.com/coreos/rkt/issues/2158#issuecomment-233603912
>>
>> It depends what kind of privileges you want for your container. What
>> are you trying to achieve?
>
>
> I'm trying to run vpnc, a Cisco VPN client, in a container along with the
> Java application that uses the VPN. Sean explained in an earlier message
> that the container must run in privileged mode in order to create tun/tap
> devices. I managed to run the client in a Docker container, but would
> prefer to do the same in an rkt container so that I can run both vpnc and
> the Java application in the same pod. The Java application will also have
> to connect to an ActiveMQ broker running on another node, but this node is
> outside the VPN.
/dev/net/tun is available for applications in rkt pods. But you will need
CAP_NET_ADMIN to use it. You can try something like the following (note the
CAP_NET_ADMIN at the end):

rkt run my_image --cap-retain="CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FSETID,CAP_FOWNER,CAP_MKNOD,CAP_NET_RAW,CAP_SETGID,CAP_SETUID,CAP_SETFCAP,CAP_SETPCAP,CAP_NET_BIND_SERVICE,CAP_SYS_CHROOT,CAP_KILL,CAP_AUDIT_WRITE,CAP_NET_ADMIN"

>> You can relax the isolation in several ways:
>>
>> - give more capabilities:
>>
>> https://github.com/coreos/rkt/blob/master/Documentation/capabilities-guide.md
>> (and more soon with https://github.com/coreos/rkt/pull/2917)
>>
>
> How do these capabilities apply to rkt containers running Docker images?
> I've installed vpnc in an Ubuntu Docker image, but with some effort I think
> I could repackage it as an ACI.

The capabilities passed on the command line (--cap-retain) apply in the same
way to ACIs and Docker images. So there is no need to repackage. If you want
to repackage to avoid having to pass the --cap-retain each time, you can use
docker2aci to convert the image from the Docker format to an ACI, and then
use "actool patch-manifest" to specify the capabilities.

> Would this mean that I'd have to repackage
> all of my images as ACIs or can rkt mix and match Docker and ACIs in a pod?

They can be mixed:

$ sudo rkt run docker://busybox --exec echo -- BUSYBOX-DOCKER --- quay.io/coreos/alpine-sh --exec echo -- ALPINE-ACI
[278815.172141] busybox[6]: BUSYBOX-DOCKER
[278815.176207] alpine-sh[7]: ALPINE-ACI

>> - run in the namespaces of the host using "rkt fly":
>>
>> https://github.com/coreos/rkt/blob/master/Documentation/running-fly-stage1.md
>>
>
> I think "rkt fly" would make sense for running vpnc. If I were to run vpnc
> in "rkt fly", how might the Java application connect to the VPN? Would it
> still have to run in the same pod as vpnc? Could the Java app be packaged
> as a Docker image or must it be an ACI?
"rkt fly" does not support pods, it can only run one app at a time. "rkt fly"
does not isolate anything, so vpnc would create the network interface on the
host and the Java application could be executed in another "rkt fly" instance
and connect to it, as could any other application on the host.

Cheers,
Alban
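An added example, not from this thread or from the rkt project, that goes with the --cap-retain advice above: it turns the capability list quoted in the reply into the 64-bit mask the kernel prints in /proc/<pid>/status, and then checks a process's CapEff line against it, so you can confirm that CAP_NET_ADMIN actually reached the vpnc app process and that nothing broader (CAP_SYS_ADMIN is used as the canary) came along with it. The capability bit numbers are those of linux/capability.h; the status text is a constructed sample standing in for a real /proc/<pid>/status.

```shell
#!/bin/sh
# Added example (not from the thread or the rkt project): build the
# --cap-retain list quoted above and verify, from a process's
# /proc/<pid>/status, which capabilities it really has.

# Default set quoted in the thread, plus CAP_NET_ADMIN for vpnc.
RKT_CAPS="CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FSETID,CAP_FOWNER,CAP_MKNOD,CAP_NET_RAW,CAP_SETGID,CAP_SETUID,CAP_SETFCAP,CAP_SETPCAP,CAP_NET_BIND_SERVICE,CAP_SYS_CHROOT,CAP_KILL,CAP_AUDIT_WRITE,CAP_NET_ADMIN"

# Constructed sample of /proc/<pid>/status (only the lines we parse).
SAMPLE_STATUS="Name:	vpnc
CapInh:	0000000000000000
CapPrm:	00000000a80435fb
CapEff:	00000000a80435fb
CapBnd:	00000000a80435fb"

# cap_number CAP_NAME: print the bit index from linux/capability.h.
cap_number() {
    case "$1" in
        CAP_CHOWN) echo 0;; CAP_DAC_OVERRIDE) echo 1;; CAP_DAC_READ_SEARCH) echo 2;;
        CAP_FOWNER) echo 3;; CAP_FSETID) echo 4;; CAP_KILL) echo 5;;
        CAP_SETGID) echo 6;; CAP_SETUID) echo 7;; CAP_SETPCAP) echo 8;;
        CAP_LINUX_IMMUTABLE) echo 9;; CAP_NET_BIND_SERVICE) echo 10;;
        CAP_NET_BROADCAST) echo 11;; CAP_NET_ADMIN) echo 12;; CAP_NET_RAW) echo 13;;
        CAP_IPC_LOCK) echo 14;; CAP_IPC_OWNER) echo 15;; CAP_SYS_MODULE) echo 16;;
        CAP_SYS_RAWIO) echo 17;; CAP_SYS_CHROOT) echo 18;; CAP_SYS_PTRACE) echo 19;;
        CAP_SYS_PACCT) echo 20;; CAP_SYS_ADMIN) echo 21;; CAP_SYS_BOOT) echo 22;;
        CAP_SYS_NICE) echo 23;; CAP_SYS_RESOURCE) echo 24;; CAP_SYS_TIME) echo 25;;
        CAP_SYS_TTY_CONFIG) echo 26;; CAP_MKNOD) echo 27;; CAP_LEASE) echo 28;;
        CAP_AUDIT_WRITE) echo 29;; CAP_AUDIT_CONTROL) echo 30;; CAP_SETFCAP) echo 31;;
        *) return 1;;
    esac
}

# mask_from_caps "CAP_A,CAP_B,...": print the mask as the 16 hex digits
# the kernel uses for the CapEff:/CapBnd: lines.
mask_from_caps() {
    mask=0
    old_ifs=$IFS; IFS=,
    for c in $1; do
        n=$(cap_number "$c") || { echo "unknown capability: $c" >&2; IFS=$old_ifs; return 1; }
        mask=$(( mask | (1 << $n) ))
    done
    IFS=$old_ifs
    printf '%016x\n' "$mask"
}

# has_cap MASK_HEX BIT: succeed if BIT is set in the hex mask.
has_cap() {
    [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]
}

# cap_eff_from_status: read /proc/<pid>/status text on stdin, print CapEff.
cap_eff_from_status() {
    awk '/^CapEff:/ { print $2 }'
}

# missing_caps MASK_HEX "CAP_A,CAP_B,...": print every requested capability
# absent from the mask; succeed only when none is missing.
missing_caps() {
    mask=$1 rc=0
    old_ifs=$IFS; IFS=,
    for c in $2; do
        if ! has_cap "$mask" "$(cap_number "$c")"; then echo "$c"; rc=1; fi
    done
    IFS=$old_ifs
    return $rc
}

# Demo on the constructed sample; for a real pod, feed
# `cat /proc/<pid>/status` of the vpnc process instead.
expected=$(mask_from_caps "$RKT_CAPS")
actual=$(printf '%s\n' "$SAMPLE_STATUS" | cap_eff_from_status)
echo "expected CapEff $expected, observed $actual"
if missing_caps "$actual" "$RKT_CAPS"; then
    echo "all requested capabilities are present"
fi
if has_cap "$actual" "$(cap_number CAP_SYS_ADMIN)"; then
    echo "WARNING: CAP_SYS_ADMIN is present; this is broader than --cap-retain asked for"
fi
```

The list from the reply, with CAP_NET_ADMIN added, decodes to 00000000a80435fb; the same list without CAP_NET_ADMIN is 00000000a80425fb, so a process that still cannot open /dev/net/tun can be diagnosed from that one hex digit. The pid of the app process inside the pod is an assumption about your environment (on the host it is visible in ps, since rkt apps are ordinary host processes under the stage1 systemd).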
