slingamn/namespaced-openvpn

how would i start a docker container in the protected namespace?

faulander opened this issue · 4 comments

Hi,
I love 'namespaced-openvpn' - it works like a charm. I can run any daemon or program inside the protected namespace and it tunnels through the VPN. I switched to using docker containers lately and want to run a docker container in the protected namespace. Can you point me in the right direction?

Thanks in advance.

Great question. Unfortunately the way the ip command uses network namespaces is somewhat different from the way Docker uses them. The recipes here:

https://platform9.com/blog/container-namespaces-deep-dive-container-networking/
https://stackoverflow.com/questions/31265993/docker-networking-namespace-not-visible-in-ip-netns-list

describe workarounds where one first starts a docker container and then manually creates a name for its network namespace (by creating a symlink at /var/run/netns/${namespace_name} that points to it). Then ip-netns (which is what namespaced-openvpn uses) can manipulate the namespace.

My guess is that if you start the container with docker run --net=none, the container will come up with no connectivity, and then you can use this trick to have namespaced-openvpn add a tunnel adapter to the namespace. (You'll probably have to set up /etc/resolv.conf manually, though.)

I have not tested this workflow so I would appreciate it if you could post your results here. Also, if there are clean/safe changes I can make to namespaced-openvpn to facilitate this workflow, I'd be happy to do so :-)
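The workflow sketched in the comment above (start the container with `--net=none`, give its network namespace a name under `/var/run/netns`, then let ip-netns and namespaced-openvpn manage it), written out as an added example that is not part of the original thread or of the namespaced-openvpn project. The namespace name `protected`, the helper function names and the `--namespace` flag are assumptions; it needs root, docker and iproute2.

```shell
#!/usr/bin/env bash
# Added example (not from the issue or from namespaced-openvpn): expose a
# Docker container's network namespace to ip-netns by symlinking it into
# /var/run/netns, so namespaced-openvpn can add its tunnel adapter there.
set -euo pipefail

# Kernel handle of the network namespace that a given PID lives in.
netns_link_target() {
    printf '/proc/%s/ns/net\n' "$1"
}

# Path where ip-netns looks up a namespace by name.
netns_link_path() {
    printf '/var/run/netns/%s\n' "$1"
}

# Start a container without networking and name its netns for ip-netns.
#   $1   = name to give the namespace (assumed: "protected")
#   $2.. = arguments for docker run (image, command, ...)
# Prints the container id.
docker_netns_expose() {
    local ns_name="$1"; shift
    local cid pid
    # --net=none: the container comes up with only loopback (no connectivity)
    cid=$(docker run -d --net=none "$@")
    pid=$(docker inspect --format '{{.State.Pid}}' "$cid")
    mkdir -p /var/run/netns
    # The symlink is what makes "ip netns exec $ns_name ..." work.
    ln -sfT "$(netns_link_target "$pid")" "$(netns_link_path "$ns_name")"
    # Sanity check: before the tunnel is added only "lo" should be listed.
    ip netns exec "$ns_name" ip -brief link
    printf '%s\n' "$cid"
}

# Remove the name once the container is gone, otherwise the symlink dangles
# and a later container with the same name would be silently misattributed.
docker_netns_unexpose() {
    rm -f "$(netns_link_path "$1")"
}

# Usage (as root; the --namespace flag of namespaced-openvpn is assumed):
#   cid=$(docker_netns_expose protected alpine sleep infinity)
#   namespaced-openvpn --namespace protected --config client.ovpn
#   docker rm -f "$cid" && docker_netns_unexpose protected
```

Name resolution needs separate handling: `ip netns exec` only bind-mounts `/etc/netns/NAME/resolv.conf` for processes it launches itself, and a container has its own mount namespace, so pass the VPN's DNS server with `docker run --dns` instead.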

I suggest just using podman instead (in its non-daemon mode) since it just inherits namespaces.

Could you elaborate on how to use podman in this way?

I just use podman run in a tmux server running inside of the relevant namespace. Sometimes I need to fix /etc/resolv.conf if the server is involved, but that's minor.