Establish a PPTP connection in Kubernetes POD

I am trying to configure a pod that starts a pptp client.

I want to access a separate machine behind a VPN, and it works fine locally: my Docker container adds entries to my localhost routing table, and all is well.

```
ip route add xxxx dev ppp0
```

I can only connect to the VPN server while the privileged value is set to true and the network_mode parameter is set to "host".

The production environment is slightly different: "localhost" will be one of our three worker nodes in our Google Container cluster.

I do not know if the route added after the connection is established is only available for containers running inside this node... but this is a later problem.

docker-compose.yml

```yaml
version: '2'
services:
  pptp-tunnel:
    build: ./
    image: eu.gcr.io/project/image
    environment:
      - VPN_SERVER=XXXX
      - VPN_USER=XXXX
      - VPN_PASSWORD=XXXX
    privileged: true
    network_mode: "host"
```

This seems more difficult to achieve with Kubernetes, although both options exist and are declared, as you can see in my manifest (hostNetwork, privileged).

Kubernetes version

1.6.6

pptp-tunnel.yml

```yaml
apiVersion: v1
kind: Service
metadata:
  name: pptp-tunnel
  namespace: default
  labels:
spec:
  type: ClusterIP
  selector:
    app: pptp-tunnel
  ports:
    - name: pptp
      port: 1723
---
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: pptp-tunnel
  namespace: default
spec:
  replicas: 1
  strategy:
    rollingUpdate:
      maxSurge: 1
      maxUnavailable: 0
    type: RollingUpdate
  selector:
    matchLabels:
      app: pptp-tunnel
  template:
    metadata:
      labels:
        app: pptp-tunnel
    spec:
      hostNetwork: true
      containers:
        - name: pptp-tunnel
          env:
            - name: VPN_SERVER
              value: XXXX
            - name: VPN_USER
              value: XXXX
            - name: VPN_PASSWORD
              value: 'XXXXX'
          securityContext:
            privileged: true
            capabilities:
              add: ["NET_ADMIN"]
          image: eu.gcr.io/project/image
          imagePullPolicy: Always
          ports:
            - containerPort: 1723
```

I also tried to add the capability NET_ADMIN, as you can see, without effect. Running the container in privileged mode should disable security anyway, so I do not need both.

It would be nice not to set the container in privileged mode and just rely on the capability to bring up the ppp0 interface and add routing.

What happens when the POD starts is that the pptp client just keeps sending requests and timing out. (This happens with my Docker container locally until I turn on host_mode "host".)

```
sent [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0xa43cd4b4> <pcomp> <accomp>]
LCP: timeout sending Config-Requests
```

But this is without host network support; if I turn it on, I just get one request sent, and then the modem hangs up.

```
using channel 42
Using interface ppp0
Connect: ppp0 <--> /dev/pts/0
sent [LCP ConfReq id=0x7 <asyncmap 0x0> <magic 0xcdae15b8> <pcomp> <accomp>]
Script ?? finished (pid 59), status = 0x0
Script pptp XX.XX.XX.XX --nolaunchpppd finished (pid 60), status = 0x0
Script ?? finished (pid 67), status = 0x0
Modem hangup
Connection terminated.
```

Declaring the hostNetwork boolean allows me to see several interfaces that are shared with the host, so this works, but somehow I cannot establish a connection, and I cannot understand why.

Perhaps there is a better solution? I still need to establish a connection to the VPN server, but adding a routing record to the host may not be the best solution.

Any help is much appreciated!

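Added example (not part of the original question and not the project's own manifest): a small Python audit that takes the Deployment's pod template as Python dicts and reports, side by side, what the privileged variant and a least-privilege variant actually grant. Both specs are constructed here; the least-privilege one turns privileged off, drops every capability and adds back only NET_ADMIN, which is the capability needed to bring up ppp0 and run `ip route add`. The dict layout (hostNetwork, securityContext.privileged, securityContext.capabilities) is an assumption about what a YAML loader would produce from the manifest above; no cluster is contacted.

```python
"""Audit a Kubernetes pod spec for privileged / hostNetwork / capability settings.

Added example for the question above; the specs are constructed to mirror the
Deployment's pod template and are not loaded from a real cluster.
"""

# Constructed: the pod template from the question, as the dict a YAML loader
# would produce (assumption about key layout, not project code).
PRIVILEGED_SPEC = {
    "hostNetwork": True,
    "containers": [{
        "name": "pptp-tunnel",
        "image": "eu.gcr.io/project/image",
        "securityContext": {
            "privileged": True,
            "capabilities": {"add": ["NET_ADMIN"]},
        },
    }],
}

# Constructed least-privilege variant: privileged off, every capability
# dropped, only NET_ADMIN added back for bringing up ppp0 and editing routes.
LEAST_PRIVILEGE_SPEC = {
    "hostNetwork": True,
    "containers": [{
        "name": "pptp-tunnel",
        "image": "eu.gcr.io/project/image",
        "securityContext": {
            "privileged": False,
            "capabilities": {"drop": ["ALL"], "add": ["NET_ADMIN"]},
        },
    }],
}

ISSUES = {
    "HOST_NETWORK": "hostNetwork=true: the container runs in the node's network "
                    "namespace, so ppp0 and every 'ip route add' are node-wide",
    "PRIVILEGED": "privileged=true: all capabilities plus host device access, "
                  "far more than bringing up ppp0 and adding a route needs",
    "REDUNDANT_CAPS": "capabilities.add has no extra effect under privileged=true; "
                      "keep one mechanism, not both",
    "NO_DROP_ALL": "capabilities.drop lacks ALL: the runtime's default "
                   "capability set stays in place",
    "NET_ADMIN": "CAP_NET_ADMIN: can create interfaces and change routing, "
                 "the capability pppd and 'ip route add' need",
}


def audit_pod_spec(spec):
    """Return [(subject, issue_code), ...] for a pod spec dict."""
    findings = []
    if spec.get("hostNetwork"):
        findings.append(("pod", "HOST_NETWORK"))
    for container in spec.get("containers", []):
        name = container.get("name", "<unnamed>")
        sc = container.get("securityContext") or {}
        caps = sc.get("capabilities") or {}
        added = {c.upper() for c in caps.get("add") or []}
        dropped = {c.upper() for c in caps.get("drop") or []}
        if sc.get("privileged"):
            findings.append((name, "PRIVILEGED"))
            if added:
                findings.append((name, "REDUNDANT_CAPS"))
            continue  # nothing finer-grained to say about a privileged container
        if "ALL" not in dropped:
            findings.append((name, "NO_DROP_ALL"))
        if "NET_ADMIN" in added:
            findings.append((name, "NET_ADMIN"))
    return findings


def report(spec):
    """Human-readable lines for the findings of audit_pod_spec()."""
    return [f"{subject}: {ISSUES[code]}" for subject, code in audit_pod_spec(spec)]


if __name__ == "__main__":
    for label, spec in (("privileged manifest", PRIVILEGED_SPEC),
                        ("least-privilege manifest", LEAST_PRIVILEGE_SPEC)):
        print(f"== {label} ==")
        for line in report(spec):
            print("  " + line)
```

Running the file prints both reports. One caveat when moving from the privileged variant to the least-privilege one: privileged mode also hands the container the host's device nodes, and pppd opens /dev/ppp, so a non-privileged container needs that device made available separately (for example as a volume; this is an assumption about the fix, not something the question tests). With hostNetwork set either way, the route still lands in the node's routing table, which is exactly the concern the question raises about the other containers on that node.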

Source: https://habr.com/ru/post/1270494/