Rootless Podman Container

This forum is for general conversation and user-user networking.
Post Reply
prymalinstynct
OpenVpn Newbie
Posts: 3
Joined: Fri Mar 27, 2020 12:12 pm

Rootless Podman Container

Post by prymalinstynct » Fri Mar 27, 2020 12:47 pm

I have been referencing these 2 articles to try and get a Rootless OpenVPN container running with Podman
https://community.openvpn.net/openvpn/w ... ilegedUser
https://stackoverflow.com/questions/571 ... ith-podman

I built a custom container image rather then using what is available on dockerhub because I was having issues with a few of those as well.

I can get the container running as root based off of the Dockerfile below and creating an selinux module for the container.

Code: Select all

podman run -d --name=vpn --network=host -v openvpn_config:/etc/openvpn:exec -v openvpn_easyrsa:/etc/easy-rsa:exec -v openvpn_gauth:/etc/google-authenticator --security-opt label=type:ovpn_container.process --cap-add=NET_ADMIN --device /dev/net/tun --device /dev/null localhost/openvpn
Dockerfile

Code: Select all

FROM centos:centos8

RUN     /usr/bin/dnf -y update && \
        /usr/bin/dnf -y install https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm && \
        /usr/bin/dnf -y install openvpn google-authenticator wget openssl qrencode passwd && \
        /usr/bin/wget https://github.com/OpenVPN/easy-rsa/releases/download/v3.0.6/EasyRSA-unix-v3.0.6.tgz && \
        /usr/bin/tar xf EasyRSA-unix-v3.0.6.tgz && \
        /usr/bin/mv -i EasyRSA-v3.0.6/ /etc/easy-rsa/ && \
        /usr/bin/rm -i -f EasyRSA-unix-v3.0.6.tgz && \
        /usr/bin/mkdir -p /etc/openvpn/server && \
        /usr/bin/mkdir -p /etc/openvpn/log && \
        /usr/bin/mkdir -p /etc/google-authenticator && \
        /usr/sbin/groupadd gauth && \
        /usr/sbin/useradd -g gauth gauth && \
        /usr/bin/chown gauth:gauth /etc/google-authenticator && \
        /usr/bin/chmod 700 /etc/google-authenticator

COPY vars /etc/easy-rsa/
COPY setup_ca.sh /etc/easy-rsa/
COPY server.conf /etc/openvpn/
COPY client.ovpn /etc/openvpn/
COPY make_client.sh /etc/openvpn/
COPY openvpn.pam /etc/pam.d/openvpn
COPY start.sh /usr/bin/

EXPOSE 1194
VOLUME ["/etc/openvpn"]
VOLUME ["/etc/easy-rsa"]
VOLUME ["etc/google-authenticator"]

CMD ["/usr/bin/start.sh"]
server.conf

Code: Select all

port 1194

;proto tcp
proto udp4

;dev tap
dev tun0

ca /etc/openvpn/server/ca.crt
cert /etc/openvpn/server/vpnserver.crt
key /etc/openvpn/server/vpnserver.key

dh /etc/openvpn/server/dh.pem

crl-verify /etc/openvpn/server/crl.pem

tls-auth /etc/openvpn/server/ta.key 0

server 10.5.0.0 255.255.255.0

;server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100

ifconfig-pool-persist ipp.txt 600

;push "route 192.168.10.0 255.255.255.0"
;push "route 192.168.20.0 255.255.255.0"

;client-config-dir ccd
;route 192.168.40.128 255.255.255.248

;client-config-dir ccd
;route 10.9.0.0 255.255.255.252

;learn-address ./script

push "redirect-gateway def1"

push "dhcp-option DNS 1.1.1.1"
push "dhcp-option DNS 1.0.0.1"

;client-to-client

;duplicate-cn

cipher AES-256-CBC

tls-version-min 1.2

tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-128-CBC-SHA256

tls-ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_SHA256

auth SHA512

topology subnet

keepalive 10 120

persist-key
persist-tun

push "compress lz4-v2"
compress lz4-v2

max-clients 100

user nobody
group nobody

status /etc/openvpn/log/openvpn-status.log

;log         openvpn.log
log-append /etc/openvpn/log/openvpn.log

verb 4

;mute 20

explicit-exit-notify
Where I am having trouble is when I move this configuration over to a unprivileged user.

Error

Code: Select all

Fri Mar 27 12:36:20 2020 us=387304 ERROR: Cannot ioctl TUNSETIFF tun0: Operation not permitted (errno=1)
Fri Mar 27 12:36:20 2020 us=387441 Exiting due to fatal error
AUTH-PAM: BACKGROUND: received command code: 1
AUTH-PAM: BACKGROUND: EXIT
I have checked selinux errors and am not getting any.

ovpn_container.cil

Code: Select all

(block ovpn_container
    (blockinherit container)
    (allow process process ( capability ( chown dac_override fsetid fowner mknod net_raw setgid setuid setfcap setpcap net_bind_service sys_chroot kill audit_write net_admin )))

    (allow process container_file_t ( dir ( open read getattr lock search ioctl add_name remove_name write )))
    (allow process container_file_t ( file ( getattr read write append ioctl lock map open create  )))
    (allow process container_file_t ( sock_file ( getattr read write append open  )))
    (allow process container_file_t ( dir ( open read getattr lock search ioctl add_name remove_name write )))
    (allow process container_file_t ( file ( getattr read write append ioctl lock map open create  )))
    (allow process container_file_t ( sock_file ( getattr read write append open  )))
    (allow process container_file_t ( dir ( open read getattr lock search ioctl add_name remove_name write )))
    (allow process container_file_t ( file ( getattr read write append ioctl lock map open create  )))
    (allow process container_file_t ( sock_file ( getattr read write append open  )))
    (allow process container_file_t ( dir ( open read getattr lock search ioctl add_name remove_name write )))
    (allow process container_file_t ( file ( getattr read write append ioctl lock map open create  )))
    (allow process container_file_t ( sock_file ( getattr read write append open  )))

    (allow process kernel_t ( system ( module_request )))
    (allow process node_t ( udp_socket (node_bind )))
    (allow process self ( netlink_route_socket ( nlmsg_write )))
    (allow process unreserved_port_t ( udp_socket ( udp_socket name_bind )))
    (allow process tun_tap_device_t ( chr_file ( ioctl open read write )))
)
I have a feeling it is an issue with the file below, the example i found appears to be from a different implemenation of systemd and NetworkManager then CentOS 8 uses (My host OS).

/etc/NetworkManager/system-connections/tun0.nmconnection

Code: Select all

[connection]
id=tun0
uuid=9e503105-6e07-41f2-a6d2-ef087ef7656e
type=tun
autoconnect=false
interface-name=tun0
permissions=user:vpnuser:;

[ipv4]
address1=10.5.0.1/24
dns-priority=100
dns-search=
method=manual

[ipv6]
addr-gen-mode=stable-privacy
dns-priority=100
dns-search=
method=link-local

Post Reply