TommyLau / docker-ocserv

Docker OpenConnect VPN Server
349 stars 243 forks

Running with docker user-namespace #48

Closed aminvakil closed 4 years ago

aminvakil commented 5 years ago

I want to securely run this docker on a server with userns enabled.

Therefore --privileged cannot be used, but I've successfully added --cap-add=NET_ADMIN, so iptables can be run.

Unfortunately these cannot be executed:

```
sysctl: error setting key 'net.ipv4.ip_forward': Read-only file system
mknod: /dev/net/tun: Operation not permitted
chmod: /dev/net/tun: No such file or directory
```

I've set net.ipv4.ip_forward to 1 as root on the host, but I have no idea how I can give privileges to ocserv if it needs to make special blocks by mknod on the host.

I know this is more of a linux issue, but any help would be appreciated.

yuseferi commented 1 year ago

@aminvakil have you found a solution for it?

aminvakil commented 1 year ago

@yuseferi I don't remember honestly :)

But using this repository is unsafe because of multiple vulnerabilities discovered since the latest update of this Docker image.

Take a look and use this repository if you want: https://github.com/aminvakil/docker-ocserv/

```shell
# No --privileged: forwarding is set via --sysctl, iptables needs only NET_ADMIN
docker run --name ocserv \
  --sysctl net.ipv4.ip_forward=1 \
  --cap-add NET_ADMIN \
  --security-opt no-new-privileges \
  -p 443:443 -p 443:443/udp \
  -d quay.io/aminvakil/ocserv
```
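The three errors in the first comment map to three things an unprivileged container must get from the host rather than create itself: `net.ipv4.ip_forward` (a `--sysctl` at run time, since `/proc/sys` is read-only in the container), `CAP_NET_ADMIN` (`--cap-add`), and the tun device node. Under userns-remap `mknod` of a device node is refused, which is the "Operation not permitted" above, so `/dev/net/tun` has to be passed through from the host with `--device /dev/net/tun` instead of being created by the entrypoint. The POSIX shell preflight below is an added example, not code from either docker-ocserv repository: it checks all three conditions from inside the container before ocserv starts, and takes file paths as parameters so the checks can be exercised against constructed fixtures. The function names and the `preflight` wrapper are this example's own.

```shell
#!/bin/sh
# Preflight for running ocserv without --privileged (example added here, not
# part of the docker-ocserv project). Each check takes a path so it can be
# pointed at a test fixture instead of the live kernel interface.

# CAP_NET_ADMIN is capability number 12 in the kernel capability bitmap
# reported as a hex string on the CapEff line of /proc/<pid>/status.
CAP_NET_ADMIN_BIT=12

# check_ip_forward FILE: succeed if the sysctl file holds "1".
# Inside a container this file is read-only, so it must already be 1
# (set from the host with --sysctl net.ipv4.ip_forward=1).
check_ip_forward() {
    [ -r "$1" ] && [ "$(tr -d '[:space:]' < "$1")" = "1" ]
}

# check_tun_device PATH: succeed if PATH exists and is a character device.
# Under userns-remap mknod is refused, so this only passes when the host
# device was handed in with --device /dev/net/tun.
check_tun_device() {
    [ -c "$1" ]
}

# has_cap_net_admin STATUSFILE: parse the CapEff line of a /proc/<pid>/status
# file and test bit 12 of the effective capability bitmap.
has_cap_net_admin() {
    hex=$(awk '/^CapEff:/ { print $2 }' "$1")
    [ -n "$hex" ] || return 1
    [ $(( (0x$hex >> CAP_NET_ADMIN_BIT) & 1 )) -eq 1 ]
}

# preflight: run the three checks against the real kernel interfaces, print
# the docker run flag that fixes each failure, and return non-zero if any fail.
preflight() {
    rc=0
    check_ip_forward /proc/sys/net/ipv4/ip_forward ||
        { echo "ip_forward is not 1: add --sysctl net.ipv4.ip_forward=1"; rc=1; }
    check_tun_device /dev/net/tun ||
        { echo "/dev/net/tun missing or not a char device: add --device /dev/net/tun"; rc=1; }
    has_cap_net_admin /proc/self/status ||
        { echo "CAP_NET_ADMIN not in CapEff: add --cap-add NET_ADMIN"; rc=1; }
    return $rc
}
```

Calling `preflight` at the top of the container entrypoint, before `exec ocserv`, turns the three runtime failures into one readable report. The default Docker capability set (CapEff `00000000a80425fb`) does not include bit 12, which is why iptables fails without `--cap-add NET_ADMIN` even outside userns.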