Closed ghost closed 2 years ago
Hey @thjderjktyrjkt,
Thank you for informing of this! I had been lazy and did not go in deeper for finding the right permissions a couple of years ago, so it stayed as it is.
I will add this to the README and update the relevant documentation.
This repository will have a big overhaul soon since my intended use case has now changed and I want to do a Linux network bridge for providing access directly to the network.
docker create \
--name=softether-vpnsrv \
-e TZ=Asia/Seoul \
-e SRVIPSUBNET=10.10.0 \
-e SRVIPNETMASK=255.255.255.0 \
-e DHCP_LEASE=168h \
-p 110:110/tcp \
-p 992:992/tcp \
-p 5555:5555/tcp \
-p 1194:1194/udp \
-p 54783:54783/udp \
-p 25000:25000/udp \
-p 500:500/udp \
-p 4500:4500/udp \
-p 1701:1701/tcp \
-v /etc/letsencrypt/:/etc/letsencrypt/ \
-v /etc/ssl/:/etc/ssl/ \
--restart unless-stopped \
--device /dev/net/tun \
--cap-drop all --cap-add cap_setgid,cap_setuid,cap_net_admin,cap_net_raw,cap_net_bind_service \
cenk1cenk2/softether-vpnsrv:edge
with error messages
Error response from daemon: invalid CapAdd: unknown capability: "CAP_SETGID,CAP_SETUID,CAP_NET_ADMIN,CAP_NET_RAW,CAP_NET_BIND_SERVICE"
Error response from daemon: No such container: softether-vpnsrv
Error: failed to start containers: softether-vpnsrv
What am I doing wrong?
@malikshi
I don't use docker, but here are a few suggestions:
root (sudo) may be required for additional capabilities (or it may be different in docker).
Also seeing this:
Error response from daemon: invalid CapAdd: unknown capability: "CAP_SETGID,CAP_SETUID,CAP_NET_ADMIN,CAP_NET_RAW,CAP_NET_BIND_SERVICE"
I think you should try removing the cap_ string:
--cap-drop all --cap-add setgid,setuid,net_admin,net_raw,net_bind_service
If it still doesn't work then I don't know how to fix it.
@thjderjktyrjkt already has a solution for those problems.
...
--device /dev/net/tun \
--cap-add={SETGID,SETUID,NET_ADMIN,NET_RAW,NET_BIND_SERVICE} \
...
These are the minimal capabilities required to run. Rootful is still required, but now that only the necessary capabilities are granted it should be more secure than running with full privileges. I don't know how docker works with the above options, but podman works just fine.
I didn't do more testing, so I don't know if the network bridge works (the local network bridges button in vpn manager is not grayed out, so it should work). But there's a capsh utility to help with working with capabilities.
--privileged should be avoided if possible: https://www.redhat.com/sysadmin/privileged-flag-container-engines
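The "unknown capability" error in the thread comes from passing one comma-joined string to a single --cap-add, which the engine treats as one capability name; the working form repeats --cap-add once per capability (the --cap-add={...} variant only works because bash brace expansion produces those separate arguments before the engine sees them). The helper below is an added example, not code from the thread or the softether-vpnsrv project; it rewrites such a list into one flag per capability and rejects names that are not real capabilities. The KNOWN_CAPS list is a constructed subset of Linux capability names, not the full set.

```shell
#!/bin/sh
# Added example: expand "cap_setgid,cap_setuid,..." into separate --cap-add
# flags, the form docker/podman actually accept, and reject unknown names
# before the engine does. Names are compared case-insensitively and an
# optional cap_ prefix is stripped, matching what capsh prints.

# Constructed subset of Linux capability names (enough for this thread).
KNOWN_CAPS="SETGID SETUID NET_ADMIN NET_RAW NET_BIND_SERVICE CHOWN DAC_OVERRIDE FOWNER KILL SYS_CHROOT"

# normalize_cap NAME: print the canonical name (e.g. cap_setgid -> SETGID),
# or return 1 if NAME is not a known capability.
normalize_cap() {
    name=$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')
    name=${name#CAP_}
    for k in $KNOWN_CAPS; do
        if [ "$k" = "$name" ]; then
            printf '%s' "$name"
            return 0
        fi
    done
    return 1
}

# cap_add_flags LIST: turn a comma-separated list into "--cap-add A --cap-add B".
# Fails (and prints the offending name) on the first unknown capability, so a
# typo never silently widens or breaks the container's capability set.
cap_add_flags() {
    old_ifs=$IFS
    IFS=','
    set -- $1          # split the list on commas only (function-local argv)
    IFS=$old_ifs
    out=""
    for c in "$@"; do
        n=$(normalize_cap "$c") || {
            printf 'unknown capability: %s\n' "$c" >&2
            return 1
        }
        out="${out:+$out }--cap-add $n"
    done
    printf '%s' "$out"
}

# Usage with the thread's failing list; intended to be spliced into
# "docker create --cap-drop all $(cap_add_flags ...) ...".
cap_add_flags cap_setgid,cap_setuid,cap_net_admin,cap_net_raw,cap_net_bind_service
```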