Open djohnston89 opened 3 years ago
Thanks for the report.
Please do note that host networking on FCOS nodes is fully managed by NetworkManager. As such, if you are looking for a host-level VPN tunnel where the FCOS node is a client of a remote hub, you are probably asking for the NetworkManager-libreswan package.
Instead, if you are looking for a concentrator service or for tunneling some specific application/container traffic, you'd want a containerized libreswan.
I went ahead and tried to layer NetworkManager-libreswan on current FCOS stable. This is the set of all packages that it brings in:
```text
Added:
  NetworkManager-libreswan-1.2.14-1.fc34.1.x86_64
  crypto-policies-scripts-20210213-1.git5c710c0.fc34.noarch
  gdbm-libs-1:1.19-2.fc34.x86_64
  grubby-8.40-51.fc34.x86_64
  ldns-1.7.1-4.fc34.x86_64
  libreswan-4.5-1.fc34.x86_64
  libxcrypt-compat-4.4.25-1.fc34.x86_64
  nspr-4.32.0-2.fc34.x86_64
  nss-3.71.0-1.fc34.x86_64
  nss-softokn-3.71.0-1.fc34.x86_64
  nss-softokn-freebl-3.71.0-1.fc34.x86_64
  nss-sysinit-3.71.0-1.fc34.x86_64
  nss-tools-3.71.0-1.fc34.x86_64
  nss-util-3.71.0-1.fc34.x86_64
  python-pip-wheel-21.0.1-3.fc34.noarch
  python-setuptools-wheel-53.0.0-2.fc34.noarch
  python-unversioned-command-3.9.7-1.fc34.noarch
  python3-3.9.7-1.fc34.x86_64
  python3-libs-3.9.7-1.fc34.x86_64
  python3-pip-21.0.1-3.fc34.noarch
  python3-setuptools-53.0.0-2.fc34.noarch
  unbound-libs-1.13.2-1.fc34.x86_64
```
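One way to do the day-2 layering described in the comment above at first boot, added here as an example rather than something from the thread or the Fedora CoreOS project. It follows the systemd-unit pattern from the FCOS package-layering documentation; the unit name and stamp path are my own choices. Note the package list above already shows what this pulls in (libreswan, the NSS stack and python3), so the "does it pull in Python" question is answered by that output.

```yaml
variant: fcos
version: 1.4.0
systemd:
  units:
    # Unit name and stamp file are assumptions for this example.
    - name: rpm-ostree-install-nm-libreswan.service
      enabled: true
      contents: |
        [Unit]
        Description=Layer NetworkManager-libreswan with rpm-ostree
        Wants=network-online.target
        After=network-online.target
        # Run before Zincati so two rpm-ostree transactions do not collide.
        Before=zincati.service
        # Only run once: the stamp file marks that layering already happened.
        ConditionPathExists=!/var/lib/%N.stamp

        [Service]
        Type=oneshot
        RemainAfterExit=yes
        # --allow-inactive keeps the unit from failing if a future base image
        # already ships the package; --apply-live makes the files visible
        # without waiting for a reboot.
        ExecStart=/usr/bin/rpm-ostree install --apply-live --allow-inactive NetworkManager-libreswan
        ExecStart=/bin/touch /var/lib/%N.stamp

        [Install]
        WantedBy=multi-user.target
```

Two caveats worth knowing before relying on this: a layered package is re-resolved against every new base image Zincati pulls, so if NetworkManager-libreswan (or its libreswan/nss dependencies) ever fails to resolve, the node's automatic update is blocked until the request is removed; and since this package is a NetworkManager VPN plugin, NetworkManager most likely has to be restarted (or the node rebooted) before it can load the plugin, even with `--apply-live`. That second point is my assumption, not something verified in the thread.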
From memory, it should be possible to run libreswan/strongswan from a privileged container.
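A sketch of the containerized route mentioned in the comment above, added as an example that is not from the thread or the libreswan project. The image reference is a placeholder to be replaced by an image you build and pin by digest; the mount path assumes the image's ipsec.conf and ipsec.secrets include /etc/ipsec.d; and the capability set is a least-privilege starting point, not a verified minimum (widen it only if pluto logs permission errors rather than reaching for --privileged).

```yaml
variant: fcos
version: 1.4.0
storage:
  directories:
    # Host-side IPsec config and secrets, mounted into the container.
    # Root-only because ipsec.d holds PSKs/keys. Path is an assumption.
    - path: /etc/libreswan
      mode: 0700
systemd:
  units:
    - name: libreswan.service
      enabled: true
      contents: |
        [Unit]
        Description=libreswan IKE/IPsec daemon in a container
        Wants=network-online.target
        After=network-online.target

        [Service]
        # Placeholder image: substitute your own, pinned by digest.
        Environment=IMAGE=quay.io/example/libreswan@sha256:REPLACE_WITH_DIGEST
        ExecStartPre=-/usr/bin/podman rm -f libreswan
        # --network host: pluto must program XFRM state and policy in the
        # host network namespace, otherwise the tunnel only exists inside
        # the container's own namespace.
        # --cap-add NET_ADMIN instead of --privileged: netlink/XFRM and
        # route changes need it; nothing here needs full root on the host.
        ExecStart=/usr/bin/podman run --rm --name libreswan \
            --network host \
            --cap-add NET_ADMIN \
            -v /etc/libreswan:/etc/ipsec.d:Z \
            ${IMAGE}
        ExecStop=/usr/bin/podman stop -t 10 libreswan
        Restart=on-failure

        [Install]
        WantedBy=multi-user.target
```

Because `--network host` hands the daemon the host's UDP 500/4500 sockets and the host's XFRM tables, this is only a containment win over layering in the packaging sense (nothing extra lands in the OSTree commit); the process itself is still as network-privileged as a host-installed pluto, which is why keeping the capability list short matters.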
We're exploring running libreswan in a container, but we wanted to explore the package request route in parallel.
Please try to answer the following questions about the package you are requesting:

- What, if any, are the additional dependencies on the package? (i.e. does it pull in Python, Perl, etc)
  Answer: unsure
- What is the size of the package and its dependencies?
  Answer: unsure
- What problem are you trying to solve with this package? Or what functionality does the package provide?
  Answer: This will help connect FCOS nodes to IPsec VPNs for encrypted external connectivity.
- Can the software provided by the package be run from a container? Explain why or why not.
  Answer: This is being explored currently.
- Can the tool(s) provided by the package be helpful in debugging container runtime issues?
  Answer: unsure
- Can the tool(s) provided by the package be helpful in debugging networking issues?
  Answer: unsure
- Is it possible to layer the package onto the base OS as a day 2 operation? Explain why or why not.
  Answer: unsure. This is being explored currently also.
- In the case of packages providing services and binaries, can the packaging be adjusted to just deliver binaries?
  Answer: unsure
- Can the tool(s) provided by the package be used to do things we’d rather users not be able to do in FCOS? (e.g. can it be abused as a Turing complete interpreter?)
  Answer: unsure
- Does the software provided by the package have a history of CVEs?
  Answer: unsure