how would i start a docker container in the protected namespace?

[faulander]

Hi, i love 'namespaced-openvpn' - it works like a charm. I can run any daemon or programm inside the protected namespace and it tunnels through vpn. I switched to using docker containers lately and want to run a docker container in the protected namespace. Can you point me in the right direction?

Thanks in advance.

[slingamn]

Great question. Unfortunately the way the ip command uses network namespaces is somewhat different from the way Docker uses them. The recipes here:

https://platform9.com/blog/container-namespaces-deep-dive-container-networking/
https://stackoverflow.com/questions/31265993/docker-networking-namespace-not-visible-in-ip-netns-list

describe workarounds where one first starts a docker container and then manually creates a name for its network namespace (by creating a symlink at /var/run/netns/${namespace_name} that points to it). Then ip-netns (which is what namespaced-openvpn uses) can manipulate the namespace.

My guess is that if you start the container with docker run --net=none, the container will come up with no connectivity, and then you can use this trick to have namespaced-openvpn add a tunnel adapter to the namespace. (You'll probably have to set up /etc/resolv.conf manually, though.)

I have not tested this workflow so I would appreciate it if you could post your results here. Also, if there are clean/safe changes I can make to namespaced-openvpn to facilitate this workflow, I'd be happy to do so :-)

[mathstuf]

I suggest just using podman instead (in its non-daemon mode) since it just inherits namespaces.

[mgaulton]

I suggest just using podman instead (in its non-daemon mode) since it just inherits namespaces.

Could you elaborate on how to use podman in this way?

[mathstuf]

I just use podman run in a tmux server running inside of the relevant namespace. Sometimes I need to fix /etc/resolv.conf if the server is involved, but that's minor.