ipsec/strongswan server works on docker, not on lxd container
Forum: Linux - Containers (Docker, LXC, LXD, runC, containerd, CoreOS, Kubernetes, Mesos, rkt, and other Linux container platforms)
Those kernel.msgmax, etc. keys are not per-process keys,
therefore it does not make sense to change them from within a container.
When they are changed, they are applied to the whole kernel, aren't they?
I think it would be better if you adapt the script to run on the host,
make the appropriate kernel settings, and then launch the VPN container for you.
The other option is to split the script into a part that you run on the host (as root),
and another part that you run in the LXD container.
LXD has LXCFS, which is a filesystem that adapts a container's /proc filesystem
so that it makes sense to the container. For example, if you assign one CPU core
to a container, /proc/cpuinfo will show a single core.
I suppose Docker has something similar, but with LXD it should be more pronounced,
because with LXD you get machine containers which are closer to a VM (than Docker containers).

LXC containers are closer to a VM than Docker, that's right; that's why I thought it would be easier to provide a VPN server over LXC.
It's no problem with Docker.
My idea was to move all Docker containers into one combined LXC container, or at least into several.
I have not yet succeeded with L2TP/IPsec VPN. I guess I'll stay with Docker for the VPN. Too bad.
On the weekend I will try to "banish" my combination of ownCloud and a website, both behind an nginx SSL proxy upstream, into an LXC container.
As I said, that also works great under Docker.
Somehow I was hoping to put all my Docker containers into a single LXC container... let's see...
PS. Installing the VPN on the LXC host is out of the question for me; that would make no sense to me.
At work I would never think of installing another program or role on our VMware or Hyper-V hosts.

These lines (the first four and the last four) instruct the Linux kernel to allocate a bit more kernel memory for networking,
which makes things better when you set up strongSwan/IPsec.
Whether these lines (first four and last four) are run in a container or on the host,
the effect is the same; there is a single Linux kernel and the changes will be global to the whole server.
Therefore, you can move those 4+4 lines into a separate script, and run that script on the host:
An alternative would be to edit the AppArmor rules on the host to allow setting those sysctl values from within a container.
The file is /etc/apparmor.d/abstractions/lxc/container-base, and the lines that fail you are the ones that I commented out.
After you make the change, you need to reboot in order for the new rules to take effect.
Personally, I suggest not touching the AppArmor rules but rather doing what I described earlier.
That is, create a separate script to apply the special sysctl settings directly on the host.
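A host-side helper along the lines of that advice, as an added example that is not from this thread or from any VPN project: it keeps the "4+4" sysctl lines in their own list, validates them, and (only when run as root with the `apply` argument) applies and reads each one back so a silently denied write is reported rather than assumed to have worked. The keys and values in the list are constructed stand-ins; copy the real ones from your start script.

```shell
#!/bin/sh
# Host-side part of the split: apply the global sysctl settings on the host,
# then launch the VPN container. Added example, not the thread's own script.
set -eu

# Constructed stand-in for the "4+4" lines; keys and values are illustrative.
SYSCTL_LINES='# IPC limits used by the VPN daemons
kernel.msgmnb=65536
kernel.msgmax=65536
# forwarding so tunnel traffic can leave the box
net.ipv4.ip_forward=1'

# Read "key=value" lines on stdin, skip blanks and comments, reject anything
# malformed, and print "key value" pairs. Returns 1 on the first bad line.
parse_sysctl_lines() {
    while IFS= read -r line || [ -n "$line" ]; do
        line=$(printf '%s' "$line" | sed 's/^[[:space:]]*//;s/[[:space:]]*$//')
        case "$line" in
            ''|\#*) continue ;;
            *=*) ;;
            *) printf 'malformed sysctl line: %s\n' "$line" >&2; return 1 ;;
        esac
        key=${line%%=*}
        val=${line#*=}
        case "$key" in
            ''|*[!A-Za-z0-9_./-]*) printf 'bad sysctl key: %s\n' "$key" >&2; return 1 ;;
        esac
        [ -n "$val" ] || { printf 'empty value for %s\n' "$key" >&2; return 1; }
        printf '%s %s\n' "$key" "$val"
    done
}

# Apply each pair and read it back; a write that the kernel or AppArmor
# dropped shows up as FAIL instead of being assumed to have taken effect.
apply_sysctl_pairs() {
    rc=0
    while read -r key val; do
        if sysctl -w "$key=$val" >/dev/null 2>&1 \
           && [ "$(sysctl -n "$key" 2>/dev/null)" = "$val" ]; then
            printf 'ok   %s=%s\n' "$key" "$val"
        else
            printf 'FAIL %s=%s (not applied)\n' "$key" "$val" >&2; rc=1
        fi
    done
    return $rc
}

# Without arguments only validate and show the pairs; "apply" commits them.
if [ "${1:-}" = "apply" ]; then
    printf '%s\n' "$SYSCTL_LINES" | parse_sysctl_lines | apply_sysctl_pairs
    # start the VPN container here, e.g. lxc start <name> or docker start <name>
else
    printf '%s\n' "$SYSCTL_LINES" | parse_sysctl_lines
fi
```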