Hi there podman community,
after learning about `quadlet` during the community cabal call, some
time in thought and a weekend of hacking, I have figured out a
way to achieve my goal of joining a container into a WireGuard VPN
without writing a CNI plugin.
The idea is basically
https://www.wireguard.com/netns/ adopted to the
`quadlet` + `podman` workflow.
I have published a go binary (yes, it `os.execs`) at
https://github.com/b-m-f/wg-pod that can be executed inside an
`ExecStartPost` systemd unit line of a quadlet `.container` file to
automatically join a container into a WireGuard network on spawn
(multiple interfaces do not work).
Here is a quick breakdown of what the tool does:
- Determine the network namespace of a podman container (SandboxKey)
- Load a wg-quick WireGuard config and extract relevant info
- Create a temporary private key file from the config so the
interface can load it securely later
- Create a WireGuard interface in the container namespace
- Set the desired IP address on the interface
- Load the configuration onto the interface
- Set up the CIDR to be routed through the VPN
--
- Optionally set up a port mapping with `nftables` to allow containers
without `CAP_NET_BIND_SERVICE` to appear as if they would be hosting on
privileged ports to other Peers on the network -> (80:3030/tcp) syntax
Note that the CNI interface created by podman is still used as the
default route, meaning that a container can talk to private peers but
also do everything else over the routes given to it by podman.
Maybe this will be useful to someone else :)
I use it to easily have my services available wherever I am.
Oh btw, since you made it till here:
1. How can I autostart a service generated with quadlet on boot?
2. got any ideas on how to properly test something that modifies its
environment in such a way?
Maybe spawn a VM with virsh? New territory for me & ideas are
appreciated.
3. Writing this thingy does not mean that it would not be nice to be
able to spawn a WireGuard interface directly via podman. Maybe have a
hybrid approach as I have it now as well as a pure WireGuard interface
only approach?
Would netavark be the place to get this in at some point?
So far, greetings from Berlin and have a good weekend
Max <b-m-f>
:wq
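The sequence in the breakdown above, written out as a POSIX shell script. This is an added example, not the wg-pod tool's code: it follows the wireguard.com/netns recipe (create the interface in the host namespace so its UDP socket stays there, then move it into the container's namespace) and assumes root, the `ip`, `wg`, `nsenter`, `nft` and `podman` binaries, WireGuard kernel support, and a `/run/netns/...` SandboxKey as podman's CNI backend creates it. Function names, the `wg0` interface name, the `wgpod` nft table and the sample config are all constructed here; the keys in the sample are placeholders.

```shell
#!/bin/sh
# Added example (not the wg-pod tool's code): join a running podman container
# into a WireGuard network the way https://www.wireguard.com/netns/ does it,
# by creating the wg interface in the host namespace and moving it into the
# container's network namespace. Assumed environment: root, `ip`, `wg`,
# `nsenter`, `nft` and `podman` on PATH, WireGuard kernel support.
# Set WG_POD_DRY_RUN=1 to print the commands instead of executing them.

# Run a command, or print it when dry-running.
run() {
    if [ "${WG_POD_DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Print every value of <Key> in a wg-quick config, one per line.
wg_conf_get_all() { # <file> <Key>
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | sed 's/[[:space:]]*$//'
}

# Print only the first value of <Key>.
wg_conf_get() { wg_conf_get_all "$1" "$2" | head -n 1; }

# Drop the wg-quick-only keys (Address, DNS, MTU, Table, hooks) so that the
# remainder is accepted by `wg setconf`.
wg_conf_strip() { # <file>
    sed -E '/^[[:space:]]*(Address|DNS|MTU|Table|SaveConfig|PreUp|PostUp|PreDown|PostDown)[[:space:]]*=/d' "$1"
}

# Turn "80:3030/tcp" into an nftables redirect inside the container namespace:
# a peer reaching port 80 on the wg address lands on the unprivileged port 3030,
# so the container needs no CAP_NET_BIND_SERVICE.
port_map_rules() { # <sandbox> <spec>
    pm_proto=${2##*/}; pm_ports=${2%/*}
    pm_from=${pm_ports%%:*}; pm_to=${pm_ports##*:}
    run nsenter --net="$1" nft add table ip wgpod
    run nsenter --net="$1" nft add chain ip wgpod prerouting '{ type nat hook prerouting priority -100; }'
    run nsenter --net="$1" nft add rule ip wgpod prerouting iifname wg0 "$pm_proto" dport "$pm_from" redirect to :"$pm_to"
}

# Join the namespace at <sandbox> (the SandboxKey path, e.g. /run/netns/cni-...)
# to the VPN described by the wg-quick <conf>; optional third arg "from:to/proto".
wg_pod_join() { # <conf> <sandbox> [portmap]
    wj_addr=$(wg_conf_get "$1" Address)
    wj_tmp=$(mktemp)                     # mktemp creates the file with mode 0600,
    wg_conf_strip "$1" > "$wj_tmp"       # so the private key is never world-readable
    run ip link add wg0 type wireguard   # created in the host ns: UDP socket stays here
    run ip link set wg0 netns "$(basename "$2")"   # `ip netns` names live in /run/netns
    run nsenter --net="$2" wg setconf wg0 "$wj_tmp"
    run nsenter --net="$2" ip address add "$wj_addr" dev wg0
    run nsenter --net="$2" ip link set wg0 up
    # Route only the peers' AllowedIPs through the tunnel; the CNI interface
    # keeps the default route, exactly as described in the mail.
    for wj_cidr in $(wg_conf_get_all "$1" AllowedIPs | tr ',' ' '); do
        run nsenter --net="$2" ip route add "$wj_cidr" dev wg0
    done
    if [ -n "${3:-}" ]; then port_map_rules "$2" "$3"; fi
    rm -f "$wj_tmp"
}

# Constructed sample config for trying the script offline (keys are placeholders).
write_sample_conf() { # <file>
    cat > "$1" <<'EOF'
[Interface]
Address = 10.66.0.2/24
PrivateKey = SAMPLE_PRIVATE_KEY_PLACEHOLDER=
DNS = 10.66.0.1
MTU = 1420

[Peer]
PublicKey = SAMPLE_PEER_PUBLIC_KEY_PLACEHOLDER=
Endpoint = vpn.example.invalid:51820
AllowedIPs = 10.66.0.0/24, 192.168.77.0/24
PersistentKeepalive = 25
EOF
}

# CLI: wg_pod.sh <conf> <container> [portmap]; looks up the SandboxKey itself.
if [ $# -ge 2 ]; then
    sandbox=$(podman inspect --format '{{.NetworkSettings.SandboxKey}}' "$2")
    wg_pod_join "$1" "$sandbox" "${3:-}"
fi
```

Hooked into a quadlet `.container` file this would be a `[Service]` line such as `ExecStartPost=/usr/local/bin/wg_pod.sh /etc/wireguard/wg0.conf <container-name>` (path and name assumed). Running with `WG_POD_DRY_RUN=1` prints the `ip`/`wg`/`nsenter`/`nft` commands without touching the system, which is a cheap way to review what the unit will do before it runs as root.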
On Wed, 2021-10-13 at 12:25 -0500, Sasha Litvak wrote:
I wonder if it is possible to do via CNI plugin.
On Wed, Oct 13, 2021 at 12:16 PM Daniel Walsh <dwalsh(a)redhat.com> wrote:
> On 10/12/21 14:48, Maximilian Ehlers wrote:
> > Hello everyone,
> >
> > for a while I have been using containers that join themselves into a
> > VPN via their entrypoint script.
> >
> > Only a small CIDR is forwarded to that private network and all other
> > traffic gets routed over the bridged network via the host.
> >
> > In my exact use case the containers use WireGuard and need the
> > following configurations:
> >
> > - private key (public keys can be derived)
> > - public key of an endpoint
> > - network routable IP of an endpoint
> > - Port of the endpoint
> > - CIDR to route to endpoint
> >
> > Optionally multiple endpoints could be specified.
> >
> > As this hack inside the entrypoint is not the most elegant way (DRY)
> > and so on, I would like to ask whether or not it would be possible to
> > integrate this functionality into podman.
> >
> > Specifically to integrate support for a WireGuard interface
> > configurable via CLI flags/config && together with this giving a
> > container multiple network interfaces at spawn with the ability to
> > specify which CIDR should route to which interface.
> >
> > Implementing this would be an interesting challenge for me if it is at
> > all possible (or am I wasting my time here?)
> >
> > Any hints as to how I could proceed in implementing and testing this in
> > a fork of the project would be much appreciated!
> >
> > Thanks a lot
> >
> > Max <b-m-f>
> > _______________________________________________
> > Podman mailing list -- podman(a)lists.podman.io
> > To unsubscribe send an email to podman-leave(a)lists.podman.io
> Network guys what do you think?
>