Short Description
minimal privileged IPsec container for use in atomic hosts
Full Description

IPSEC for (bare metal) atomic hosts

Atomic hosts do not support traditional installation of additional software
with e.g. rpm. This privileged docker container is meant to be run on system
startup (via a systemd unit) and provides IPsec for the docker host.

It uses Libreswan from the Fedora 22 repository.

Installation

Automatically starting via Systemd Unit

Run the following command to set up the necessary symlinks and systemd unit.

atomic install ibotty/ipsec-libreswan

You might want to start and enable it afterwards.

systemctl daemon-reload
systemctl enable ipsec.service
systemctl restart ipsec.service

If you don't run atomic but are certain you want to run Libreswan inside of a
container you can run the install script manually. This command is the same as
in the LABEL INSTALL in the Dockerfile.

docker run --rm --privileged --entrypoint /bin/sh -v /:/host \
  -e HOST=/host -e IMAGE=ipsec-libreswan -e NAME=ipsec-libreswan \
  ibotty/ipsec-libreswan /bin/install.sh

Ordering Systemd Units

You might require some intra-cluster traffic to be encrypted. To start
e.g. etcd only once ipsec is set up, instruct systemd to order it accordingly.

systemctl add-requires etcd.service ipsec.service

By hand

Start the IPsec IKE daemon (pluto) by running the following command.

docker run --rm --privileged --net=host \
       -v /lib/modules:/lib/modules:ro -v /etc/ipsec:/etc/ipsec \
       -v /etc/ipsec.d:/etc/ipsec.d --name ipsec-libreswan \
       ibotty/ipsec-libreswan

or use systemd:

systemd-nspawn --quiet --capability all --tmpfs /var/run/pluto \
               --bind /proc/sys/net --bind-ro /lib/modules --bind /etc/ipsec \
               --bind /etc/ipsec.d --machine=ipsec-libreswan /bin/entrypoint.sh start

Configuration

Config files

The configuration lives on the host in /etc/ipsec.conf, /etc/ipsec.secrets
and /etc/sysconfig/ipsec. Inside the container these files are symlinked from
/etc/ipsec, which makes the bind mount from the host easier and more reliable.

Usually /etc/ipsec.conf and /etc/ipsec.secrets include files within
/etc/ipsec.d, which also gets mounted in the container.

See e.g. the RHEL 7 Security Guide on how to set up Libreswan.
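The following script is an added example and not part of ibotty/ipsec-libreswan. It ties together the two pieces of host-side setup described above: a host-to-host connection dropped into /etc/ipsec.d (with its pre-shared key kept in a secrets file that is owner-readable only) and a systemd drop-in that makes etcd.service both require and start after ipsec.service. It assumes the host's /etc/ipsec.conf and /etc/ipsec.secrets carry the distribution-default "include /etc/ipsec.d/*.conf" and "include /etc/ipsec.d/*.secrets" lines; the addresses and PSK are constructed placeholders. Everything is written under a root directory of your choosing so it can be inspected before being copied to /.

```sh
#!/bin/sh
# Added example, not code from the ibotty/ipsec-libreswan image.
# Stages a Libreswan host-to-host connection and a systemd ordering drop-in
# under $ROOT (e.g. a temp dir) for review before copying to the real /.
set -eu

# Write the connection definition into $ROOT/etc/ipsec.d and its PSK into a
# separate secrets file. Assumes the host's /etc/ipsec.conf and
# /etc/ipsec.secrets include /etc/ipsec.d/*.conf and *.secrets (Fedora/RHEL default).
# $1 = root dir, $2 = local address, $3 = peer address, $4 = pre-shared key
write_host_to_host() {
    root=$1; left=$2; right=$3; psk=$4
    mkdir -p "$root/etc/ipsec.d"
    cat > "$root/etc/ipsec.d/host-to-host.conf" <<EOF
conn host-to-host
    left=$left
    right=$right
    authby=secret
    auto=start
EOF
    # The secrets file must never be world-readable: create it with a
    # restrictive umask so it is 0600 from the first byte written.
    old_umask=$(umask)
    umask 077
    cat > "$root/etc/ipsec.d/host-to-host.secrets" <<EOF
$left $right : PSK "$psk"
EOF
    umask "$old_umask"
}

# Drop-in that makes etcd.service depend on AND start after ipsec.service.
# 'systemctl add-requires' only records the Requires= link; the After= line
# is what actually delays etcd until the IKE daemon has been started.
# $1 = root dir
write_etcd_dropin() {
    root=$1
    d="$root/etc/systemd/system/etcd.service.d"
    mkdir -p "$d"
    cat > "$d/10-ipsec.conf" <<'EOF'
[Unit]
Requires=ipsec.service
After=ipsec.service
EOF
}

# Return 0 when the file is mode 0600 (owner read/write only), else 1.
# $1 = path
is_owner_only() {
    case $(ls -l "$1") in
        -rw-------*) return 0 ;;
        *) return 1 ;;
    esac
}

# Stand-alone demo: stage into a temp dir and list what was produced.
if [ "${1:-}" = "--demo" ]; then
    stage=$(mktemp -d)
    write_host_to_host "$stage" 192.0.2.10 192.0.2.20 'constructed-psk-change-me'
    write_etcd_dropin "$stage"
    find "$stage" -type f
    is_owner_only "$stage/etc/ipsec.d/host-to-host.secrets" && echo "secrets file is 0600"
fi
```

Run it with "--demo" to see the staged tree, then copy the files into place on the host, run "systemctl daemon-reload", and restart ipsec.service so pluto picks up the new connection. Keeping the key out of host-to-host.conf matters because the .conf files are what you will most likely share or commit; only the .secrets file needs to stay private.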

ipsec tool

When configuring with the ipsec tool, call

/usr/bin/docker exec -t ipsec-libreswan /bin/entrypoint.sh

as you would call ipsec on a regular host. Be sure to create the config files in
/etc/ipsec.d as described above.

Owner
ibotty