
I'm trying to run the console Cisco VPN client in Docker. I start the container like this:

docker run -it -v /srv/vpn/keys/:/root/keys/ --network=host --cap-add=NET_ADMIN  --device=/dev/net/tun -v /dev/net/tun:/dev/net/tun vpn-vpnc-client_img

And then I run the vpnc client inside the Docker container:

vpnc-connect /root/keys/vpnc.conf --local-port 0

It produces the following output:

Cannot open "/proc/sys/net/ipv4/route/flush": Read-only file system
Cannot open "/proc/sys/net/ipv4/route/flush": Read-only file system
Cannot open "/proc/sys/net/ipv4/route/flush": Read-only file system
Cannot open "/proc/sys/net/ipv4/route/flush": Read-only file system
Cannot open "/proc/sys/net/ipv4/route/flush": Read-only file system
Cannot open "/proc/sys/net/ipv4/route/flush": Read-only file system
Cannot open "/proc/sys/net/ipv4/route/flush": Read-only file system
Cannot open "/proc/sys/net/ipv4/route/flush": Read-only file system
Cannot open "/proc/sys/net/ipv4/route/flush": Read-only file system
Cannot open "/proc/sys/net/ipv4/route/flush": Read-only file system
Cannot open "/proc/sys/net/ipv4/route/flush": Read-only file system
Cannot open "/proc/sys/net/ipv4/route/flush": Read-only file system
Cannot open "/proc/sys/net/ipv4/route/flush": Read-only file system
Cannot open "/proc/sys/net/ipv4/route/flush": Read-only file system
Cannot open "/proc/sys/net/ipv4/route/flush": Read-only file system
Cannot open "/proc/sys/net/ipv4/route/flush": Read-only file system
VPNC started in background (pid: 257)...

vpnc connects and creates the proper routes, so the VPN seems to work. My concern is the warning message. According to the documentation, for /proc/sys/net/ipv4/route/flush:

Writing to this file results in a flush of the routing cache.

I don't understand this statement. Is it critical that the routing cache did not get flushed?

Also, as I understand it, I can issue

echo 1 > /proc/sys/net/ipv4/route/flush

manually after the container starts. But I use monit inside the Docker container to restart vpnc if the connection gets lost. Can I somehow bind mount /proc/sys/net/ipv4/route/flush from the host inside the container, and issue the command to flush the routing cache from the monit script inside the container?

Dmitriusan

2 Answers


As mentioned in the comments, there is no granular capability to be used with --cap-add, so you will have to run the container in privileged mode using --privileged in order to get rid of that warning.

M. Schmidt
  • This isn't necessarily a solution. It's a workaround, since now Docker is running as root in order to gain the necessary host permissions to achieve the result. – LeanMan Dec 31 '20 at 04:44
  • It's possible that future kernels will have this fix. Ubuntu 18.04 doesn't allow for this yet: https://lore.kernel.org/lkml/20190624132923.16792-1-christian@brauner.io/ – LeanMan Dec 31 '20 at 04:50
  • If it's an Ubuntu host, then either AppArmor or Docker's overmounting of certain proc elements might cause this; this isn't necessarily something related (only) to capabilities. You need to look at the full security stack, which is complex. – TheDiveO Oct 06 '21 at 20:12

I am one of the core developers of OpenConnect and maintainers of the vpnc-script — which is used by both vpnc and OpenConnect for routing and DNS configuration.

This error message actually comes from the vpnc-script, not from vpnc itself, and…

  1. This error doesn't matter at all. It comes from the command ip -4 route flush cache, which triggers IPv4 route flushing, which is an unnecessary, deprecated no-op in modern Linux kernels.

    We retain it only for backwards-compatibility, in case someone somewhere is running vpnc/OpenConnect on an annnnnnnnnnnnnnnnncieeeeeeent Linux kernel.

  2. We suppressed the error message in a 2019 change to the standard vpnc-script.

    If you simply replace your vpnc-script with the latest version, the error will go away.

Dan Lenski
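Taken together, the two answers say the warning comes from /proc/sys being mounted read-only inside the container, not from a missing capability, and that the flush itself is a harmless no-op. The following shell example is added here and is not part of the question, either answer, or the vpnc-script; it shows how a restart script such as the monit check from the question can confirm that diagnosis from /proc/mounts and run the flush without turning the warning into a failure. The function names are my own.

```shell
#!/bin/sh
# Added example, not the vpnc-script's own code.
# Docker remounts /proc/sys read-only in an unprivileged container, which is
# why writing /proc/sys/net/ipv4/route/flush fails there. These helpers let a
# restart script detect that situation and treat the flush as best-effort.

# Read a /proc/mounts-style table from stdin and report how /proc/sys is
# mounted: prints "ro", "rw", or "unknown" if no such mount entry exists.
procsys_mount_mode() {
  awk '$2 == "/proc/sys" { mode = ($4 ~ /(^|,)ro(,|$)/) ? "ro" : "rw" }
       END { if (mode == "") mode = "unknown"; print mode }'
}

# Convenience wrapper that inspects the live mount table of this container.
diagnose_procsys() {
  procsys_mount_mode < /proc/mounts
}

# Best-effort route-cache flush. Prints "flushed" when the sysctl file could
# be written and "skipped" otherwise, and always returns 0 so a supervisor
# (e.g. monit) does not count the read-only /proc/sys as a failed restart.
# On modern kernels the flush is a no-op anyway, so skipping it is safe.
flush_route_cache() {
  flush_file=${1:-/proc/sys/net/ipv4/route/flush}
  if [ -w "$flush_file" ] && echo 1 > "$flush_file" 2>/dev/null; then
    echo "flushed"
  else
    echo "skipped"
  fi
  return 0
}
```

Source the file from the monit restart script and call `diagnose_procsys` once at startup to log whether /proc/sys is read-only, then use `flush_route_cache` in place of the bare `echo 1 > /proc/sys/net/ipv4/route/flush`.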