时间戳

首页 > 解决方案 > 无法从具有 `openvpn` 的容器中`ssh`

containers - 无法从具有 `openvpn` 的容器中`ssh`

问题描述

基本设置

使用:

我有这个 Dockerfile:

FROM fedora:30

ENV LANG C.UTF-8

RUN dnf upgrade -y \
    && dnf install -y \
        openssh-clients \
        openvpn \
        slirp4netns \
    && dnf clean all

CMD ["openvpn", "--config", "/vpn/ovpn.config", "--auth-user-pass", "/vpn/ovpn.auth"]

我用它构建:

podman build -t peque/vpn .

现在,为了能够成功运行它,我必须处理一些 SELinux 问题(请参阅使用 Podman 连接到 VPN)。

修复 SELinux 权限问题

sudo dnf install udica

ovpn_container.cil为 VPN 容器定义了这个自定义策略:

(block ovpn_container
    (blockinherit container)
    (blockinherit restricted_net_container)
    (allow process process (capability (chown dac_override fsetid fowner mknod net_raw setgid setuid setfcap setpcap net_bind_service sys_chroot kill audit_write net_admin)))

    (allow process default_t (dir (open read getattr lock search ioctl add_name remove_name write)))
    (allow process default_t (file (getattr read write append ioctl lock map open create)))
    (allow process default_t (sock_file (getattr read write append open)))

    (allow process tun_tap_device_t (chr_file (ioctl open read write)))
    (allow process self (netlink_route_socket (nlmsg_write)))
    (allow process unreserved_port_t (tcp_socket (name_connect)))
)

我将政策应用于:

sudo semodule -r ovpn_container
sudo semodule -i ovpn_container.cil /usr/share/udica/templates/{base_container.cil,net_container.cil}

运行容器

现在我可以成功运行容器:

podman run -v $(pwd):/vpn:Z --cap-add=NET_ADMIN --device=/dev/net/tun --security-opt label=type:ovpn_container.process -it peque/vpn

问题

容器运行后,我在容器内打开一个终端,我想从该终端ssh访问远程服务器:

podman exec -it container_name bash

从容器我能够ssh成功地连接到远程服务器,但前提是它们不在 VPN 内。

当我尝试访问sshVPN 中的服务器时,它会卡住一段时间,然后抛出此错误:

$ ssh server.domain.com
ssh: connect to host server.domain.com port 22: Connection refused 
kex_exchange_identification: Connection closed by remote host

我会错过什么?

标签: containersfedorapodman

解决方案

推荐阅读