tr4cks / docker-netns Goto Github PK

Hello, thanks you for this handy tool!

I have found this repository here, as I need something similar.

It is really not obvious to use without documentation thus I would like to share my findings here, maybe you will adapt them in a nice way at your repository.

Installation part is the most straightforward one:

git clone https://github.com/tr4cks/docker-netns
cd docker-netns
go build docker-netns.go

After that we need to configure what commands are required to be executed on a container after it is started (important thing is that container must start exactly after docker-netns, otherwise nothing is executed). For this file ./config.yaml needs to be edited (it is in the projects' root directory). For example, it might be preparations for the sslh transparent mode:

sslh-transparent:
  - /usr/sbin/ip rule add fwmark 0x1 lookup 100
  - /usr/sbin/ip route add local 0.0.0.0/0 dev lo table 100 
  - /usr/sbin/iptables -t raw -A PREROUTING ! -i lo -d 127.0.0.0/8 -j DROP
  - /usr/sbin/iptables -t mangle -A POSTROUTING ! -o lo -s 127.0.0.0/8 -j DROP
  - /usr/sbin/iptables -t nat -A OUTPUT -p tcp -d 127.0.0.0/8 --tcp-flags FIN,SYN,RST,ACK SYN -j CONNMARK --set-xmark 0x01/0x0f
  - /usr/sbin/iptables -t mangle -A OUTPUT ! -o lo -p tcp -m connmark --mark 0x01/0x0f -j CONNMARK --restore-mark --mask 0x0f 

Where sslh-transparent is a name of container whose netns will be used (container id is not used for consistency purposes).

Now, finalize our setup of docket-netns daemon with systemd:

./docker-netns service install
systemctl enable --now docket-netns