Docker, systemd-resolved and corporate VPN
Posted 04-29-2021 at 11:44 AM by serafean
There's no going around it, I really need that docker image now. Unfortunately everything is corporate: apt repositories, conan repositories. Docker needs to resolve and contact machines through the local openconnect vpn0 interface.
1. Docker kills my internet
My LAN runs in the 172.17.0.0/16 range. Docker uses that same range.
Easy fix. Set a different pool in daemon.json:
Code:
{
  "default-address-pools": [
    { "base": "172.22.24.0/24", "size": 24 }
  ]
}
2. I use nftables
Docker refuses to start unless it can install its iptables rules.
Again, daemon.json:
Code:
"iptables": false,
3. No ping
This one is easy. Docker is on its own network. Routing is needed between interfaces. I chose NAT.
Did I mention I use nftables?
Code:
chain postrouting {
    type nat hook postrouting priority 100;
    oifname vpn0 masquerade random
    iifname docker0 masquerade random
}
I suppose routing tables would work too. Might try later.
4. Can't resolve corporate domains
Now this one was a doozie. With systemd-resolved as the default resolver, it supposedly sends each query only to the DNS servers of the right link, avoiding leakage. The unfortunate byproduct is that it listens on port 53 on localhost, which makes running a custom DNS server there basically a no-go (well, not really, as it actually listens on 127.0.0.53).
Also, docker by default copies /etc/resolv.conf into the container, which contains either the localhost resolver or my router's address (which of course doesn't resolve the company's domains).
Fortunately systemd-resolved now allows listening on addresses other than localhost.
Add to /etc/systemd/resolved.conf:
Code:
DNSStubListenerExtra=172.22.24.1
And now make docker use that DNS. Unfortunately, docker build doesn't support the --dns option. So into daemon.json we go again:
Code:
"dns": ["172.22.24.1"]
Now I can finally build a docker image with repositories behind the vpn0 interface.
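Two of the problems above are really addressing mistakes that can be checked before touching daemon.json: the pool collision from step 1 and the resolv.conf-copied-into-the-container failure from step 4. The POSIX sh script below is an added example, not code from the original post. The `ip route` output and resolv.conf contents it uses are constructed inline; it assumes Docker gives the bridge the first usable address of the pool's subnet (which is why 172.22.24.1 is the right listener address for a 172.22.24.0/24 pool) and that a container's 127.0.0.0/8 is its own loopback, so a copied `nameserver 127.0.0.53` can never reach the host's resolved stub.

```shell
#!/bin/sh
# Added example (not from the original post): pre-flight checks for the
# Docker address pool (step 1) and the container resolver (step 4).
# Only POSIX sh arithmetic is used; sample inputs are constructed below.

# dotted quad -> 32-bit integer
ip2int() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# network address of "a.b.c.d/len" as an integer
net_of() {
    ip=${1%/*}; len=${1#*/}
    mask=$(( 0xFFFFFFFF << (32 - len) & 0xFFFFFFFF ))
    echo $(( $(ip2int "$ip") & mask ))
}

# true (exit 0) if two CIDRs overlap: apply the shorter prefix to both
cidr_overlap() {
    l1=${1#*/}; l2=${2#*/}
    len=$(( l1 < l2 ? l1 : l2 ))
    [ "$(net_of "${1%/*}/$len")" -eq "$(net_of "${2%/*}/$len")" ]
}

# Constructed `ip route` output: a LAN on 172.17.0.0/16 plus an openconnect vpn0
ROUTES='default via 172.17.0.1 dev eth0
10.0.0.0/8 dev vpn0 scope link
172.17.0.0/16 dev eth0 proto kernel scope link src 172.17.0.42'

# Step 1: report every route the Docker pool collides with; exit 1 if any
pool_conflicts() {   # $1 = pool CIDR, $2 = `ip route` output
    rc=0
    while read -r dst _; do
        case $dst in */*) ;; *) continue ;; esac   # skip "default"
        if cidr_overlap "$1" "$dst"; then
            echo "pool $1 overlaps route $dst"; rc=1
        fi
    done <<EOF
$2
EOF
    return $rc
}

# Step 4: classify each nameserver the container would inherit.
# Loopback addresses are the container's own loopback, not the host's.
# The docker0 bridge is pool network + 1, so that is where the extra
# resolved stub listener must sit for containers to reach it.
resolver_check() {   # $1 = pool CIDR, $2 = resolv.conf contents
    rc=0
    while read -r key val _; do
        [ "$key" = nameserver ] || continue
        if cidr_overlap 127.0.0.0/8 "$val/32"; then
            echo "$val: loopback, unreachable from containers"; rc=1
        elif [ "$(ip2int "$val")" -eq $(( $(net_of "$1") + 1 )) ]; then
            echo "$val: docker bridge address, reachable from containers"
        elif cidr_overlap "$1" "$val/32"; then
            echo "$val: inside the pool but not the bridge address"; rc=1
        else
            echo "$val: bypasses systemd-resolved, corporate names will not resolve"; rc=1
        fi
    done <<EOF
$2
EOF
    return $rc
}

# Constructed resolv.conf contents: the stub file Docker copies, and the fixed one
RESOLV_STUB='nameserver 127.0.0.53
options edns0 trust-ad'
RESOLV_FIXED='nameserver 172.22.24.1'

for pool in 172.17.0.0/16 172.22.24.0/24; do          # Docker default vs daemon.json pool
    if pool_conflicts "$pool" "$ROUTES"; then echo "$pool: no route conflict"; fi
done
if resolver_check 172.22.24.0/24 "$RESOLV_STUB"; then echo "stub resolv.conf ok"; fi
if resolver_check 172.22.24.0/24 "$RESOLV_FIXED"; then echo "fixed resolv.conf ok"; fi
```

Run it as `sh check.sh`; the 172.17.0.0/16 pool is reported against the LAN route and the 127.0.0.53 resolver as loopback, while 172.22.24.0/24 with 172.22.24.1 passes both checks. Two things worth keeping in mind when applying the settings themselves: `DNSStubListenerExtra=` belongs under the `[Resolve]` section of resolved.conf, and once it is set every container on the docker0 bridge (not just the host) can query systemd-resolved, so the listener's scope is the bridge subnet, which is exactly why the pool should not overlap anything else.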