How to run containers with capabilities (NET_ADMIN/SYS_ADMIN) and update sysctl config?

Hello,

I’m trying to deploy a Sentinel dVPN (WireGuard) node on Akash. To run this we need to add a WireGuard interface with ip link; this requires the NET_ADMIN capability for the container to execute this command.

service logs:

[dvpn-84cd58857c-ttm85] 2021-07-15T04:44:22Z INF Initializing VPN service type=1
[dvpn-84cd58857c-ttm85] 2021-07-15T04:44:22Z INF Starting VPN service type=1
[dvpn-84cd58857c-ttm85] [#] ip link add wg0 type wireguard
[dvpn-84cd58857c-ttm85] RTNETLINK answers: Permission denied

Also, we need to update the sysctl config to successfully start the VPN service; I’m not able to do this in the container.

Is there any way to mention network capabilities and sysctl config?

Thank you
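The "RTNETLINK answers: Permission denied" in the log above is what `ip link add` returns when the process's effective capability set lacks CAP_NET_ADMIN. The following is an added diagnostic example, not code from the thread or from Sentinel or Akash: it decodes the CapEff bitmask that the kernel exposes in /proc/<pid>/status so you can verify which capabilities a container actually holds before debugging the VPN service itself. The sample status lines are constructed; the bit numbers come from <linux/capability.h>.

```python
"""Decode the effective Linux capability set of a process from /proc/<pid>/status."""
from pathlib import Path

# Capability bit numbers from <linux/capability.h> (subset relevant to this thread).
CAP_BITS = {
    "CAP_NET_BIND_SERVICE": 10,
    "CAP_NET_ADMIN": 12,      # required for `ip link add wg0 type wireguard`
    "CAP_NET_RAW": 13,
    "CAP_SYS_MODULE": 16,
    "CAP_SYS_ADMIN": 21,
}


def parse_cap_eff(status_text: str) -> int:
    """Return the CapEff bitmask (hex in the file) from /proc/<pid>/status text."""
    for line in status_text.splitlines():
        if line.startswith("CapEff:"):
            return int(line.split(":", 1)[1].strip(), 16)
    raise ValueError("CapEff line not found in status text")


def effective_caps(status_text: str) -> set[str]:
    """Names (from CAP_BITS) of the capabilities set in the effective mask."""
    mask = parse_cap_eff(status_text)
    return {name for name, bit in CAP_BITS.items() if (mask >> bit) & 1}


def can_add_wireguard_link(status_text: str) -> bool:
    """Creating a WireGuard interface needs CAP_NET_ADMIN in the effective set."""
    return "CAP_NET_ADMIN" in effective_caps(status_text)


# Constructed sample: the default Docker/containerd capability set (no NET_ADMIN).
SAMPLE_DEFAULT = "Name:\tip\nCapInh:\t0000000000000000\nCapEff:\t00000000a80425fb\n"
# Constructed sample: the same set with CAP_NET_ADMIN (bit 12) added.
SAMPLE_WITH_NET_ADMIN = "CapEff:\t00000000a80435fb\n"

if __name__ == "__main__":
    # Inspect the current process; inside a container this shows what the runtime granted.
    status = Path("/proc/self/status").read_text()
    print(sorted(effective_caps(status)))
    print("can create wg0:", can_add_wireguard_link(status))
```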

Hi @harish_marri, we’d love to host dvpn nodes if it’s possible to.

We’ll have to evaluate the security implications of allowing these flags, and also see if gVisor will allow this to begin with.

I’ll make a note for us to look into it; we’ll report back here with our findings.

2 Likes

Hey guys, I also recently ran into this. Was wondering if we have any info?

For security reasons, we don’t allow this at the moment. We’ll look into it when we can.

1 Like

I’d like to support Firecracker VM “containers” sometime soon as an alternative to gVisor. This would open up a lot more kernel features and increase performance for some workloads.

1 Like