docker swarm - no need to access host possible without cap_add? #595

Open
Haidy777 opened this issue Aug 14, 2020 · 5 comments

@Haidy777

Hello,
I have been reading through the issues and documentation; sadly, I couldn't find anything.

I've got a docker swarm cluster and want to run an OpenVPN server on it. Since I don't need access to the host system of the container, I'm searching for a method to run the OpenVPN server without the privileged and cap_add=NET_ADMIN method (as it is still not possible in swarm mode).

I think I would need to adjust some of the files of this project, but I don't know which :)

Maybe somebody achieved this already?

Thanks in Advance!

@Aniket-Singla

@Haidy777 I also faced the same issue today. Did you find any workaround for this? Or anyone else? I am also using swarm mode on my server.

@kylemanna
Owner

I really don't think there's any way to get around needing --cap_add=NET_ADMIN because of the creation of the tun interface. Should be able to operate without --privileged though, that's from a time when docker didn't support cap_add.

@kylemanna
Owner

I've made some updates on the dev branch to drop all mention of the --privileged flag. You'll always need the --cap-add=NET_ADMIN argument though.

Perhaps that helps? Let me know if you can test it.
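
A check for the setup discussed above, as an added example that is not part of the original thread or the project's code: it decodes a process's `CapEff` mask (from `/proc/self/status`) to confirm that a container holds `CAP_NET_ADMIN` without the full capability set that `--privileged` grants. The function names and the sample masks are constructed for illustration.

```shell
#!/bin/sh
# Added example: decode a Linux CapEff mask to verify least privilege
# for a container that needs CAP_NET_ADMIN (tun interface creation).
# Bit numbers are from linux/capability.h.
CAP_NET_ADMIN=12
CAP_SYS_ADMIN=21

# has_cap MASK_HEX BIT -> exit status 0 if that bit is set in the mask
has_cap() {
    [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]
}

# classify MASK_HEX -> prints one of:
#   over-privileged    CAP_SYS_ADMIN present (what --privileged hands out)
#   ok                 CAP_NET_ADMIN present, CAP_SYS_ADMIN absent
#   missing-net-admin  tun setup will fail with "operation not permitted"
classify() {
    if has_cap "$1" "$CAP_SYS_ADMIN"; then
        echo over-privileged
    elif has_cap "$1" "$CAP_NET_ADMIN"; then
        echo ok
    else
        echo missing-net-admin
    fi
}

# current_mask -> CapEff of the calling process (run inside the container)
current_mask() {
    awk '/^CapEff:/ {print $2}' /proc/self/status
}

# Constructed sample masks (typical values, not taken from the thread):
SAMPLE_DEFAULT=00000000a80425fb     # Docker's default capability set
SAMPLE_NET_ADMIN=00000000a80435fb   # default set plus CAP_NET_ADMIN
SAMPLE_PRIVILEGED=0000003fffffffff  # every capability, as with --privileged

for m in "$SAMPLE_DEFAULT" "$SAMPLE_NET_ADMIN" "$SAMPLE_PRIVILEGED"; do
    printf '%s %s\n' "$m" "$(classify "$m")"
done
```

Inside a running container, `classify "$(current_mask)"` reports the state of the current process.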

@Haidy777
Author

Haidy777 commented Nov 2, 2020

@Aniket-Singla No, I didn't find a workaround yet.
@kylemanna Thanks, I will take a look at it this weekend. But I don't think it is possible as long as --cap-add=NET_ADMIN is needed.

@Aniket-Singla

Aniket-Singla commented Nov 2, 2020

For now I am using docker-compose for deployments of the openvpn image in my swarm cluster (resides on master node) as I don't require CD for this beautiful image. Waiting for --cap-add to be available in swarm mode to move to stack deployments.

According to docker/cli#2687 (comment) it will be available in the 20.xx release.
