Openvpn access to a container

marcosmoreno1
Level 1

Hi,

We have a container application that runs on the IR8x9 architecture. In our use case, we have lots of routers running our container in a distributed architecture. In order to give support to clients on specific use-cases, we plan to use openvpn to gain access to the container shell and be able to troubleshoot live in case there is an issue.

Our issue: we have prepared a container with an openvpn client along with our software. The problem is that containers do not expose the /dev folder for security reasons, and openvpn cannot open a tunnel for connection (it uses /dev/net/tun).

In the device_mapping.json of the container we have gained access to the /dev/ttyS1 interface for modbus connection:

{
  "resources": {
    "network": [{"interface-name": "eth0", "network-name": "iox-bridge0"}],
    "devices": [{"type": "serial", "label": "HOST_DEV1", "device-id": "/dev/ttyS1"}]
  }
}

Is there the possibility to do the same with the /dev/net (i.e. expose it to the container)? How would it be done?

If not, is there a "best practices" approach to gain remote ssh access to a container? We can gain access to it by getting the certificate with ioxclient and doing ssh, but normally the routers are in client networks where we do not have direct ssh access.

Current firmware/GOS version:

Firmware: ir800-universalk9-bundle.SSA.156-2.0.49.GB

GOS: ir800-ioxvm-1.1.0.4-T.bin

Thanks in advance,

Marcos.
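As an added example (not code from the thread or from Cisco), the following script audits a device_mapping.json like the one quoted above and flags every host device that is mapped into the container beyond a reviewer's allowlist, so that an entry exposing /dev/net/tun is noticed before deployment. The second device entry in the sample, its "type" value and the allowlist are constructed assumptions; only the serial entry comes from the post.

```python
import json

# Constructed sample: the serial mapping quoted in the post, plus a
# hypothetical second entry exposing /dev/net/tun (the "type" value is assumed).
SAMPLE_MAPPING = """{
  "resources": {
    "network": [{"interface-name": "eth0", "network-name": "iox-bridge0"}],
    "devices": [
      {"type": "serial", "label": "HOST_DEV1", "device-id": "/dev/ttyS1"},
      {"type": "char", "label": "HOST_TUN", "device-id": "/dev/net/tun"}
    ]
  }
}"""

# Host devices the reviewer considers routine for this workload (assumption).
ALLOWED_DEVICES = {"/dev/ttyS1"}
REQUIRED_KEYS = ("type", "label", "device-id")


def audit_device_mapping(text, allowed=ALLOWED_DEVICES):
    """Return one finding dict per mapped host device.

    A device outside the allowlist, one missing required keys, or one that
    is not under /dev is flagged so the extra capability gets reviewed.
    """
    doc = json.loads(text)
    findings = []
    for dev in doc.get("resources", {}).get("devices", []):
        missing = [k for k in REQUIRED_KEYS if k not in dev]
        path = dev.get("device-id", "")
        finding = {"device": path, "label": dev.get("label"), "issues": []}
        if missing:
            finding["issues"].append("missing keys: " + ", ".join(missing))
        if not path.startswith("/dev/"):
            finding["issues"].append("device-id is not under /dev")
        elif path not in allowed:
            finding["issues"].append("not in allowlist; review capability granted")
        if path == "/dev/net/tun":
            # TUN/TAP access lets the container create its own network tunnels.
            finding["issues"].append("grants tunnel (TUN/TAP) creation to the container")
        findings.append(finding)
    return findings


def flagged_devices(text, allowed=ALLOWED_DEVICES):
    """Device ids that carry at least one issue."""
    return [f["device"] for f in audit_device_mapping(text, allowed) if f["issues"]]
```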

4 Replies

Steve Zhang
Cisco Employee

Hi Marcos,

The only way to access the container console (remote ssh) is through the router.

For how to access the console, please refer to:

https://developer.cisco.com/media/iox-dev-guide-7-12-16/ioxclient/ioxclient-reference/ (Connecting to application console with ioxclient)

or Cisco IOx Local Manager Workflows - Cisco (with IOx Local Manager)


Thanks,

Steve

Hi Steve,

Yes, we can access the router using the iox tool, but as I stated most of our clients are behind a firewall and we cannot get ssh access easily (it sometimes takes weeks to get a change in security policy that allows us to enter, or to get an account in a VPN from the company).

So you confirm that there is no possibility of exposing /dev/net to the container? We were expecting it to be as easy as with the serial port.

If that is the case, is there any other way of connecting to an openvpn through the router configuration or the GOS?

Thanks in advance and best regards,

Marcos.

Hi Marcos,

It is possible to access /dev/net in the container, and the feature to configure it in IOx GUI will come shortly as well.

Could you please contact me directly by mail if it is urgent?

Thanks,

Steve (szhang2@cisco)

Hi Steve,

Thank you for your answer. We do not use the IOx GUI; normally we do the operations via ioxclient (using version 0.3.0, which was the version provided to us). Still, if the feature will be in the IOx GUI, that is also fine. Will it also be configurable with the ioxclient tool? We can wait for the release, as it is a long-time requirement.

Best regards,
Marcos.