Docker – When running vpnc in docker, get ‘Cannot open “/proc/sys/net/ipv4/route/flush”: Read-only file system’

dockerlinux-networkingpermissionsroutingvpn-client

I'm trying to run console Cisco VPN client in Docker.
I start the container like that:

docker run -it -v /srv/vpn/keys/:/root/keys/ --network=host --cap-add=NET_ADMIN  --device=/dev/net/tun -v /dev/net/tun:/dev/net/tun vpn-vpnc-client_img

And then run the vpnc client inside Docker container

vpnc-connect /root/keys/vpnc.conf --local-port 0

It produces the following output:

Cannot open "/proc/sys/net/ipv4/route/flush": Read-only file system
Cannot open "/proc/sys/net/ipv4/route/flush": Read-only file system
Cannot open "/proc/sys/net/ipv4/route/flush": Read-only file system
Cannot open "/proc/sys/net/ipv4/route/flush": Read-only file system
Cannot open "/proc/sys/net/ipv4/route/flush": Read-only file system
Cannot open "/proc/sys/net/ipv4/route/flush": Read-only file system
Cannot open "/proc/sys/net/ipv4/route/flush": Read-only file system
Cannot open "/proc/sys/net/ipv4/route/flush": Read-only file system
Cannot open "/proc/sys/net/ipv4/route/flush": Read-only file system
Cannot open "/proc/sys/net/ipv4/route/flush": Read-only file system
Cannot open "/proc/sys/net/ipv4/route/flush": Read-only file system
Cannot open "/proc/sys/net/ipv4/route/flush": Read-only file system
Cannot open "/proc/sys/net/ipv4/route/flush": Read-only file system
Cannot open "/proc/sys/net/ipv4/route/flush": Read-only file system
Cannot open "/proc/sys/net/ipv4/route/flush": Read-only file system
Cannot open "/proc/sys/net/ipv4/route/flush": Read-only file system
VPNC started in background (pid: 257)...

vpnc connects and creates proper routes, so VPN seems to work. My concern is the warning message.
According to the documentation, for /proc/sys/net/ipv4/route/flush

Writing to this file results in a flush of the routing cache.

I don't understand this statement. Is it critical that routing cache did not get flushed?

Also, as I understand, I can issue

echo 1 > /proc/sys/net/ipv4/route/flush

manually after start of the container. But I use monit inside docker container to restart the vpnc if connection gets lost. Can I bind mount /proc/sys/net/ipv4/route/flush from host inside container somehow, and issue the command to flush routing cache from monit script inside container?

Best Answer

I am one of the core developers of OpenConnect and maintainers of the vpnc-script — which is used by both vpnc and OpenConnect for routing and DNS configuration.

This error message actually comes from the vpnc-script, not from vpnc itself, and…

This error doesn't matter at all. It come from the command ip -4 route flush cache, which triggers IPv4 route flushing, which is an unnecessary, deprecated, no-op in modern Linux kernels.

We retain it only for backwards-compatibility, in case someone somewhere is running vpnc/OpenConnect on an annnnnnnnnnnnnnnnncieeeeeeent Linux kernel.
We suppressed the error message in a 2019 change to the standard vpnc-script.

If you simply replace your vpnc-script with the latest version, the error will go away.

Related Solutions

Linux Routing – Tuning IP Routing Parameters: secret_interval and tcp_mem

I never ever encountered this issue. However, you should probably increase your hash table width in order to reduce its depth. Using "dmesg", you'll see how many entries you currently have:

$ dmesg | grep '^IP route'
IP route cache hash table entries: 32768 (order: 5, 131072 bytes)

You can change this value with the kernel boot command line parameter rhash_entries. First try it by hand then add it to your lilo.conf or grub.conf.

For example: kernel vmlinux rhash_entries=131072

It is possible that you have a very limited hash table because you have assigned little memory to your HAProxy VM (the route hash size is adjusted depending on total RAM).

Concerning tcp_mem, be careful. Your initial settings make me think you were running with 1 GB of RAM, 1/3 of which could be allocated to TCP sockets. Now you've allocated 367872 * 4096 bytes = 1.5 GB of RAM to TCP sockets. You should be very careful not to run out of memory. A rule of thumb is to allocate 1/3 of the memory to HAProxy and another 1/3 to the TCP stack and the last 1/3 to the rest of the system.

I suspect that your "out of socket memory" message comes from default settings in tcp_rmem and tcp_wmem. By default you have 64 kB allocated on output for each socket and 87 kB on input. This means a total of 300 kB for a proxied connection, just for socket buffers. Add to that 16 or 32 kB for HAProxy, and you see that with 1 GB of RAM you'll only support 3000 connections.

By changing the default settings of tcp_rmem and tcp_wmem (middle param), you can get a lot lower on memory. I get good results with values as low as 4096 for the write buffer, and 7300 or 16060 in tcp_rmem (5 or 11 TCP segments). You can change those settings without restarting, however they will only apply to new connections.

If you prefer not to touch your sysctls too much, the latest HAProxy, 1.4-dev8, allows you to tweak those parameters from the global configuration, and per side (client or server).

I am hoping this helps!

Linux gateway not forwarding packets

ok, let's begin by just covering the basics... looks like smoothwall may be the issue here...

type the following on the console of your smoothwall and see if this fixes your issue:

iptables -I FORWARD 1 -s 192.168.65.0/24 -i eth1 -d 192.168.1.0/24 -j ACCEPT

please note this is a temporary fix to test if the issue is with smoothwall. if that works, then just add a rule on smoothwall to allow that traffic or add this line to something like rc.local (probably not the best idea... :) )

Best Answer

Related Solutions

Linux Routing – Tuning IP Routing Parameters: secret_interval and tcp_mem

Linux gateway not forwarding packets

Related Topic