VyOS & containers
I recently discovered that VyOS has deprecated its old firewall configurations, both the zone-based one and its traditional in/out-based one. Now it's all netfilter input/forward/output chains, which I like, so I started looking into VyOS again.
More on the new firewall later; today's subject is containers!
To replace my current homebrew router there are a few non-standard tasks for the router to perform, like updating my dynamic DNS record. VyOS ships with ddclient, but it doesn't support my DNS provider... so I figured I could just use the same container I currently do for this.
Last time I tried using a container on VyOS I failed, and I can’t even remember why. It turns out it’s also very simple?
# In operations mode, run this to fetch the container:
# add container image qmcgaw/ddns-updater:v2.5.0
# Create a container network and add it to the network-group which contains all
# local subnets that are allowed NAT
set container network ddns-net prefix 10.1.1.0/29
set firewall group network-group all-subnets network "10.1.1.0/29"
# Setup the container, image, limits, network, port & volume mappings, envs...
set container name ddns-updater image 'qmcgaw/ddns-updater:v2.5.0'
set container name ddns-updater memory '128'
set container name ddns-updater network 'ddns-net'
set container name ddns-updater port webui destination '8000'
set container name ddns-updater port webui source '8000'
set container name ddns-updater port webui protocol 'tcp'
set container name ddns-updater volume ddns_updater_data source '/config/podman/ddns-updater/data'
set container name ddns-updater volume ddns_updater_data destination '/updater/data'
set container name ddns-updater environment RESOLVER_ADDRESS value '1.1.1.1:53'
set container name ddns-updater environment TZ value 'Europe/Stockholm'
The only thing I've forgotten about in the past is to allow the subnet to perform NAT, and to open the firewall on the relevant interfaces etc.