diff --git a/apps/rego-tunnel-linux/docker-compose.json b/apps/rego-tunnel-linux/docker-compose.json
index 8cfdd9a..d810b54 100755
--- a/apps/rego-tunnel-linux/docker-compose.json
+++ b/apps/rego-tunnel-linux/docker-compose.json
@@ -29,6 +29,13 @@
 "readOnly": true,
 "shared": false,
 "private": false
+ },
+ {
+ "hostPath": "/sys/fs/cgroup",
+ "containerPath": "/sys/fs/cgroup",
+ "readOnly": false,
+ "shared": false,
+ "private": false
 }
 ],
 "devices": [
diff --git a/apps/rego-tunnel-linux/docker-compose.yml b/apps/rego-tunnel-linux/docker-compose.yml
index 48e9f89..4803280 100755
--- a/apps/rego-tunnel-linux/docker-compose.yml
+++ b/apps/rego-tunnel-linux/docker-compose.yml
@@ -15,6 +15,7 @@ services:
 volumes:
 - ${APP_DATA_DIR}/data:/data
 - /etc/runtipi/repos/runtipi/apps/rego-tunnel-linux/source:/config:ro
+ - /sys/fs/cgroup:/sys/fs/cgroup:rw
 labels:
 generated: true
 traefik.enable: true
diff --git a/apps/rego-tunnel-linux/source/Dockerfile b/apps/rego-tunnel-linux/source/Dockerfile
index 2f2b79a..2c098bf 100755
--- a/apps/rego-tunnel-linux/source/Dockerfile
+++ b/apps/rego-tunnel-linux/source/Dockerfile
@@ -1,7 +1,10 @@
 FROM ubuntu:24.04
-ENV DEBIAN_FRONTEND=noninteractive
+ENV DEBIAN_FRONTEND=noninteractive
+ENV container=docker
+# Install systemd and required packages
 RUN apt-get update && apt-get install -y \
+ systemd systemd-sysv dbus dbus-x11 \
 iproute2 iptables ca-certificates \
 curl wget openssh-client \
 x11vnc xvfb fluxbox novnc websockify xterm nano oathtool \
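Review bot: The new mount exposes the host's /sys/fs/cgroup read-write (`"readOnly": false`), and the docker-compose.yml hunk does the same with `:rw`; a writable view of the host cgroup hierarchy lets a process inside the container alter resource limits and cgroup membership of host processes, so it should be the narrowest thing the init setup actually needs, and the compose files should carry a comment saying why rw is required. If a cgroup-aware init is the goal, check first whether a private cgroup namespace (`--cgroupns=private` on docker run; whether Runtipi's compose schema exposes it I cannot tell from here) on a cgroup v2 host removes the need for the bind mount entirely. Note that ENTRYPOINT is unchanged in the Dockerfile hunks and the entrypoint.sh hunks start dbus and vpnagentd directly, so as far as these hunks show nothing ever runs systemd and the mount widens the blast radius without buying anything.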
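Review bot: `ENV container=docker` has no comment explaining its purpose; systemd's container detection reads the `container` variable from PID 1's environment, so a line such as `# systemd checks $container on PID 1 to detect that it runs inside a container` would save the next reader a search. The `apt-get install -y` now pulls in systemd, systemd-sysv, dbus and dbus-x11 together with their recommended packages; `--no-install-recommends` would keep the image smaller unless something in the recommended set is relied upon. The RUN instruction continues past the end of the hunk.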
@@ -17,18 +20,50 @@ RUN apt-get update && apt-get install -y \
 RUN apt-get update && (apt-get install -y libasound2t64 || apt-get install -y libasound2) && rm -rf /var/lib/apt/lists/*
-COPY cisco-secure-client-linux64-5.1.11.388-core-vpn-webdeploy-k9.sh /tmp/cisco-install.sh
-RUN chmod +x /tmp/cisco-install.sh && \
- /tmp/cisco-install.sh && \
- rm /tmp/cisco-install.sh
+# Configure systemd - remove unnecessary units
+RUN cd /lib/systemd/system/sysinit.target.wants/ && \
+ ls | grep -v systemd-tmpfiles-setup | xargs rm -f && \
+ rm -f /lib/systemd/system/multi-user.target.wants/* && \
+ rm -f /etc/systemd/system/*.wants/* && \
+ rm -f /lib/systemd/system/local-fs.target.wants/* && \
+ rm -f /lib/systemd/system/sockets.target.wants/*udev* && \
+ rm -f /lib/systemd/system/sockets.target.wants/*initctl* && \
+ rm -f /lib/systemd/system/basic.target.wants/* && \
+ rm -f /lib/systemd/system/anaconda.target.wants/* && \
+ rm -f /lib/systemd/system/plymouth* && \
+ rm -f /lib/systemd/system/systemd-update-utmp*
-COPY hostscan /root/.cisco/hostscan
-RUN chmod -R 755 /root/.cisco/hostscan
+# Copy and extract pre-built Cisco Secure Client 5.1.14.145
+COPY cisco-secureclient-5.1.14.145.tar.gz /tmp/
+RUN tar -xzf /tmp/cisco-secureclient-5.1.14.145.tar.gz -C / && \
+ rm /tmp/cisco-secureclient-5.1.14.145.tar.gz
+
+# Copy user data (hostscan, etc)
+COPY cisco-userdata.tar.gz /tmp/
+RUN tar -xzf /tmp/cisco-userdata.tar.gz -C /root && \
+ rm /tmp/cisco-userdata.tar.gz
+
+# Create Cisco systemd service
+RUN mkdir -p /etc/systemd/system && \
+ echo '[Unit]' > /etc/systemd/system/vpnagentd.service && \
+ echo 'Description=Cisco AnyConnect Secure Mobility Client Agent' >> /etc/systemd/system/vpnagentd.service && \
+ echo 'After=network.target' >> /etc/systemd/system/vpnagentd.service && \
+ echo '' >> /etc/systemd/system/vpnagentd.service && \
+ echo '[Service]' >> /etc/systemd/system/vpnagentd.service && \
+ echo 'Type=forking' >> /etc/systemd/system/vpnagentd.service && \
+ echo 'ExecStart=/opt/cisco/secureclient/bin/vpnagentd' >> /etc/systemd/system/vpnagentd.service && \
+ echo 'Restart=on-failure' >> /etc/systemd/system/vpnagentd.service && \
+ echo '' >> /etc/systemd/system/vpnagentd.service && \
+ echo '[Install]' >> /etc/systemd/system/vpnagentd.service && \
+ echo 'WantedBy=multi-user.target' >> /etc/systemd/system/vpnagentd.service && \
+ systemctl enable vpnagentd.service 2>/dev/null || true
 COPY vpn-sso.sh /root/vpn-sso.sh
 RUN chmod +x /root/vpn-sso.sh
 COPY entrypoint.sh /entrypoint.sh
 RUN chmod +x /entrypoint.sh
+
+VOLUME [ "/sys/fs/cgroup" ]
 EXPOSE 8806
 ENTRYPOINT ["/entrypoint.sh"]
diff --git a/apps/rego-tunnel-linux/source/cisco-secureclient-5.1.14.145.tar.gz b/apps/rego-tunnel-linux/source/cisco-secureclient-5.1.14.145.tar.gz
new file mode 100644
index 0000000..838cfb7
Binary files /dev/null and b/apps/rego-tunnel-linux/source/cisco-secureclient-5.1.14.145.tar.gz differ
diff --git a/apps/rego-tunnel-linux/source/cisco-userdata.tar.gz b/apps/rego-tunnel-linux/source/cisco-userdata.tar.gz
new file mode 100644
index 0000000..69dcb98
Binary files /dev/null and b/apps/rego-tunnel-linux/source/cisco-userdata.tar.gz differ
diff --git a/apps/rego-tunnel-linux/source/entrypoint.sh b/apps/rego-tunnel-linux/source/entrypoint.sh
index 5e25dc3..628c9b8 100755
--- a/apps/rego-tunnel-linux/source/entrypoint.sh
+++ b/apps/rego-tunnel-linux/source/entrypoint.sh
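Review bot: `RUN tar -xzf /tmp/cisco-secureclient-5.1.14.145.tar.gz -C /` unpacks a vendored binary archive straight over the root filesystem with no integrity check, so any path inside the tarball silently replaces a system file; verify it before extracting, e.g. `echo "<EXPECTED_SHA256>  /tmp/cisco-secureclient-5.1.14.145.tar.gz" | sha256sum -c -`, and state in the comment above which directories the archive writes (the unit file implies at least /opt/cisco/secureclient) so the extraction footprint is documented; the same applies to cisco-userdata.tar.gz extracted into /root. The vpnagentd.service unit and `systemctl enable vpnagentd.service 2>/dev/null || true` only matter if systemd becomes PID 1, yet ENTRYPOINT still points at /entrypoint.sh below and the entrypoint.sh hunks start dbus and vpnagentd directly, so unless something outside these hunks execs systemd the unit is dead code and the `|| true` hides the only place an enable failure would show. Building the unit from a dozen `echo ... >>` lines is also harder to review than a `COPY vpnagentd.service /etc/systemd/system/` of a file kept next to the Dockerfile.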
@@ -7,6 +7,19 @@ DISPLAY_ADDR="${DISPLAY:-:1}"
 pids=()
+setup_hosts() {
+ # Add VPN hosts entries (Docker manages /etc/hosts, so add at runtime)
+ grep -q "vpn-ord1.dovercorp.com" /etc/hosts || echo "162.209.24.100 vpn-ord1.dovercorp.com" >> /etc/hosts
+ grep -q "vpn.dovercorp.com" /etc/hosts || echo "13.67.192.27 vpn.dovercorp.com" >> /etc/hosts
+}
+
+start_dbus() {
+ # Start dbus for Cisco Secure Client
+ mkdir -p /run/dbus
+ rm -f /run/dbus/pid
+ dbus-daemon --system --fork 2>/dev/null || true
+}
+
 start_gui() {
 mkdir -p /root/.vnc
 x11vnc -storepasswd "$VNC_PASSWORD" /root/.vnc/pass >/dev/null 2>&1 || true
@@ -24,7 +37,8 @@ start_gui() {
 }
 start_vpnagent() {
- /opt/cisco/secureclient/bin/vpnagentd -execv_instance &
+ # Start Cisco VPN agent daemon
+ /opt/cisco/secureclient/bin/vpnagentd &
 pids+=($!)
 }
@@ -50,8 +64,10 @@ start_terminal() {
 trap 'kill 0' INT TERM
 echo "Starting Rego VPN container..."
+setup_hosts
 setup_tun
 setup_nat
+start_dbus
 start_gui
 start_vpnagent
 start_terminal
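Review bot: `grep -q "vpn-ord1.dovercorp.com" /etc/hosts` treats the hostname as an unanchored regular expression, so the dots match any character and any existing line containing the pattern — including a stale entry with a different address — counts as present and the new mapping is never written; use `grep -qwF -- "vpn-ord1.dovercorp.com" /etc/hosts` (same for `vpn.dovercorp.com`), or match the full `ip hostname` pair so an outdated entry is replaced rather than kept. Pinning the VPN gateways to fixed IPs in /etc/hosts bypasses DNS entirely, which deserves a comment stating why (and that the addresses must be updated by hand when the gateways move). In start_dbus, `dbus-daemon --system --fork 2>/dev/null || true` discards both the failure and its message, so a missing system bus only surfaces later as vpnagentd misbehaviour; at least report it, e.g. `dbus-daemon --system --fork || echo "warning: dbus-daemon failed to start" >&2`.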
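Review bot: `pids+=($!)` records the PID of the process launched with `&`, but the unit file written in the Dockerfile hunk declares `Type=forking` for the same binary, which suggests vpnagentd daemonizes on its own; if it does, `$!` is the short-lived parent and `pids` never holds the running agent, so anything that waits on or kills `"${pids[@]}"` misses it. Either keep a foreground mode (the removed `-execv_instance` looks like it may have served that purpose — confirm against the client's documentation) or drop the pid bookkeeping for this service and rely on the `trap 'kill 0'` process-group kill visible in the last hunk. The new comment `# Start Cisco VPN agent daemon` restates the command; a note on why the flag was removed would be more useful.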