Comments (11)
Please make sure that this feature is 100% compatible with namespaces created by `ip netns create` and the behavior of `ip netns exec`. That is, `bubblewrap --netns foo ...` should work on a namespace created by `ip netns create foo`, and (in the absence of any other configuration) should produce exactly the same network conditions for the child as `ip netns exec foo ...`.

In addition to setting the network namespace itself, `ip netns exec NAMESPACE` puts the process into a fresh mount namespace, and then remounts /sys (so that its contents reflect the network namespace) and bind-mounts /etc/netns/NAMESPACE/whatever over /etc/whatever for all whatever (so, for instance, you can override /etc/resolv.conf this way). And it also does a vrf_reset(), which I don't know what that means.

For more information on this:
- `ip netns` manpage source
- core implementation of the "put a process into a network namespace" operation
- implementation of the `ip netns` command line
from bubblewrap.
I like this idea. It decouples the network setup from using a network namespace by users.
In general you use bind mounts of namespace nodes, not symlinks. That way you keep the namespaces alive. "ip netns" typically binds these in /var/run/netns/$NAME (see man ip-netns). Maybe we can reuse those somehow. That would make it easy to set up such namespaces.
Unfortunately:
# setfacl -m u:alex:rx /var/run/netns/testnet
setfacl: /var/run/netns/testnet: Operation not permitted
But, I guess we could go with your approach of having a separate symlink to the /var/run/netns/$name file with an ACL on.
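The two mechanisms discussed in the comments above (pinning a namespace by bind-mounting its /proc/self/ns/net node into /var/run/netns/NAME so it stays alive, and the `ip netns exec` sequence of setns, fresh mount namespace, /sys remount and /etc/netns/NAME overrides) as an added C example. This is not bubblewrap or iproute2 code, only a minimal re-implementation of the steps named in the thread; the name validation in netns_path, the omission of vrf_reset(), and the `add`/`exec` subcommand names in main() are my own assumptions for the demo. Creating or joining a namespace needs CAP_SYS_ADMIN; the error path for a missing namespace file works unprivileged.

```c
/* Added example, not bubblewrap or iproute2 code: minimal equivalents of
 * `ip netns add NAME` (netns_add) and the setup done by `ip netns exec NAME`
 * (netns_enter), following the steps described in the thread. */
#define _GNU_SOURCE
#include <dirent.h>
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/mount.h>
#include <sys/stat.h>

#define NETNS_RUN_DIR "/var/run/netns"   /* directory ip(8) pins namespaces in */
#define NETNS_ETC_DIR "/etc/netns"       /* per-namespace /etc overrides */

/* Build "/var/run/netns/NAME"; rejects names that could escape the directory
 * (an assumption of this demo, not something ip(8) is documented to do). */
int netns_path(const char *name, char *buf, size_t len)
{
    if (name == NULL || *name == '\0' || strchr(name, '/') != NULL ||
        strcmp(name, ".") == 0 || strcmp(name, "..") == 0)
        return -1;
    int n = snprintf(buf, len, "%s/%s", NETNS_RUN_DIR, name);
    return (n < 0 || (size_t)n >= len) ? -1 : 0;
}

/* `ip netns add`: create a new network namespace in the calling process and
 * pin it by bind-mounting /proc/self/ns/net onto a file. The bind mount keeps
 * the namespace alive even when no process is inside it. Note that the caller
 * itself now lives in the new namespace (ip does the same and then exits). */
int netns_add(const char *name)
{
    char path[PATH_MAX];
    if (netns_path(name, path, sizeof path) < 0) { errno = EINVAL; return -1; }
    if (mkdir(NETNS_RUN_DIR, 0755) < 0 && errno != EEXIST) return -1;
    int fd = open(path, O_RDONLY | O_CREAT | O_EXCL, 0);   /* mount point */
    if (fd < 0) return -1;
    close(fd);
    if (unshare(CLONE_NEWNET) < 0) { unlink(path); return -1; }
    if (mount("/proc/self/ns/net", path, "none", MS_BIND, NULL) < 0) {
        unlink(path);
        return -1;
    }
    return 0;
}

/* `ip netns exec` setup: join NAME, give the process a private mount
 * namespace, remount /sys so it reflects the new network namespace, and
 * bind-mount each /etc/netns/NAME/<file> over /etc/<file> (e.g. resolv.conf).
 * vrf_reset() from ip(8) is deliberately not reproduced here. */
int netns_enter(const char *name)
{
    char path[PATH_MAX];
    if (netns_path(name, path, sizeof path) < 0) { errno = EINVAL; return -1; }
    int fd = open(path, O_RDONLY | O_CLOEXEC);
    if (fd < 0) return -1;                       /* ENOENT: no such namespace */
    int rc = setns(fd, CLONE_NEWNET);
    close(fd);
    if (rc < 0) return -1;                       /* EPERM without CAP_SYS_ADMIN */

    if (unshare(CLONE_NEWNS) < 0) return -1;
    /* Stop mount changes from propagating back to the parent namespace. */
    if (mount("", "/", "none", MS_SLAVE | MS_REC, NULL) < 0) return -1;
    if (umount2("/sys", MNT_DETACH) < 0 && errno != EINVAL && errno != ENOENT)
        return -1;
    if (mount(name, "/sys", "sysfs", 0, NULL) < 0) return -1;

    char etcdir[PATH_MAX];
    snprintf(etcdir, sizeof etcdir, "%s/%s", NETNS_ETC_DIR, name);
    DIR *d = opendir(etcdir);
    if (d == NULL) return errno == ENOENT ? 0 : -1;  /* overrides are optional */
    struct dirent *e;
    while ((e = readdir(d)) != NULL) {
        if (strcmp(e->d_name, ".") == 0 || strcmp(e->d_name, "..") == 0) continue;
        char src[PATH_MAX], dst[PATH_MAX];
        snprintf(src, sizeof src, "%s/%s", etcdir, e->d_name);
        snprintf(dst, sizeof dst, "/etc/%s", e->d_name);
        if (mount(src, dst, "none", MS_BIND, NULL) < 0)
            fprintf(stderr, "bind %s over %s: %s\n", src, dst, strerror(errno));
    }
    closedir(d);
    return 0;
}

int main(int argc, char **argv)
{
    if (argc >= 3 && strcmp(argv[1], "add") == 0) {
        if (netns_add(argv[2]) < 0) { perror("netns_add"); return 1; }
        return 0;
    }
    if (argc >= 4 && strcmp(argv[1], "exec") == 0) {
        if (netns_enter(argv[2]) < 0) { perror("netns_enter"); return 1; }
        execvp(argv[3], argv + 3);   /* only reached if setup succeeded */
        perror("execvp");
        return 1;
    }
    fprintf(stderr, "usage: %s add NAME | exec NAME cmd...\n", argv[0]);
    return 2;
}
```

As root, `./netns_demo add foo` followed by `./netns_demo exec foo ip link` should behave like `ip netns exec foo ip link`; because the /sys remount and the /etc bind mounts happen inside a private mount namespace, they are visible only to the child and vanish when it exits, while the pinned file in /var/run/netns keeps the network namespace itself alive.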
We should probably ask the kernel guys if there was a way to allow this? If it made sense. I have a fear of symlinks being a potential security problem.
@trevorjay PTAL
Another alternative is to have the netns bind mounts in a named subdirectory that has the corresponding ACLs set.
Opened a bugzilla to see if the kernel could be modified to allow setting of ACLs or ownership on these files.
https://bugzilla.redhat.com/show_bug.cgi?id=1334771
As someone following bubblewrap and wishing for this feature, can cloning an interface into the newly created NS be an option, à la https://github.com/google/nsjail ?
For the desktop use case, it might actually make the most sense for NetworkManager to support generating these network namespaces, and then we just need a convention for the "access stamp ACL file" between the two.
How about moving the process into the network namespace before calling clone()? I see a potential --netns and --unshare-net as mutually exclusive options: either you join an existing network namespace, or you create a new one.
I am looking at a server use-case, where the namespace would be created and set up by a separate systemd service.
Regarding liveness of the namespace, once an interface is pushed into the network namespace wouldn't it stay alive even if no process is active? In my limited testing I have not seen the namespace expire.
+1 to this feature request
What's blocking this issue?
- It's easy, but nobody has bothered to fix this issue.
- It's easy, but people hesitate because people think this is a bad idea.
- It's difficult to fix this issue, and bubblewrap doesn't have sufficient manpower.
With setuid privilege, this can be done easily. Joining network namespace through SUID privilege would be a fine intermediary solution until the unprivileged solution comes.