[lxc-devel] per-session network namespace question
Wilhelm Meier
wilhelm.meier at fh-kl.de
Thu Oct 15 13:37:42 UTC 2009
Hi,
Daniel Lezcano schrieb:
> Wilhelm Meier wrote:
>> Hi,
>>
>
> Hi Wilheim,
>
> I am not sure I understand your question. Can you elaborate a little bit?
ok:
I would like to compare the desired function with pam_namespace: using
pam_namespace (or fs-namespaces in general) one could set up a new
fs-namespace if a user logs into the system. That is, mounts into this
namespace are not visible from outside this namespace. This is
especially useful for multiseat systems, where every user makes his own
mounts for e.g. local devices.
So, what I'm looking for is the ability to do the same with
network-namespaces. Imagine the use-case of a ssh-tunnel to a remote
machine: the local end of the tunnel is visible for all users of the
system, although authenticated only for the user who created it.
It would be nice if one could set up a new network-namespace for each user
session, so that the above ssh-tunnel local end is only visible to the
processes in this network-namespace.
> Thanks
> -- Daniel
>> I'm looking for a possibility to dynamically set up a per-session
>> network-namespace as a user logs into the machine.
> The lxc tools allow you to do that with the right configuration; you should
> look at the lxc-sshd example.
> That runs a container with an sshd inside, with its own network stack and
> rootfs.
As described above, I don't want to start a full container with a sshd
inside. I'm interested in restricting access to a listening port, and
the visibility of this port, to a group of processes. These processes are the
descendants of the login/kdm-process.
> You can log in to the container with ssh.
>> Preferably this should be done via some sort of pam-module like
>> pam-namespace.
>>
>> The difficulty I see here is to move the newly created vethx to the
>> first process-id in the user-session.
>>
> This is done automatically with lxc.
>
> eg of configuration file:
>
> lxc.network.type = veth
> lxc.network.flags = up
> lxc.network.link = br0
> lxc.network.name = eth0
> lxc.network.mtu = 1500
>
>
--
Wilhelm
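One way to do the step the thread calls difficult, moving a freshly created veth end into the network namespace of the session's first process, as an added example that is not part of the original thread or of lxc. It assumes iproute2's `ip link set ... netns PID` and nsenter(1) are available, that the session leader PID has already unshared its network namespace (e.g. from a PAM module, the way pam_namespace unshares the mount namespace), and that `br0` is the host bridge as in Daniel's configuration.

```shell
#!/bin/sh
# Added example (not from the thread): give an already-unshared session
# leader its own veth end so only that session's processes see the port.
# Assumptions: iproute2 with "ip link set DEV netns PID", nsenter(1),
# a session leader that has already called unshare(CLONE_NEWNET), and
# a host bridge named br0. Set DRY_RUN=1 to only print the commands
# (without it the script needs root / CAP_NET_ADMIN).

BRIDGE=${BRIDGE:-br0}

# run CMD...: execute, or just print when DRY_RUN=1
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# attach_session_veth SESSION_ID LEADER_PID
#   Creates the veth pair ve-<id> / ve-<id>p, plugs the host end into
#   the bridge and moves the peer into the network namespace of
#   LEADER_PID; the peer is then invisible outside that namespace.
attach_session_veth() {
    sid=$1; pid=$2
    host_if="ve-$sid"; peer_if="ve-${sid}p"
    # refuse anything that is not a numeric process id
    case $pid in ''|*[!0-9]*) echo "bad pid: $pid" >&2; return 1;; esac
    run ip link add "$host_if" type veth peer name "$peer_if"
    run ip link set "$host_if" master "$BRIDGE" up
    run ip link set "$peer_if" netns "$pid"
    # the remaining steps run inside the session's namespace
    run nsenter -t "$pid" -n ip link set "$peer_if" name eth0 up
    run nsenter -t "$pid" -n ip link set lo up
}
```

Interface names are limited to 15 characters, so keep the session id short; the session leader must be the process that unshared, or the peer lands in the shared host namespace again.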