[lxc-devel] per-session network namespace question

Wilhelm Meier wilhelm.meier at fh-kl.de
Thu Oct 15 13:37:42 UTC 2009


Hi,

Daniel Lezcano wrote:
> Wilhelm Meier wrote:
>> Hi,
>>   
> 
> Hi Wilhelm,
> 
> I am not sure I understand your question. Can you elaborate a little bit ?

ok:
I would like to compare the desired function with pam_namespace: using 
pam_namespace (or fs-namespaces in general) one could set up a new 
fs-namespace when a user logs into the system. That is, mounts into this 
namespace are not visible from outside this namespace. This is 
especially useful for multiseat systems, where every user makes his own 
mounts for e.g. local devices.

So, what I'm looking for is the ability to do the same with 
network-namespaces. Imagine the use-case of an ssh-tunnel to a remote 
machine: the local end of the tunnel is visible to all users of the 
system, although it was authenticated only for the user who created it.
It would be nice if one could set up a new network-namespace for each user 
session, so that the local end of the above ssh-tunnel is only visible to the 
processes in this network-namespace.

> Thanks
>  -- Daniel
>> I'm looking for a possibility to dynamically set up a per-session 
>> network-namespace as a user logs into the machine. 
> The lxc tools allow doing that with the right configuration, you should 
> look at the lxc-sshd example.
> That runs a container with an sshd inside with its own network stack and 
> rootfs. 

As described above I don't want to start a full container with an sshd 
inside. I'm interested in restricting the access to a listening port and 
the visibility of this port to a group of processes. These processes are the 
descendants of the login/kdm-process.

> You can log in to the container with ssh.
>> Preferably this should be done via some sort of pam-module like 
>> pam-namespace.
>>
>> The difficulty I see here is to move the newly created vethx to the 
>> first process-id in the user-session.
>>   
> This is done automatically with lxc.
> 
> eg of configuration file:
> 
> lxc.network.type = veth
> lxc.network.flags = up
> lxc.network.link = br0
> lxc.network.name = eth0
> lxc.network.mtu = 1500
> 
> 

-- 
Wilhelm
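The per-session network namespace Wilhelm describes, as an added shell example that is not code from the thread or from lxc: a veth pair bridged to br0 (the bridge from the quoted lxc configuration), with the peer moved into a namespace that the session's first process is started in. It assumes a modern iproute2 with `ip netns`, short numeric session ids, and the constructed 10.200.0.0/24 address range.

```shell
#!/bin/sh
# Added example, not code from the thread. Gives each login session its own
# network namespace with a veth pair bridged to the host (br0 as in the
# quoted lxc config). Assumptions: iproute2 with "ip netns", a short numeric
# session id, the 10.200.0.0/24 range. DRY_RUN=1 prints the commands
# instead of executing them; real execution needs root.

BRIDGE="${BRIDGE:-br0}"

run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Namespace name for a user/session pair, e.g. sess-wilhelm-3
ns_name() {
    printf 'sess-%s-%s\n' "$1" "$2"
}

# $1 user, $2 session id, $3 host number for the session address.
# The veth peer is moved into the namespace, so a listener bound inside
# (e.g. the local end of an ssh -L tunnel) is invisible to other sessions.
session_netns_up() {
    ns=$(ns_name "$1" "$2")
    run ip netns add "$ns"
    run ip link add "vh$2" type veth peer name "ve$2"
    run ip link set "ve$2" netns "$ns"
    run ip link set "vh$2" master "$BRIDGE" up
    run ip netns exec "$ns" ip link set lo up
    run ip netns exec "$ns" ip link set "ve$2" name eth0
    run ip netns exec "$ns" ip link set eth0 up
    run ip netns exec "$ns" ip addr add "10.200.0.$3/24" dev eth0
}

# Start the session's first process (e.g. the X session or login shell)
# inside the namespace; all of its descendants inherit it.
session_netns_exec() {
    ns=$(ns_name "$1" "$2"); shift 2
    run ip netns exec "$ns" "$@"
}

# Deleting the namespace also destroys the veth pair, including the host end.
session_netns_down() {
    run ip netns del "$(ns_name "$1" "$2")"
}
```

Hook session_netns_up and session_netns_down into the session open/close steps (for instance via pam_exec) and wrap the session command with session_netns_exec; a tunnel bound inside then listens only on that namespace's interfaces.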
