[lxc-devel] per-session network namespace question

Daniel Lezcano daniel.lezcano at free.fr
Thu Oct 15 14:09:00 UTC 2009


Wilhelm Meier wrote:
> Hi,
>
> Daniel Lezcano schrieb:
>> Wilhelm Meier wrote:
>>> Hi,
>>>   
>>
>> Hi Wilhelm,
>>
>> I am not sure I understand your question. Can you elaborate a little 
>> bit ?
>
> ok:
> I would like to compare the desired function with pam_namespace: using 
> pam_namespace (or fs-namespaces in general) one could setup a new 
> fs-namespace if a user logs into the system. That is, mount into this 
> namespace are not visible from outside this namespace. This is 
> especially useful for multiseat-systems, where every user makes his 
> own mounts for e.g. local devices.
>
> So, what I'm looking for is the ability to do the same with 
> network-namespaces. Imagine the use-case of a ssh-tunnel to a remote 
> machine: the local end of the tunnel is visible for all users of the 
> system, although authenticated only for the user who created it.
> It would be nice, if one can setup a new network-namespace for each 
> user session, so that the above ssh-tunnel local end is only visible 
> to the processes in this network-namespace.

Ah, ok. Got it :)
It's a nice idea.
> As described above I don't want to start a full container with a sshd 
> inside. I'm interested in restricting the access to a listening port 
> and the visibility of this port to a group of processes. These processes 
> are the descendants of the login/kdm-process.

Hmm, the lxc tools isolate a lot of things by default: pid, ipc, 
utsname and mount points. The network is optional and configurable via a 
configuration file.

There is no way to use only the network namespace with the lxc tools 
except by using lxc-unshare, but this one does not configure the 
network for you.

My knowledge on pam is very limited, but maybe you can prototype by doing 
something like:

    lxc-execute -n $(pid) -f myconfig -- /bin/login

You can check if that does what you want by doing:

    lxc-execute -n foo -f myconfig /bin/bash

Thanks
  -- Daniel
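The message above names a config file ("myconfig") but does not show its contents. The following is an added example, not code from the thread or from the lxc project, of what such a per-session configuration could look like for the lxc tools of that era, together with the matching lxc-execute invocation. It assumes a host bridge named br0, a constructed 10.0.3.0/24 address range for the sessions, the lxc.network.* and lxc.utsname configuration keys of lxc 0.6, and a session name derived from the login process id instead of the `$(pid)` placeholder used above; none of these are stated in the thread.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): build a minimal lxc
# configuration that gives one login session its own network namespace,
# and produce the lxc-execute command line that launches /bin/login in it.
#
# Assumptions (constructed, not from the thread):
#   - the host has a bridge "br0" the session's veth pair attaches to
#   - sessions use addresses 10.0.3.<octet>/24
#   - lxc 0.6-era configuration keys (lxc.utsname, lxc.network.*)

# Print the configuration for one session.
#   $1 = session name (used for the utsname and the lxc-execute -n argument)
#   $2 = last octet of the session's IPv4 address
session_config() {
    name=$1
    octet=$2
    cat <<EOF
# constructed config: one veth pair, host side attached to br0.
# A port bound by a process in this session is only visible to
# processes sharing this network namespace, plus whatever the
# bridge forwards; it is not a listener on the host's own stack.
lxc.utsname = $name
lxc.network.type = veth
lxc.network.link = br0
lxc.network.flags = up
lxc.network.ipv4 = 10.0.3.$octet/24
EOF
}

# Print the command that starts a login inside the session's namespace.
#   $1 = session name, $2 = path of the config file written by session_config
session_command() {
    echo "lxc-execute -n $1 -f $2 -- /bin/login"
}

# Write the config for a session and print the command to run as root.
# Nothing is executed here; the caller decides when to run it.
prepare_session() {
    name=$1
    octet=$2
    conf=/tmp/$name.conf
    session_config "$name" "$octet" > "$conf"
    session_command "$name" "$conf"
}

# Example usage: a session named after the login process id (replaces the
# "$(pid)" placeholder of the original message), with address 10.0.3.42.
#   prepare_session "session-$$" 42
# prints:  lxc-execute -n session-<pid> -f /tmp/session-<pid>.conf -- /bin/login
```

To confirm the isolation this buys, start a listener inside the session (for example an ssh -L tunnel) and compare the listening sockets seen from inside the session with those seen from a host shell outside it; the tunnel's local end should appear only in the former. lxc-execute also unshares pid, ipc, utsname and mount namespaces, as the message notes, so a login started this way sees its own process table as well, not just its own network stack.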
