[lxc-devel] per-session network namespace question
Daniel Lezcano
daniel.lezcano at free.fr
Thu Oct 15 14:09:00 UTC 2009
Wilhelm Meier wrote:
> Hi,
>
> Daniel Lezcano schrieb:
>> Wilhelm Meier wrote:
>>> Hi,
>>>
>>
>> Hi Wilheim,
>>
>> I am not sure I understand your question. Can you elaborate a little
>> bit ?
>
> ok:
> I would like to compare the desired function with pam_namespace: using
> pam_namespace (or fs-namespaces in general) one could setup a new
> fs-namespace if a user logs into the system. That is, mounts into this
> namespace are not visible from outside this namespace. This is
> especially useful for multiseat-systems, where every user makes his
> own mounts for e.g. local devices.
>
> So, what I'm looking for is the ability to do the same with
> network-namespaces. Imagine the use-case of a ssh-tunnel to a remote
> machine: the local end of the tunnel is visible for all users of the
> system, although authenticated only for the user who created it.
> It would be nice, if one can setup a new network-namespace for each
> user session, so that the above ssh-tunnel local end is only visible
> to the processes in this network-namespace.
Ah, ok. Got it :)
It's a nice idea.
> As described above I don't want to start a full container with a sshd
> inside. I'm interested in restricting the access to a listening port
> and the visibility of this port to a group of processes. These processes
> are the descendants of the login/kdm-process.
Hmm, the lxc tools isolate a lot of things by default, pid, ipc,
utsname and mount points. The network is optional and configurable via a
configuration file.
There is no way to use only the network namespace with the lxc tools
except by using lxc-unshare, but this one does not configure the
network for you.
My knowledge on pam is very limited but maybe you can prototype by doing
something like:
lxc-execute -n $(pid) -f myconfig -- /bin/login
You can check if that does what you want by doing: lxc-execute -n foo -f
myconfig /bin/bash
Thanks
-- Daniel
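The "myconfig" file in the reply above is left unspecified. As an added example (not code from the thread or from the lxc project), here is a POSIX sh prototype of the per-session setup: it generates the network part of the lxc config using the legacy lxc.network.* keys of the lxc releases of that era, derives a per-session container name the way the reply's "$(pid)" suggests, and runs /bin/login inside the namespace. The bridge name "br0" and the address "10.0.3.2/24" are assumptions; the pid, ipc, utsname and mount namespaces are still unshared by lxc-execute by default, as the reply notes.

```shell
#!/bin/sh
# Added example, not from the original thread or the lxc project.
# Assumes legacy lxc config keys (lxc.network.*), a host bridge "br0"
# and lxc-execute in PATH. Must run as root to create the namespace.

# Emit the lxc config for one login session: a veth pair attached to
# the host bridge, so processes in the session have their own network
# stack. $1 = session id, $2 = host bridge, $3 = IPv4 address/prefix
session_netconfig() {
    printf 'lxc.utsname = sess-%s\n' "$1"
    printf 'lxc.network.type = veth\n'
    printf 'lxc.network.flags = up\n'
    printf 'lxc.network.link = %s\n' "$2"
    printf 'lxc.network.name = eth0\n'
    printf 'lxc.network.ipv4 = %s\n' "$3"
}

# Container name derived from the session id, so concurrent logins get
# distinct namespaces (the reply's "-n $(pid)" idea).
session_name() {
    printf 'sess-%s' "$1"
}

# Write the config and start /bin/login inside the new namespace.
# A port opened by the login's descendants (e.g. the local end of an
# ssh tunnel) is then listed by netstat only inside this namespace.
run_session_login() {
    sid="$1"; bridge="${2:-br0}"; addr="${3:-10.0.3.2/24}"
    cfg="/tmp/lxc-$(session_name "$sid").conf"
    session_netconfig "$sid" "$bridge" "$addr" > "$cfg"
    lxc-execute -n "$(session_name "$sid")" -f "$cfg" -- /bin/login
}

# Quick check of the isolation, as the reply suggests with /bin/bash:
# run netstat inside the session namespace and compare with the host.
session_listening_ports() {
    sid="$1"
    lxc-execute -n "$(session_name "$sid")" \
        -f "/tmp/lxc-$(session_name "$sid").conf" -- netstat -ltn
}
```

Run `run_session_login "$$"` as root to start a login inside its own network namespace; `netstat -ltn` on the host should then not show ports that `session_listening_ports "$$"` reports from inside.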