[lxc-devel] per-session network namespace question

Wilhelm Meier wilhelm.meier at fh-kl.de
Fri Oct 16 05:02:54 UTC 2009



Daniel Lezcano wrote:
> Wilhelm Meier wrote:
>> Hi,
>>
>> Daniel Lezcano wrote:
>>> Wilhelm Meier wrote:
>>>> Hi,
>>>>   
>>>
>>> Hi Wilhelm,
>>>
>>> I am not sure I understand your question. Can you elaborate a little 
>>> bit ?
>>
>> ok:
>> I would like to compare the desired function with pam_namespace: using 
>> pam_namespace (or fs-namespaces in general) one could set up a new 
>> fs-namespace if a user logs into the system. That is, mounts into this 
>> namespace are not visible from outside this namespace. This is 
>> especially useful for multiseat-systems, where every user makes his 
>> own mounts for e.g. local devices.
>>
>> So, what I'm looking for is the ability to do the same with 
>> network-namespaces. Imagine the use-case of a ssh-tunnel to a remote 
>> machine: the local end of the tunnel is visible for all users of the 
>> system, although authenticated only for the user who created it.
>> It would be nice if one could set up a new network-namespace for each 
>> user session, so that the above ssh-tunnel local end is only visible 
>> to the processes in this network-namespace.
> 
> Ah, ok. Got it :)
> It's a nice idea.
>> As described above I don't want to start a full container with an sshd 
>> inside. I'm interested in restricting the access to a listening port 
>> and the visibility of this port to a group of processes. These processes 
>> are the descendants of the login/kdm-process.
> 
> Hmm, the lxc tools isolate a lot of things by default: pid, ipc, 
> utsname and mount points. The network is optional and configurable via a 
> configuration file.
> 
> There is no way to use only the network namespace with the lxc tools 
> except by using lxc-unshare, but that one does not configure the 
> network for you.

Well, with the help of the lxc-tools source it should be possible to 
code a pam-module for this purpose.

I admit that I haven't had the time to do some testing with the lxc-tools, 
but one question still remains:

Imagine the case of login/kdm: they fork a new process to perform the 
login, that is, this process uses the pam-stack. If we develop a 
pam-module for network-namespace setup, this module can set up and 
configure a veth-pair and then unshare the process from the original 
network-namespace. But how can we then (after the unshare) move the 
vethx from the original ns to the new ns? After the unshare the 
veth-pair is invisible to the login-process that has already called the 
pam-module.
I can imagine a helper-process started before the unshare which waits 
for the unshare to complete (some sort of trigger-mechanism necessary) 
and then does the veth-move. Or is there a possibility to mark the 
veth-dev as to be moved when the unshare call happens?

Thanks for your comments!

> My knowledge of pam is very limited, but maybe you can prototype by doing 
> something like:
> 
>    lxc-execute -n $(pid) -f myconfig -- /bin/login
> 
> You can check if that does what you want by doing: lxc-execute -n foo -f 
> myconfig /bin/bash
> 
> Thanks
>  -- Daniel

-- 
Wilhelm
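The helper-process approach asked about in the message above, worked through as an added example; this is not code from the lxc project or from anyone in this thread. It assumes Linux, CAP_NET_ADMIN (root) for the demo in main(), iproute2's `ip` only to create the pair (the names veth0/veth1 are chosen here), and a kernel with /proc/<pid>/ns/net (Linux 3.0 and later) for the namespace check. The move itself is an RTM_NEWLINK request carrying IFLA_NET_NS_PID, the same request `ip link set DEV netns PID` sends; since the kernel looks the device up in the caller's namespace, it has to be sent by a process that still sees veth1, so the helper is forked before unshare() and released through a pipe once the parent has unshared.

```c
/* Added example (not lxc code): move a veth peer into a freshly unshared
 * network namespace from a helper that stays in the original one. Linux
 * only; main() needs CAP_NET_ADMIN and iproute2's `ip` to create the pair.
 * The names veth0/veth1 are chosen for this example. */
#define _GNU_SOURCE
#include <errno.h>
#include <net/if.h>
#include <sched.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <unistd.h>
#include <linux/netlink.h>
#include <linux/rtnetlink.h>

/* RTM_NEWLINK request: "put interface ifi_index into the netns of pid". */
struct move_req {
    struct nlmsghdr  nh;
    struct ifinfomsg ifi;
    struct rtattr    rta;   /* IFLA_NET_NS_PID */
    pid_t            pid;
};

/* Pure builder, checkable without privileges; returns the request length. */
size_t build_move_request(struct move_req *r, int ifindex, pid_t pid)
{
    memset(r, 0, sizeof *r);
    r->nh.nlmsg_len   = sizeof *r;
    r->nh.nlmsg_type  = RTM_NEWLINK;
    r->nh.nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
    r->nh.nlmsg_seq   = 1;
    r->ifi.ifi_family = AF_UNSPEC;
    r->ifi.ifi_index  = ifindex;
    r->rta.rta_type   = IFLA_NET_NS_PID;
    r->rta.rta_len    = RTA_LENGTH(sizeof pid);
    r->pid            = pid;
    return r->nh.nlmsg_len;
}

/* The request `ip link set IFNAME netns PID` sends. Must run in a netns
 * where IFNAME is visible. Returns 0 or a negative errno. */
int move_link_to_netns_pid(const char *ifname, pid_t pid)
{
    int ifindex = if_nametoindex(ifname);
    if (ifindex == 0) return -errno;          /* ENODEV: not visible here */
    int fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE);
    if (fd < 0) return -errno;
    struct move_req req;
    size_t len = build_move_request(&req, ifindex, pid);
    struct sockaddr_nl kernel = { .nl_family = AF_NETLINK };  /* nl_pid 0 = kernel */
    char buf[256]; ssize_t n = 0;
    int rc = -EPROTO;
    if (sendto(fd, &req, len, 0, (struct sockaddr *)&kernel, sizeof kernel) < 0 ||
        (n = recv(fd, buf, sizeof buf, 0)) < 0) {
        rc = -errno;
    } else {
        struct nlmsghdr *nh = (struct nlmsghdr *)buf;
        /* Kernel acks with NLMSG_ERROR; error == 0 means success. */
        if (NLMSG_OK(nh, (size_t)n) && nh->nlmsg_type == NLMSG_ERROR)
            rc = ((struct nlmsgerr *)NLMSG_DATA(nh))->error;
    }
    close(fd);
    return rc;
}

/* Inode of /proc/<pid>/ns/net names a netns (Linux 3.0+); 0 on error. */
unsigned long netns_inode(pid_t pid)
{
    char path[64];
    struct stat st;
    snprintf(path, sizeof path, "/proc/%d/ns/net", (int)pid);
    return stat(path, &st) == 0 ? (unsigned long)st.st_ino : 0;
}

int main(void)
{
    int trig[2];   /* parent -> helper: "unshare done, move veth1 now" */
    if (pipe(trig) != 0 || system("ip link add veth0 type veth peer name veth1") != 0)
        return 1;
    pid_t helper = fork();
    if (helper < 0) return 1;
    if (helper == 0) {   /* helper keeps the original netns, so it sees veth1 */
        char go;
        if (read(trig[0], &go, 1) != 1) _exit(2);
        int rc = move_link_to_netns_pid("veth1", getppid());
        if (rc) fprintf(stderr, "move failed: %s\n", strerror(-rc));
        _exit(rc ? 3 : 0);
    }
    unsigned long before = netns_inode(getpid());
    if (unshare(CLONE_NEWNET) != 0) { perror("unshare"); return 1; }
    printf("netns %lu -> %lu; veth1 visible before move: %s\n", before,
           netns_inode(getpid()), if_nametoindex("veth1") ? "yes" : "no");
    if (write(trig[1], "x", 1) != 1) return 1;   /* release the helper */
    int status = 0; waitpid(helper, &status, 0);
    printf("veth1 visible after move: %s\n", if_nametoindex("veth1") ? "yes" : "no");
    return WIFEXITED(status) ? WEXITSTATUS(status) : 1;
}
```

In a PAM module the same shape applies: fork the helper from the module before calling unshare(), keep the pipe as the trigger, and have the helper exit once the move has been acknowledged. The demo leaves veth0 behind in the original namespace (remove it with `ip link del veth0`), and nothing in it brings the interfaces up or assigns addresses; that configuration has to happen inside the new namespace after the move.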