[lxc-devel] per-session network namespace question

Daniel Lezcano daniel.lezcano at free.fr
Fri Oct 16 08:58:37 UTC 2009


Wilhelm Meier wrote:
>
>
> Daniel Lezcano schrieb:
>> Wilhelm Meier wrote:
>>> Hi,
>>>
>>> Daniel Lezcano schrieb:
>>>> Wilhelm Meier wrote:
>>>>> Hi,
>>>>>   
>>>>
>>>> Hi Wilheim,
>>>>
>>>> I am not sure I understand your question. Can you elaborate a 
>>>> little bit ?
>>>
>>> ok:
>>> I would like to compare the desired function with pam_namespace: 
>>> using pam_namespace (or fs-namespaces in general) one could setup a 
>>> new fs-namespace if a user logs into the system. That is, mount into 
>>> this namespace are not visible from outside this namespace. This is 
>>> especially useful for multiseat-systems, where every user makes his 
>>> own mounts for e.g. local devices.
>>>
>>> So, what I'm looking for is the ability to do the same with 
>>> network-namespaces. Imagine th use-case of a ssh-tunnel to a remote 
>>> machine: the local end of the tunnel is visible for all users of the 
>>> system, although authenticated only for the user who created it.
>>> It would be nice, if one can setup a new network-namespace for each 
>>> user session, so that the above ssh-tunnel local end is only visible 
>>> to the processes in this network-namespace.
>>
>> Ah, ok. Got it :)
>> Is's a nice idea.
>>> As described above I don't want to start a full container with a 
>>> sshd inside. I'm interested in restricting the access to a listening 
>>> port and the visibilty of this port a group of processes. These 
>>> processes are the descendents of the login/kdm-process.
>>
>> Hmm, the lxc tools isolates a lot of things by default, pid, ipc, 
>> utsname and mount points. The network is optional and configurable 
>> via a configuration file.
>>
>> There is no way to use only the network namespace with the lxc tools 
>> except by using the lxc-unshare but this one does not configure the 
>> network for you.
>
> Well, with the help of the lxc-tools source it should be possible to 
> code a pam-module for this purpose.
Yes, especially the netlink.[ch] + network.[ch] should be useful ;)

Be aware the network namespace isolates af_unix socket and creates a new 
loopback instance, hence you won't be able to use syslog, neither any 
rpc applications (eg. nfs, mountd, ...).

>
> I admit that I hadn't the time to do some testing with the lxc-tools, 
> but one question still remains:
>
> Imagine the case of a login/kdm: they fork a new process to perform 
> the login, that is this process uses the pam-stack. If we develop a 
> pam-module for network-namespace setup, this module can setup and 
> configure a veth-pair and then unshare the process from the original 
> network-namespace. But how can we then (after the unshare) move the 
> vethx from the original ns to the new ns? After the unshare the 
> veth-pair is unvisible to the login-process that has already called 
> the pam-module.
Correct.
> I can imagine a helper-process started before the unshare which waits 
> for the unshare to complete (some sort of trigger-mechnism neccessary) 
> and then does the veth-move. 
Yes, right. When I played with the network namespace using the unshare 
instead of the clone, I used this approach, with a sync pipe, that works 
well.

> Or is there a possibility the mark the veth-dev as to be moved when 
> the unshared-call happens?
This mechanism was not implemented because that can be done in userspace 
with a simple function doing what you described right before.

eg :  unshare_network(char *netdev[], size_t howmany);

> Thanks for yout comments!
You are welcome :)

Thanks
  -- Daniel




More information about the lxc-devel mailing list