[lxc-devel] per-session network namespace question

Wilhelm Meier wilhelm.meier at fh-kl.de
Thu Oct 22 04:12:43 UTC 2009 


Daniel Lezcano schrieb:
> Wilhelm Meier wrote:
>>
>>
>> Daniel Lezcano schrieb:
>>> Wilhelm Meier wrote:
>>>> Hi,
>>>>
>>>> Daniel Lezcano schrieb:
>>>>> Wilhelm Meier wrote:
>>>>>> Hi,
>>>>>>   
>>>>>
>>>>> Hi Wilheim,
>>>>>
>>>>> I am not sure I understand your question. Can you elaborate a 
>>>>> little bit ?
>>>>
>>>> ok:
>>>> I would like to compare the desired function with pam_namespace: 
>>>> using pam_namespace (or fs-namespaces in general) one could setup a 
>>>> new fs-namespace if a user logs into the system. That is, mount into 
>>>> this namespace are not visible from outside this namespace. This is 
>>>> especially useful for multiseat-systems, where every user makes his 
>>>> own mounts for e.g. local devices.
>>>>
>>>> So, what I'm looking for is the ability to do the same with 
>>>> network-namespaces. Imagine th use-case of a ssh-tunnel to a remote 
>>>> machine: the local end of the tunnel is visible for all users of the 
>>>> system, although authenticated only for the user who created it.
>>>> It would be nice, if one can setup a new network-namespace for each 
>>>> user session, so that the above ssh-tunnel local end is only visible 
>>>> to the processes in this network-namespace.
>>>
>>> Ah, ok. Got it :)
>>> Is's a nice idea.
>>>> As described above I don't want to start a full container with a 
>>>> sshd inside. I'm interested in restricting the access to a listening 
>>>> port and the visibilty of this port a group of processes. These 
>>>> processes are the descendents of the login/kdm-process.
>>>
>>> Hmm, the lxc tools isolates a lot of things by default, pid, ipc, 
>>> utsname and mount points. The network is optional and configurable 
>>> via a configuration file.
>>>
>>> There is no way to use only the network namespace with the lxc tools 
>>> except by using the lxc-unshare but this one does not configure the 
>>> network for you.
>>
>> Well, with the help of the lxc-tools source it should be possible to 
>> code a pam-module for this purpose.
> Yes, especially the netlink.[ch] + network.[ch] should be useful ;)
> 
> Be aware the network namespace isolates af_unix socket 

Does this mean that a process in the new network namespace can't 
reach/connect a socket that was created in another namespace but visible 
in the filesystem. An important example would be the dbus-socket in 
/var/run/dbus for the system-dbus instance.

If this is the case is there a way to circumvent the problem (for dbus: 
afaik one can create an additional dbus listen address, so it should be 
possible to setup a tcp-listen-address on the vethx interface in the 
root network-namespace)

and creates a new
> loopback instance, hence you won't be able to use syslog, neither any 
> rpc applications (eg. nfs, mountd, ...).
> 
>>
>> I admit that I hadn't the time to do some testing with the lxc-tools, 
>> but one question still remains:
>>
>> Imagine the case of a login/kdm: they fork a new process to perform 
>> the login, that is this process uses the pam-stack. If we develop a 
>> pam-module for network-namespace setup, this module can setup and 
>> configure a veth-pair and then unshare the process from the original 
>> network-namespace. But how can we then (after the unshare) move the 
>> vethx from the original ns to the new ns? After the unshare the 
>> veth-pair is unvisible to the login-process that has already called 
>> the pam-module.
> Correct.
>> I can imagine a helper-process started before the unshare which waits 
>> for the unshare to complete (some sort of trigger-mechnism neccessary) 
>> and then does the veth-move. 
> Yes, right. When I played with the network namespace using the unshare 
> instead of the clone, I used this approach, with a sync pipe, that works 
> well.
> 
>> Or is there a possibility the mark the veth-dev as to be moved when 
>> the unshared-call happens?
> This mechanism was not implemented because that can be done in userspace 
> with a simple function doing what you described right before.
> 
> eg :  unshare_network(char *netdev[], size_t howmany);
> 
>> Thanks for yout comments!
> You are welcome :)
> 
> Thanks
>  -- Daniel
>  From - Mon

-- 
Wilhelm

More information about the lxc-devel mailing list