[lxc-users] Unprivileged networking option?
Serge E. Hallyn
serge at hallyn.com
Fri Feb 28 19:09:45 UTC 2020
On Fri, Feb 28, 2020 at 02:34:25PM +0100, Ede Wolf wrote:
> Hello,
>
> do we have any alternatives to classical bridging right now for connecting
> (to) unprivileged containers? Like macvlan or ipvlan?
>
> If so, I may have missed the documentation; otherwise, are there any plans
> to incorporate those options? Or maybe there are sound reasons not to do so at
> all?
Hi,
There are a few places where Dinesh has done presentations like
https://ostconf.com/en/materials/2478
about the idea of intercepting some core networking calls in containers,
from the container runtime. As a very barbaric example, you could run
the container under ptrace, intercept connect() and bind() calls, do those
actions on their behalf in the parent namespace, pass the sockets back,
and allow the container to proceed as if it had done the connection itself.
The somewhat recent seccomp-ptrace stuff should make that much more
civilized.
-serge
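The handoff Serge sketches, as an added example that is not code from this thread or from LXC: a helper process performs connect() on behalf of a sandboxed child and passes the connected socket back over a UNIX socketpair with SCM_RIGHTS. The child here simply writes the sockaddr it wanted down the socketpair instead of having its connect() intercepted by ptrace or seccomp notify, and all function names are mine.

```c
#define _GNU_SOURCE
#include <arpa/inet.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>
/* Pass one file descriptor over a UNIX socketpair using SCM_RIGHTS. */
static int send_fd(int chan, int fd) {
    char byte = 0, buf[CMSG_SPACE(sizeof fd)];
    struct iovec iov = { &byte, 1 };
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
                          .msg_control = buf, .msg_controllen = sizeof buf };
    struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
    c->cmsg_level = SOL_SOCKET; c->cmsg_type = SCM_RIGHTS; c->cmsg_len = CMSG_LEN(sizeof fd);
    memcpy(CMSG_DATA(c), &fd, sizeof fd);
    return sendmsg(chan, &msg, 0) == 1 ? 0 : -1;
}
/* Receive the descriptor sent by send_fd(); returns -1 on failure. */
static int recv_fd(int chan) {
    char byte, buf[CMSG_SPACE(sizeof(int))];
    struct iovec iov = { &byte, 1 };
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
                          .msg_control = buf, .msg_controllen = sizeof buf };
    if (recvmsg(chan, &msg, 0) != 1) return -1;
    struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
    if (!c || c->cmsg_type != SCM_RIGHTS) return -1;
    int fd; memcpy(&fd, CMSG_DATA(c), sizeof fd);
    return fd;
}
/* Returns 1 if the child's bytes arrived over the helper-made connection. */
int proxied_connect_demo(void) {
    int chan[2], ls = socket(AF_INET, SOCK_STREAM, 0), s, n;
    struct sockaddr_in a = { .sin_family = AF_INET }, req;
    socklen_t al = sizeof a; char got[2] = { 0 };
    a.sin_addr.s_addr = htonl(INADDR_LOOPBACK);      /* port 0: kernel picks */
    if (bind(ls, (struct sockaddr *)&a, al) || listen(ls, 1) ||
        getsockname(ls, (struct sockaddr *)&a, &al) ||
        socketpair(AF_UNIX, SOCK_STREAM, 0, chan)) return 0;
    if (fork() == 0) {          /* "container": sends the sockaddr it wanted */
        if (write(chan[1], &a, al) == (ssize_t)al && (s = recv_fd(chan[1])) >= 0)
            n = write(s, "hi", 2);   /* uses the socket as if it had connected */
        _exit(0);
    }
    if (read(chan[0], &req, sizeof req) != (ssize_t)sizeof req) return 0;  /* helper side */
    s = socket(AF_INET, SOCK_STREAM, 0);
    if (connect(s, (struct sockaddr *)&req, sizeof req) || send_fd(chan[0], s)) return 0;
    close(s);                   /* the child now holds the only reference */
    n = read(accept(ls, NULL, NULL), got, 2);
    wait(NULL);
    return n == 2 && memcmp(got, "hi", 2) == 0;
}
```

In a real runtime the helper would also decide, before connecting, whether the requested address is one the container is allowed to reach; that policy check is the whole point of doing the call outside the container.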