[lxc-users] Unprivileged networking option?

Christian Brauner christian at brauner.io
Fri Feb 28 19:12:17 UTC 2020


On February 28, 2020 8:09:45 PM GMT+01:00, "Serge E. Hallyn" <serge at hallyn.com> wrote:
>On Fri, Feb 28, 2020 at 02:34:25PM +0100, Ede Wolf wrote:
>> Hello,
>> 
>> do we have any alternatives to classical bridging right now for connecting
>> (to) unprivileged containers? Like macvlan or ipvlan?
>> 
>> If so, I may have missed the documentation, otherwise, are there any plans
>> to incorporate those options? Or maybe there are sound reasons not to at
>> all?
>
>Hi,
>
>
>There are a few places where Dinesh has done presentations like
>
>	https://ostconf.com/en/materials/2478
>
>about the idea of intercepting some core networking calls in containers,
>from the container runtime.  As a very barbaric example, you could run
>the container under ptrace, intercept connect() and bind() calls, do those
>actions on their behalf in the parent namespace, pass the sockets back,
>and allow the container to proceed as if it had done the connection itself.
>The somewhat recent seccomp-ptrace stuff should make that much more
>civilized.
>
>-serge
>_______________________________________________
>lxc-users mailing list
>lxc-users at lists.linuxcontainers.org
>http://lists.linuxcontainers.org/listinfo/lxc-users

You know I've landed pidfd_getfd() too, right? :)
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=8649c322f75c96e7ced2fec201e123b2b073bf09
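The "do the bind() on the container's behalf in the parent namespace and pass the socket back" step Serge describes can be shown in isolation. The following is an added example, not code from this thread or from LXC: it skips the ptrace/seccomp interception and just has a forked broker process perform the bind() and hand the resulting socket back over a UNIX socket with SCM_RIGHTS (the hand-back half of the scheme; a runtime using seccomp notify would use the kernel's add-fd ioctl instead). Both processes share one network namespace here, and `delegated_bind_demo`, `serve_bind_request`, `send_fd` and `recv_fd` are names chosen for this example.

```c
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <netinet/in.h>

union fdmsg { struct cmsghdr hdr; char buf[CMSG_SPACE(sizeof(int))]; }; /* aligned room for one fd */

/* Send one descriptor over a UNIX stream socket via SCM_RIGHTS; 0 on success. */
static int send_fd(int chan, int fd) {
    char byte = 'S';                              /* at least one payload byte is required */
    struct iovec iov = { .iov_base = &byte, .iov_len = 1 };
    union fdmsg u = {0};
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1, .msg_control = u.buf, .msg_controllen = sizeof u.buf };
    struct cmsghdr *cm = CMSG_FIRSTHDR(&msg);
    cm->cmsg_level = SOL_SOCKET; cm->cmsg_type = SCM_RIGHTS; cm->cmsg_len = CMSG_LEN(sizeof(int));
    memcpy(CMSG_DATA(cm), &fd, sizeof(int));
    return sendmsg(chan, &msg, 0) == 1 ? 0 : -1;
}

/* Receive a descriptor sent by send_fd(); returns the new local fd or -1. */
static int recv_fd(int chan) {
    char byte;
    struct iovec iov = { .iov_base = &byte, .iov_len = 1 };
    union fdmsg u = {0};
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1, .msg_control = u.buf, .msg_controllen = sizeof u.buf };
    if (recvmsg(chan, &msg, 0) != 1) return -1;
    struct cmsghdr *cm = CMSG_FIRSTHDR(&msg);
    if (!cm || cm->cmsg_level != SOL_SOCKET || cm->cmsg_type != SCM_RIGHTS) return -1;
    int fd; memcpy(&fd, CMSG_DATA(cm), sizeof(int));
    return fd;
}

/* Broker (stands in for the runtime in the parent namespace): bind() on the container's behalf, hand the socket back. */
static int serve_bind_request(int chan) {
    struct sockaddr_in a = { .sin_family = AF_INET, .sin_addr.s_addr = htonl(INADDR_ANY) }; /* port 0: kernel picks */
    int s = socket(AF_INET, SOCK_STREAM, 0);
    if (s < 0 || bind(s, (struct sockaddr *)&a, sizeof a) < 0) return -1;
    int r = send_fd(chan, s); close(s); return r;
}

/* "Container" side: ends up holding a bound socket without ever calling bind(). Returns the bound port (> 0) or -1. */
int delegated_bind_demo(void) {
    int sv[2]; if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) return -1;
    pid_t pid = fork();
    if (pid == 0) { close(sv[1]); _exit(serve_bind_request(sv[0]) == 0 ? 0 : 1); }
    close(sv[0]); int fd = recv_fd(sv[1]); close(sv[1]);
    waitpid(pid, NULL, 0); if (fd < 0) return -1;
    struct sockaddr_in a; socklen_t len = sizeof a;
    int port = getsockname(fd, (struct sockaddr *)&a, &len) == 0 ? ntohs(a.sin_port) : -1;
    close(fd); return port;
}
```

The receiving process can listen() and accept() on the returned descriptor even though the socket was created and bound by the broker, which is exactly why the descriptor, not the address, has to be the unit that crosses the boundary.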

