[lxc-users] Unprivileged networking option?

Serge E. Hallyn serge at hallyn.com
Fri Feb 28 19:15:09 UTC 2020


On Fri, Feb 28, 2020 at 08:12:17PM +0100, Christian Brauner wrote:
> On February 28, 2020 8:09:45 PM GMT+01:00, "Serge E. Hallyn" <serge at hallyn.com> wrote:
> >On Fri, Feb 28, 2020 at 02:34:25PM +0100, Ede Wolf wrote:
> >> Hello,
> >> 
> >> Do we have any alternatives to classical bridging right now for connecting
> >> (to) unprivileged containers? Like macvlan or ipvlan?
> >> 
> >> If so, I may have missed the documentation, otherwise, are there any plans
> >> to incorporate those options? Or maybe there are sound reasons not to do so at
> >> all?
> >
> >Hi,
> >
> >
> >There are a few places where Dinesh has done presentations like
> >
> >	https://ostconf.com/en/materials/2478
> >
> >about the idea of intercepting some core networking calls in containers,
> >from the container runtime.  As a very barbaric example, you could run
> >the container under ptrace, intercept connect() and bind() calls, do those
> >actions on their behalf in the parent namespace, pass the sockets back,
> >and allow the container to proceed as if it had done the connection itself.
> >The somewhat recent seccomp-ptrace stuff should make that much more civilized.
> >
> >-serge
> >_______________________________________________
> >lxc-users mailing list
> >lxc-users at lists.linuxcontainers.org
> >http://lists.linuxcontainers.org/listinfo/lxc-users
> 
> You know I've landed pidfd_getfd() too, right? :)
> https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=8649c322f75c96e7ced2fec201e123b2b073bf09

sweet.

but have you put it all together and put a bow on it yet :)

thanks,
-serge

