Comments (9)
Maybe --iface_own will work for you? It doesn't need --disable_clone_newnet, but will require running from root.
The idea is to create a veth pair, and then nsjail --iface_own [one_of_veths]
from nsjail.
Just a small followup: it seems like veth might be a good alternative to macvlan in this scenario.
@q3k was interested in cleaning up this area. Serge, do you still have any plans to work on that? If not, I might take a look at some point in the future.
@rfw If you feel strongly about that, feel free to propose some ideas or/and code
I've managed to kludge around it by creating a veth interface and adding a macvlan on the veth interface's peer – it works, but it's not pretty.
I took a stab at changing the code to support veth directly but wasn't sure how you'd like the command line interface to look for different network types.
What about starting with the config file (in protobuf). Maybe creating a message (subsection) like Networking would be good?
Is anybody working on a branch with these proposed changes somewhere? I'm considering adding a --phys_interface option for the (admittedly less common) case where there is a spare physical interface available to dedicate to a server running in a container, and don't want to have a bunch of conflicts with similar changes being worked on elsewhere.
Some time ago I was thinking of ripping out SLIRP code from QEmu to create a userspace NAT for nsjail containers. However, I haven't yet had time to do this, especially as that code is quite ugly (and the licensing issue is nontrivial, too). I then yakshaved this into thinking of recreating a SLIRP alternative. And then I left Google :).
If anyone wants to take this on, I wouldn't mind - it seems like a fairly fun and self-contained project. Otherwise I might take a look some day.
For anyone out there, I currently work around this issue by using --disable_clone_newnet.
Example:
# This whole netns and veth thing is a
# workaround because nsjail doesn't support
# veth yet, see https://github.com/google/nsjail/issues/20
ip link set dev boxveth1 down || true
ip link delete boxveth1 || true
ip netns delete boxns || true
ip link add boxveth1 type veth peer name boxveth2
ip netns add boxns
ip link set boxveth2 netns boxns
ip link set dev boxveth1 up
ifconfig boxveth1 10.1.1.1/24 up
ip netns exec boxns ip link set dev boxveth2 up
ip netns exec boxns ifconfig boxveth2 10.1.1.2/24 up
exec ip netns exec boxns nsjail --disable_clone_newnet ...
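The two approaches in this thread (the veth + network-namespace workaround with --disable_clone_newnet above, and the --iface_own route from the first comment) as one reusable script. This is an added example, not code from the nsjail project or from anyone in the thread. It keeps the thread's names (boxveth1, boxveth2, boxns, 10.1.1.0/24) as defaults; the function names, the DRY_RUN switch and the interface-name check are my own assumptions. DRY_RUN=1 prints the privileged ip(8) / nsjail commands instead of executing them, so the sequence can be reviewed before it is run as root.

```shell
#!/bin/sh
# Added example, not code from nsjail or from anyone in this thread.
# Wraps the veth + netns workaround into functions and adds DRY_RUN=1,
# which prints the privileged commands instead of running them.

# check_ifname NAME: Linux interface names are 1..15 bytes (IFNAMSIZ is 16
# including the NUL) and may not contain '/' or whitespace.
check_ifname() {
    name=$1
    [ -n "$name" ] && [ ${#name} -le 15 ] || return 1
    case $name in
        *[/[:space:]]*) return 1 ;;
    esac
    return 0
}

# run CMD...: execute CMD, or print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# teardown_veth_netns HOST_IF NS: remove leftovers from a previous run.
# Deleting the namespace also destroys the peer that was moved into it.
teardown_veth_netns() {
    run ip link delete "$1" 2>/dev/null || true
    run ip netns delete "$2" 2>/dev/null || true
}

# setup_veth_netns HOST_IF JAIL_IF NS HOST_CIDR JAIL_CIDR
# Option A (the thread's workaround): build a veth pair, move one end into
# a fresh namespace NS and address both ends. nsjail is later started
# *inside* NS with --disable_clone_newnet so it reuses that namespace.
setup_veth_netns() {
    host_if=$1 jail_if=$2 ns=$3 host_cidr=$4 jail_cidr=$5
    check_ifname "$host_if" && check_ifname "$jail_if" || return 1
    teardown_veth_netns "$host_if" "$ns"
    run ip link add "$host_if" type veth peer name "$jail_if" || return 1
    run ip netns add "$ns" || return 1
    run ip link set "$jail_if" netns "$ns"
    run ip addr add "$host_cidr" dev "$host_if"
    run ip link set dev "$host_if" up
    run ip netns exec "$ns" ip link set dev lo up
    run ip netns exec "$ns" ip addr add "$jail_cidr" dev "$jail_if"
    run ip netns exec "$ns" ip link set dev "$jail_if" up
}

# jail_in_netns NS NSJAIL_ARGS...: launch nsjail inside NS (option A).
jail_in_netns() {
    ns=$1; shift
    run ip netns exec "$ns" nsjail --disable_clone_newnet "$@"
}

# jail_own_iface HOST_IF JAIL_IF HOST_CIDR NSJAIL_ARGS...
# Option B (first comment): no manual namespace; nsjail's --iface_own moves
# JAIL_IF into the jail's own network namespace (needs root). Addressing
# JAIL_IF inside the jail is left to the jailed command.
jail_own_iface() {
    host_if=$1 jail_if=$2 host_cidr=$3; shift 3
    check_ifname "$host_if" && check_ifname "$jail_if" || return 1
    run ip link delete "$host_if" 2>/dev/null || true
    run ip link add "$host_if" type veth peer name "$jail_if" || return 1
    run ip addr add "$host_cidr" dev "$host_if"
    run ip link set dev "$host_if" up
    run nsjail --iface_own "$jail_if" "$@"
}

# Usage (review first with DRY_RUN=1, then run as root without it):
#   DRY_RUN=1 sh -c '. ./veth_nsjail.sh;
#     setup_veth_netns boxveth1 boxveth2 boxns 10.1.1.1/24 10.1.1.2/24;
#     jail_in_netns boxns --chroot / -- /bin/sh'
```

The teardown runs before setup so a crashed previous run (stale veth or namespace) does not make `ip link add` fail, and the interface-name check catches the 15-byte limit before the kernel rejects the name with a less obvious error.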
@robertswiecki Ah, thank you! My package manager was using an old version; updating gave me this option.