Date: Thu, 24 Dec 2020 16:22:14 +0000
From: Arthur Chance <freebsd@qeng-ho.org>
To: Ihor Antonov <ihor@antonovs.family>, freebsd-questions@freebsd.org
Subject: Re: Network namespaces in FreeBSD
Message-ID: <9a80d70b-3f37-09ac-825f-c87e2c3e4925@qeng-ho.org>
In-Reply-To: <25fbf315-7aec-853c-cf69-a805805bd06e@antonovs.family>
References: <SG2PR01MB2443D481AC24AF7207218E0EF1DE0.ref@SG2PR01MB2443.apcprd01.prod.exchangelabs.com> <SG2PR01MB2443D481AC24AF7207218E0EF1DE0@SG2PR01MB2443.apcprd01.prod.exchangelabs.com> <20201223182227.da6c11d3604eb07bb4f18ce5@sohara.org> <A577602D-C1A9-4B6E-822E-03641A4070A0@FreeBSD.org> <2581038e-fa0f-231d-ae33-1b42d50c8600@antonovs.family> <e59209c3-af09-68e9-c78d-ddf70909f354@qeng-ho.org> <25fbf315-7aec-853c-cf69-a805805bd06e@antonovs.family>
On 24/12/2020 16:14, Ihor Antonov wrote:
> On 12/24/20 1:07 AM, Arthur Chance wrote:
>> On 23/12/2020 18:40, Ihor Antonov wrote:
>>> On 12/23/20 10:32 AM, Kristof Provost wrote:
>>>> On 23 Dec 2020, at 19:22, Steve O'Hara-Smith wrote:
>>>>> On Wed, 23 Dec 2020 16:48:11 +0000
>>>>> Ameya Deshpande via freebsd-questions <freebsd-questions@freebsd.org>
>>>>> wrote:
>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> I am new to FreeBSD. I was wondering if there is a concept like Network
>>>>>> Namespaces in FreeBSD, like there is in Linux?
>>>>>
>>>>> There is something similar, see man setfib for details.
>>>>>
>>>> I've only briefly played with Linux network namespaces, but aren't
>>>> vnet jails much closer to that?
>>>
>>> I have more experience with Linux than with FreeBSD, so I don't know for
>>> sure what setfib is about.
>>>
>>> VNET jails are the closest thing that comes to mind when comparing to
>>> Linux network namespaces. Unlike Linux, in a jail you will get all other
>>> namespaces separated too (e.g. mount, pid etc.).
>>>
>>> Unfortunately I don't know if it is possible to get exactly the same
>>> behavior as in Linux - share all other namespaces except for the network
>>> stack. I imagine you can get something like this with Capsicum, but it
>>> would require making changes to the app.
>>
>> Wouldn't a VNET jail rooted at / effectively be that?
>>
>
> Last time I played with jails, setting the jail's root to '/' was not
> allowed for some reason. I don't remember the exact error message though.

I think that must have changed. Using a jail rooted at / used to be the
recommended way of preventing rpcbind's wildcard listen from being a
security loophole. I do remember that you can't nullfs mount / under
itself.

> I remember that I ended up null-mounting every directory in / (like bin,
> sbin, etc.) to the jail's root directory, and that was quite painful to
> do manually.
I'm increasingly thinking that the file system layout needs a rethink to
be able to handle jails and minimal app-style devices like firewalls.
Sadly inertia (and standards) will prevent that from happening.

-- 
The number of people predicting the demise of Moore's Law doubles every
18 months.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?9a80d70b-3f37-09ac-825f-c87e2c3e4925>
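The setup the thread is circling, a VNET jail whose root is the host's own /
so that only the network stack is separated, worked up as an added example.
This is not code from the thread or from the FreeBSD project. It assumes a
FreeBSD host whose kernel has VIMAGE (GENERIC has shipped with it since
12.0), run as root; the jail name netns0, the epair unit number 0 and the
10.99.0.0/24 addresses are illustrative choices. DRY_RUN=1 prints the
commands instead of executing them, which is also how the script can be read
through on a non-FreeBSD box.

```shell
#!/bin/sh
# Added example (not from the thread or the FreeBSD project): a VNET jail
# rooted at the host's / so that the jailed processes share the host's
# filesystem but get their own network stack, the nearest FreeBSD analogue
# of a Linux network namespace. Assumes a VIMAGE kernel and root.
# Jail name, epair unit and addresses below are illustrative.
# DRY_RUN=1 prints each command instead of running it.

DRY_RUN="${DRY_RUN:-0}"
JAIL="${JAIL:-netns0}"
UNIT="${UNIT:-0}"
A="epair${UNIT}a"            # host side of the epair
B="epair${UNIT}b"            # side handed to the jail
HOST_ADDR="${HOST_ADDR:-10.99.0.1/24}"
JAIL_ADDR="${JAIL_ADDR:-10.99.0.2/24}"

run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Refuse to continue on a kernel without VIMAGE: jail(8) would reject the
# "vnet" parameter, so there is no point creating the epair first.
preflight() {
    [ "$DRY_RUN" = 1 ] && return 0
    [ "$(sysctl -n kern.features.vimage 2>/dev/null)" = 1 ] || {
        echo "kernel lacks VIMAGE; VNET jails are unavailable" >&2
        return 1
    }
}

netns_up() {
    preflight || return 1
    run ifconfig "epair${UNIT}" create
    run ifconfig "$A" inet "$HOST_ADDR" up
    # path=/       : same filesystem tree as the host, nothing nullfs-mounted
    # vnet         : separate network stack, epair "b" side moved inside
    # persist      : keep the jail alive with no process running in it
    # allow.raw_sockets is only there so the ping check below works
    run jail -c "name=$JAIL" path=/ "host.hostname=$JAIL" vnet \
        "vnet.interface=$B" allow.raw_sockets persist
    run jexec "$JAIL" ifconfig lo0 inet 127.0.0.1/8 up
    run jexec "$JAIL" ifconfig "$B" inet "$JAIL_ADDR" up
}

# Connectivity check from inside the jail to the host end of the epair.
netns_check() {
    run jexec "$JAIL" ping -c 1 "${HOST_ADDR%/*}"
}

# Removing the jail hands the "b" side back to the host; destroying the
# "a" side then removes both ends of the epair.
netns_down() {
    run jail -r "$JAIL"
    run ifconfig "$A" destroy
}

case "${1:-}" in
    up)    netns_up ;;
    check) netns_check ;;
    down)  netns_down ;;
    "")    ;;
    *)     echo "usage: $0 up|check|down" >&2; exit 2 ;;
esac
```

Run as "./netns.sh up", then "./netns.sh check" and "./netns.sh down".
Because path is /, the jail sees and can edit the host's /etc and
everything else; what stays separated is only what jail(8) always
separates (its own pid space and hostname, no mounting or kernel sysctl
changes by default) plus the network stack. So this is the "network
namespace" half of the comparison, not a sandbox, and it should not be
confused with a jail on its own root.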