
Firejail/Network namespaces without sudo

Unix & Linux Asked by user27221 on January 28, 2021

I think this is kind of a basic question:

Related questions:

What script could allow regular users to use network namespaces?

Block network access of a process?

I want to start a process, which will call some other processes and they will run on a network. There will be some routing necessary, since it is running something like a cluster.

What I want to know is if there is a way to create custom routing rules at an application level, so that:

(1.) Once the application closes my main iptables is intact

(2.) This environment is encapsulated so I can do easier rules if I want to run slightly different versions of the application (I will never use this, but it would be nice…)

(3.) I can implement something like: for this pid ( or everything that is a fork of this ) here is the iptables you should use

I googled a bit and found out maybe I want to use firejail with network-namespaces. But I also want to create the namespace (and its relative iptables) on the fly and I would like to be able to do this without the need for sudo.

Is this possible?

If it is with firejail, how would I do that?

Actually, how can I do this with any tool?


Perhaps relevant:

Why do I want to do this? I actually want to do a bit of reinventing the wheel and change some parts of docker networking to interface with ROS better. I perhaps do not understand docker-compose and docker-swarm enough. The way I implemented access to docker containers inside a given machine was by handling the routing myself with routing rules, this way I could build a cluster with both docker and non-docker ros nodes. There is probably a docker way of doing this, but I couldn’t figure it out.

I believe that to finish this implementation I need to give roscore "docker-swarm controller powers" and route everything within a rosmaster together. I’ve created some scripts for this in the past where I add all the necessary routing and register ssh keys, which is perhaps also not the best and I should have just used docker-swarm. My issue with docker swarm is that I cannot properly use services (can services even be run in interactive mode?) and the development stack (with a catkin workspace which is a remote file system [sshfs] inside a docker that needs to be compiled upon change) is rather convoluted, so it would be better to concentrate all of this complexity and try to do it in the same place.

I understand that docker containers are also namespaced, but as namespaces are hierarchical, I think it should still work.

There are additional problems with this idea, but I want to see how far along I can push it. I have the basics working, but if I can get the networking solved without sudo and external scripts, I think this can start to be usable by other people.
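An added example, not part of the original question and not Firejail's own code: the rootless building block behind points (1) and (3) is the util-linux `unshare -Urn` call, which creates a user namespace plus a fresh network namespace for an unprivileged user. The process and every child it forks live in that namespace, the host's routing table and iptables rules are never touched, and anything configured inside (loopback, routes, per-namespace iptables rules) is discarded when the last process in the namespace exits. It assumes the kernel permits unprivileged user namespaces and that `iproute2` (and, for the ruleset variant, `iptables-restore`) exist; the function names and the interface listing via `/proc/net/dev` are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the original post): rootless per-process network
# isolation with util-linux `unshare -Urn`. Assumes the kernel allows
# unprivileged user namespaces; function names are this example's own.

# Can this user create user+net namespaces at all? Prints "yes" or "no".
# (Distros may disable this via kernel.unprivileged_userns_clone or
# user.max_user_namespaces; the probe simply tries it.)
userns_available() {
    if unshare -Urn true 2>/dev/null; then echo yes; else echo no; fi
}

# awk program that lists interface names from the per-namespace /proc/net/dev,
# so the check works even where the `ip` tool is not installed.
IFACE_AWK='NR > 2 { gsub(/ /, "", $1); print $1 }'

# Interfaces visible to the calling process (host view).
visible_ifaces() {
    awk -F: "$IFACE_AWK" /proc/net/dev
}

# Interfaces visible from inside a brand-new network namespace: only "lo".
# This is the isolation guarantee: the host's NICs, routes and firewall
# rules are simply not there.
netns_ifaces() {
    unshare -Urn awk -F: "$IFACE_AWK" /proc/net/dev
}

# Run COMMAND (and all of its children) inside a fresh namespace. Loopback is
# brought up first so local cluster-style traffic works; inside the user
# namespace the caller holds CAP_NET_ADMIN, so no sudo is needed.
run_in_netns() {
    unshare -Urn sh -c 'ip link set lo up 2>/dev/null; exec "$@"' sh "$@"
}

# Same, but first load an iptables-save style ruleset file that applies only
# inside the namespace; the host's tables stay intact and the rules vanish
# with the namespace. Usage: run_with_rules rules.v4 cmd args...
run_with_rules() {
    rules=$1
    shift
    unshare -Urn sh -c \
        'rules=$1; shift; ip link set lo up; iptables-restore < "$rules"; exec "$@"' \
        sh "$rules" "$@"
}

# Constructed sample ruleset for run_with_rules: permit loopback, drop all
# other outbound traffic from the isolated process tree.
write_sample_rules() {
    cat > "$1" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT DROP [0:0]
-A OUTPUT -o lo -j ACCEPT
COMMIT
EOF
}

# Stand-alone use: ./isolate.sh cmd args...  (nothing runs when sourced).
if [ -n "${1:-}" ]; then
    run_in_netns "$@"
fi
```

Because child processes inherit the namespace, this already gives the "for this pid and everything it forks, use these rules" semantics of point (3) without a PID-based iptables match; Firejail's `--net=none` and `--netfilter` options wrap the same kernel mechanism behind a setuid helper. Whether the unprivileged path is open at all is a host policy decision, which is why `userns_available` probes it rather than assuming.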
