
A fancy network-namespaced Hologram agent on Linux

Open copumpkin opened this issue 9 years ago • 2 comments

I've experimented a bit with network namespaces on Linux and have been able to arrange for different processes to get different views of http://169.254.169.254.

What I would love is the ability to hologram different programs and shells independently. So I can keep one hologram pointing at one account in one terminal tab, and another hologram at a different account in another terminal tab. Given the network namespace work is done (I can post a sample script if it helps), I think this would be fairly easy.

Ultimately, I think it would make sense to break down the agent as follows:

  1. A component that can serve up an EC2 metadata simulation with credentials supplied somehow (not necessarily hologram server; I have another use case in mind which I might elaborate on in another ticket)
  2. A hook for (1) that lets it get its credentials from the Hologram server
  3. A user-facing program (perhaps called inrole or similar) that can set up the network namespaces as needed and spin up a one-off instance of (1) for the namespace.

After that, we can do things like:

    inrole account1 role1 /bin/bash
    inrole account3 role5 aws iam list-account-aliases

And then all the Mac OS users (me included) are sad.

Thoughts?

copumpkin avatar Oct 05 '15 17:10 copumpkin
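The per-shell namespace wiring the post describes, as an added example that is not code from this issue or from Hologram: a veth pair links each namespace to the host, and a nat OUTPUT rule inside the namespace sends 169.254.169.254:80 to that namespace's own metadata simulator. Assumed: a simulator already listens on the host at the given port; the `inrole_*` names, `veth-*` names and the 10.169.0.0/16 range are constructed.

```shell
#!/bin/bash
# Added example (not Hologram code). Assumes a metadata simulator already
# listening on the host at SIM_PORT; interface names and 10.169.x.0/30 are
# constructed for illustration.
set -eu

run() {
  # DRY_RUN=1 prints the command plan instead of executing it (no root needed).
  if [ "${DRY_RUN:-0}" = "1" ]; then echo "$*"; else "$@"; fi
}

# inrole_setup NAME INDEX SIM_PORT: wire namespace NAME (needs CAP_NET_ADMIN).
# INDEX selects a unique /30 so several namespaces can coexist side by side.
inrole_setup() {
  local ns="$1" idx="$2" port="$3"
  local host_if="veth-${ns}-h" ns_if="veth-${ns}-n"
  local host_ip="10.169.${idx}.1" ns_ip="10.169.${idx}.2"
  run ip netns add "$ns"
  run ip link add "$host_if" type veth peer name "$ns_if"
  run ip link set "$ns_if" netns "$ns"
  run ip addr add "${host_ip}/30" dev "$host_if"
  run ip link set "$host_if" up
  run ip -netns "$ns" link set lo up
  run ip -netns "$ns" addr add "${ns_ip}/30" dev "$ns_if"
  run ip -netns "$ns" link set "$ns_if" up
  run ip -netns "$ns" route add default via "$host_ip"
  # nat tables are per-namespace, so only processes in NAME see this redirect;
  # a shell in another namespace (or in none) keeps its own view of the endpoint.
  run ip netns exec "$ns" iptables -t nat -A OUTPUT -d 169.254.169.254 \
      -p tcp --dport 80 -j DNAT --to-destination "${host_ip}:${port}"
  # Outbound connectivity for the namespace goes through the host.
  run sysctl -q -w net.ipv4.ip_forward=1
  run iptables -t nat -A POSTROUTING -s "10.169.${idx}.0/30" -j MASQUERADE
}

# inrole_run NAME USER CMD...: run CMD inside NAME as the unprivileged USER,
# so the elevated rights needed for setup do not leak into the shell.
inrole_run() {
  local ns="$1" user="$2"; shift 2
  run ip netns exec "$ns" runuser -u "$user" -- "$@"
}

# inrole_teardown NAME INDEX: deleting the namespace also removes the veth pair.
inrole_teardown() {
  run iptables -t nat -D POSTROUTING -s "10.169.${2}.0/30" -j MASQUERADE
  run ip netns del "$1"
}

case "${1:-}" in
  setup)    inrole_setup "$2" "$3" "$4" ;;
  run)      shift; inrole_run "$@" ;;
  teardown) inrole_teardown "$2" "$3" ;;
esac
```

Run `DRY_RUN=1 ./inrole.sh setup account1 1 8081` first to review the plan; then `sudo ./inrole.sh setup account1 1 8081` followed by `sudo ./inrole.sh run account1 $USER bash` opens a shell whose metadata endpoint is that namespace's simulator only.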

I'd prefer to not create a disparity between OS X and Linux users. I really appreciate the research you've done here, but until/unless we figure out how to make it cross-platform I'm not sure it fits in Hologram right now. Is there perhaps something that we can do with pfctl?

gaylatea avatar Oct 06 '15 04:10 gaylatea

That's the issue; I don't think it's possible to emulate on Mac OS, at least at this stage. The pf in Mac OS lets me create rules by UID/GID, but not PID. The only option I could think of on that platform is to create a big pile of dummy users that we can setuid to when running processes, but unfortunately I think that setuid would have other undesirable consequences around file access and other permissions.

At the same time, it seems unfortunate not to offer this functionality (which I have wanted repeatedly in my daily use of hologram) on a platform that can support it.

copumpkin avatar Oct 06 '15 11:10 copumpkin