
Adding firewall to /proc/{id}/... network namespace is not working

Open jeyaprabhuj-tts opened this issue 2 years ago • 5 comments

Description

Adding firewall rules to the network namespace based on /proc/{proc id}/ns/net works correctly with runc.

The same does not work with runsc.

Steps to reproduce

No response

runsc version

No response

docker version (if using docker)

No response

uname

No response

kubectl (if using Kubernetes)

No response

repo state (if built from source)

No response

runsc debug logs (if available)

No response

jeyaprabhuj-tts avatar Feb 10 '22 14:02 jeyaprabhuj-tts

This is not supported. runsc does not support firewall rules yet. Please add the details you provided on the chat and as I said there I am not sure what the intention of this is supposed to be and why doing it on the host side is not sufficient.

hbhasker avatar Feb 11 '22 06:02 hbhasker

We are trying on the host only.

Steps: execute docker and get the pid for the container. First map the docker pid namespace from /proc/{proc id}/ns/net to /var/run/net/, e.g. gvisor_con1.

Then exec the command: sudo ip netns exec gvisor_con1 ip route add blackhole 8.8.8.8

This blocks ping to 8.8.8.8 from inside a container started with runc. The same does not work with runsc.

https://www.thegeekdiary.com/how-to-access-docker-containers-network-namespace-from-host/

jeyaprabhuj-tts avatar Feb 11 '22 07:02 jeyaprabhuj-tts

The sandbox is not using the host networking stack, so routing rules in the netns will not be respected. You can apply rules to the outside on the bridge (depends on the exact network setup) to be enforced.

This is the normal mechanism for e.g. k8s network policies, since otherwise a container with NET_ADMIN would be able to change its own rules.

In general visibility into the sandbox will not use the normal host mechanisms, since the application inside the sandbox is not running on the host kernel directly (e.g. ps will also not show sandbox processes directly).

amscanne avatar Feb 11 '22 15:02 amscanne

@amscanne @hbhasker

We have a setup where one IoT device has multiple customer containers; each one needs to have a separate firewall rule.

Do you suggest creating 5 bridges for 5 customers and applying rules to each bridge? If the above is wrong, can you suggest an approach?

jeyaprabhuj-tts avatar Feb 13 '22 14:02 jeyaprabhuj-tts

@jeyaprabhuj-tts you should be able to create the firewall rules on the bridge interface that use a source or destination of the container IP as part of the rule. I doubt you need 5 separate bridges to create the rule structure that you need.

knisbet avatar May 01 '22 02:05 knisbet
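The per-container-IP approach suggested above, as an added example that is not part of this thread or the gVisor project: one shared bridge, one DROP rule per customer container, matched on the container's source IP on the host's forward path (which the runsc sandbox's traffic still crosses). It assumes Docker's default bridge (docker0) and Docker's DOCKER-USER chain for user rules on forwarded traffic; the container names and destination are constructed sample values.

```shell
# Added example: block a destination for one container on a shared bridge by
# matching the container's IP in host iptables, instead of one bridge per customer.
# Assumes docker0 and the DOCKER-USER chain (Docker's hook for user forward rules).

BRIDGE="${BRIDGE:-docker0}"

# Resolve a container's IPv4 address on its bridge network via docker inspect.
container_ip() {
    docker inspect -f '{{range .NetworkSettings.Networks}}{{.IPAddress}}{{end}}' "$1"
}

# Print (not run) the rule that drops traffic entering via the bridge from
# container IP $1 to destination $2, so the rules can be reviewed before applying.
block_rule() {
    ip="$1"; dst="$2"
    case "$ip" in
        *.*.*.*) ;;
        *) echo "block_rule: '$ip' is not an IPv4 address" >&2; return 1 ;;
    esac
    printf 'iptables -I DOCKER-USER -i %s -s %s -d %s -j DROP\n' "$BRIDGE" "$ip" "$dst"
}

# Generate one rule per "container:destination" pair, e.g. gvisor_con1:8.8.8.8.
# An empty or missing IP (container not on the bridge) aborts instead of
# emitting a rule with an empty -s, which would match nothing.
block_rules_for() {
    for pair in "$@"; do
        name="${pair%%:*}"; dst="${pair#*:}"
        ip="$(container_ip "$name")" || return 1
        block_rule "$ip" "$dst" || return 1
    done
}

# Review, then apply on the host (constructed sample names):
#   block_rules_for gvisor_con1:8.8.8.8 gvisor_con2:8.8.8.8
#   block_rules_for gvisor_con1:8.8.8.8 | sudo sh
```

Because the rule lives on the host's forward path rather than inside the container's netns, a container holding NET_ADMIN cannot remove it, which is the same reason network policies are enforced outside the sandbox.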

A friendly reminder that this issue had no activity for 120 days.

github-actions[bot] avatar Sep 13 '23 00:09 github-actions[bot]