On Thu, May 24, 2018 at 09:22:32AM -0400, trondd wrote:
> On Wed, May 23, 2018 4:35 am, Thomas Huber wrote:
> > Hi all,
> >
> > I'm just tinkering a little bit and trying to mimic some "containerization"
> > on
> > OpenBSD with chroot. Is it somehow possible to attach a chrooted
> > environment to switchd(8)?
> >
> > Thanks
> > Thomas
> >
> 
> OpenBSD's chroot is not like a Linux container or FreeBSD jail.  There is
> no network isolation.  Inside the chroot, you get all the same interfaces,
> IPs, routes, ports as on the "host" or in another chroot.  So doing
> anything with the network in the chroot is exactly the same as doing it
> normally.
> 
> If you want to isolate, you probably need vether or tap or the like to
> make virtual interfaces and manually tie them to whatever you have running
> in the chroots and manually set up proxies or whatever you need to make
> services accessible.
> 

This is only partially true. If you use alternate routing tables or
rdomain, route -T <id> exec will get you network isolation. Processes can
not change the rtable unless they run as superuser. It is not perfect but
neither is the Linux or FreeBSD solution when it comes to networking.

-- 
:wq Claudio
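The rdomain approach from the reply above, written out as an added example (not from the thread or from OpenBSD itself). It assumes rdomain 1, a vether1 interface with the constructed address 10.1.1.1/24, a chroot at /var/jail1 and an unprivileged user _jail1; all of these are placeholders. The interface is created inside the rdomain, the chrooted process is started with route -T exec, and it is started as a non-root user because, as the reply notes, only the superuser can switch rtable afterwards. On anything other than OpenBSD the script only prints the commands it would run.

```shell
#!/bin/sh
# Added example: run a chroot inside its own OpenBSD routing domain so the
# chrooted processes only see that rdomain's interfaces, routes and ports.
# Assumed (placeholder) values: rdomain 1, vether1, 10.1.1.1/24, /var/jail1,
# user _jail1. Not OpenBSD? Then DRY_RUN is forced and commands are echoed.

RDOMAIN="${RDOMAIN:-1}"
IFACE="${IFACE:-vether1}"
ADDR="${ADDR:-10.1.1.1/24}"
JAIL="${JAIL:-/var/jail1}"
JAIL_USER="${JAIL_USER:-_jail1}"
DRY_RUN="${DRY_RUN:-}"
[ "$(uname -s)" = OpenBSD ] || DRY_RUN=1

# Execute a command, or print it when dry-running.
run() {
    if [ -n "$DRY_RUN" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Step 1: a virtual interface that belongs to the new rdomain. Assigning an
# interface to rdomain N creates routing table N if it does not exist yet.
setup_rdomain() {
    run ifconfig "$IFACE" create
    run ifconfig "$IFACE" rdomain "$RDOMAIN" inet "$ADDR" up
}

# Step 2: start the chrooted process inside that routing domain, dropping to
# an unprivileged user so it cannot move itself back to another rtable.
start_in_chroot() {
    run route -T "$RDOMAIN" exec chroot -u "$JAIL_USER" "$JAIL" \
        /bin/sh -c 'ifconfig; route -n show'
}

# Step 3: the view from outside; compare it with what the chrooted shell
# printed in step 2 (only the rdomain's interface and routes appear).
verify_isolation() {
    run route -T "$RDOMAIN" show -inet
}

case "${1:-}" in
    setup)  setup_rdomain ;;
    start)  start_in_chroot ;;
    verify) verify_isolation ;;
esac
```

Usage: `sh rdomain-chroot.sh setup` once as root, then `sh rdomain-chroot.sh start` to launch the chrooted shell and `sh rdomain-chroot.sh verify` to list the routes that shell can use. Any daemon that should be reachable from the default rdomain still needs a route or proxy into rdomain 1, which is the "not perfect" part the reply mentions.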
