On Thu, May 24, 2018 1:28 pm, Claudio Jeker wrote:
> On Thu, May 24, 2018 at 09:22:32AM -0400, trondd wrote:
>> On Wed, May 23, 2018 4:35 am, Thomas Huber wrote:
>> > Hi all,
>> >
>> > I'm just tinkering a little bit and try to mimic some "containerization" on
>> > OpenBSD with chroot. Is it somehow possible to attach a chrooted
>> > environment to switchd(8) ?
>> >
>> > Thanks
>> > Thomas
>> >
>>
>> OpenBSD's chroot is not like a Linux container or FreeBSD jail. There is
>> no network isolation. Inside the chroot, you get all the same interfaces,
>> IPs, routes, ports as on the "host" or in another chroot. So doing
>> anything with the network in the chroot is exactly the same as doing it
>> normally.
>>
>> If you want to isolate, you probably need vether or tap or the like to
>> make virtual interfaces and manually tie them to whatever you have running
>> in the chroots and manually set up proxies or whatever you need to make
>> services accessible.
>>
>
> This is only partially true. If you use alternate routing tables or
> rdomain, route -T <id> exec will get you network isolation. Processes can
> not change the rtable unless they run as superuser. It is not perfect but
> neither is the linux or freebsd solution when it comes to networking.
>
> --
> :wq Claudio
>
Sorry, yes. I meant to mention rdomains, which I think is a pretty cool option worth tinkering with.
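The rdomain approach Claudio describes, written out as a small OpenBSD shell script. This is an added example and not code from anyone in the thread; the rdomain number, the vether(4) name and address, the chroot directory and the service path are assumptions. It creates a vether interface in its own routing domain, starts a chrooted service inside that domain with route -T <id> exec, and shows how to check from the outside that the process is pinned to the rdomain. Setting DRY_RUN=1 prints the commands instead of running them, which is also how the script can be exercised on a non-OpenBSD host.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): confine a chrooted
# service to its own OpenBSD routing domain so it sees only that domain's
# interfaces and routes. Needs root on OpenBSD unless DRY_RUN=1 is set.
# All values below are assumptions chosen for illustration.

RDOMAIN=1                        # assumed routing domain id
VETHER=vether1                   # assumed virtual interface
ADDR=10.10.1.1/24                # constructed address for the domain
CHROOT=/var/chroot/svc           # assumed chroot directory
SERVICE=/usr/local/bin/svc       # assumed daemon path inside the chroot

# Run a command, or just print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Create the virtual interface and move it into the routing domain;
# OpenBSD creates the matching lo$RDOMAIN when the domain first appears.
setup_rdomain() {
    run ifconfig "$VETHER" create
    run ifconfig "$VETHER" rdomain "$RDOMAIN"
    run ifconfig "$VETHER" inet "$ADDR" up
}

# Start the service inside the chroot, attached to the routing domain.
# Once started there, an unprivileged process cannot switch to another
# rtable (setrtable(2) is reserved for the superuser), so the network
# view of the chroot stays limited to this domain.
start_service() {
    run route -T "$RDOMAIN" exec chroot "$CHROOT" "$SERVICE"
}

# Verification from the host: what the domain can see, and which
# processes are bound to it.
inspect_rdomain() {
    run route -T "$RDOMAIN" exec ifconfig     # only interfaces in the domain
    run route -T "$RDOMAIN" show              # only the domain's routes
    run ps -ax -o rtable,user,pid,command     # rtable column per process
}

# Dispatch on the first argument; with no argument the script does nothing,
# so sourcing it only defines the functions above.
case "${1:-}" in
    setup)   setup_rdomain ;;
    start)   start_service ;;
    inspect) inspect_rdomain ;;
esac
```

Usage: `doas sh rdomain-chroot.sh setup`, then `doas sh rdomain-chroot.sh start`, then `sh rdomain-chroot.sh inspect`; the `ifconfig` output in the inspect step should list only `lo1` and `vether1`, and the `rtable` column of `ps` should read `1` for the chrooted service. Reaching the service from the default domain still needs a path between the domains (pf rules or a proxy), which is the "not perfect" part Claudio mentions.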