rdomain is interesting, wasn't aware of that. Thanks for this input, Claudio.
On 24 May 2018 at 19:58, trondd <tro...@kagu-tsuchi.com> wrote:
> On Thu, May 24, 2018 1:28 pm, Claudio Jeker wrote:
> > On Thu, May 24, 2018 at 09:22:32AM -0400, trondd wrote:
> >> On Wed, May 23, 2018 4:35 am, Thomas Huber wrote:
> >> > Hi all,
> >> >
> >> > I'm just tinkering a little bit and try to mimic some "containerization" on
> >> > OpenBSD with chroot. Is it somehow possible to attach a chrooted
> >> > environment to switchd(8)?
> >> >
> >> > Thanks
> >> > Thomas
> >> >
> >>
> >> OpenBSD's chroot is not like a Linux container or FreeBSD jail. There is
> >> no network isolation. Inside the chroot, you get all the same interfaces,
> >> IPs, routes, ports as on the "host" or in another chroot. So doing
> >> anything with the network in the chroot is exactly the same as doing it
> >> normally.
> >>
> >> If you want to isolate, you probably need vether or tap or the like to
> >> make virtual interfaces and manually tie them to whatever you have running
> >> in the chroots and manually set up proxies or whatever you need to make
> >> services accessible.
> >>
> >
> > This is only partially true. If you use alternate routing tables or
> > rdomain, route -T <id> exec will get you network isolation. Processes
> > cannot change the rtable unless they run as superuser. It is not perfect but
> > neither is the linux or freebsd solution when it comes to networking.
> >
> > --
> > :wq Claudio
> >
>
> Sorry, yes. I meant to mention rdomains, which I think is a pretty cool
> option worth tinkering with.
>

--
+49.179.1448024 Karl-Kunger-Straße 68 D - 12435 Berlin
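The rdomain setup Claudio refers to, written out as an added example (this is not code from the thread or from OpenBSD itself): attach a vether(4) interface to routing domain 1, run commands confined to that domain with route -T 1 exec, and check the attachment by parsing ifconfig(8) output. The interface name vether0, rdomain id 1 and the 10.0.1.0/24 range are assumptions chosen for the example. The parts that touch the system only run as root on OpenBSD; the parser is plain POSIX shell and awk so it can be exercised anywhere.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread: confine processes to an
# OpenBSD routing domain with "route -T <id> exec" and verify the attachment.
# Assumptions (chosen for the example): rdomain 1 is unused, vether0 does not
# exist yet, and 10.0.1.0/24 is free.
set -eu

RD=1
IFACE=vether0
ADDR=10.0.1.1/24

# Read ifconfig(8) output on stdin and print the rdomain of interface $1.
# OpenBSD prints "rdomain N" on the flags line only when N != 0, so an
# interface whose flags line carries no such token is in rdomain 0.
# Exits non-zero when the interface is not present in the input.
rdomain_of_iface() {
    awk -v ifc="$1" '
        $1 == (ifc ":") {
            found = 1; rd = 0
            for (i = 1; i <= NF; i++) if ($i == "rdomain") rd = $(i + 1)
            print rd
            exit
        }
        END { if (!found) exit 1 }'
}

# Create the interface inside rdomain 1.  Creating an rdomain also creates
# its own loopback (lo1) and routing table 1, so sockets opened by processes
# running in rdomain 1 never see table 0 or the rdomain-0 interfaces.
setup_rdomain() {
    ifconfig "$IFACE" rdomain "$RD" inet "$ADDR" up
}

# Show what a process confined to rdomain 1 can see: only the interfaces
# attached to that domain and only the routes in table 1.
show_rdomain() {
    route -T "$RD" exec ifconfig
    route -T "$RD" exec netstat -rn
}

# Confirm, from inside the domain, that the interface is really in rdomain 1.
check_rdomain() {
    rd=$(route -T "$RD" exec ifconfig "$IFACE" | rdomain_of_iface "$IFACE")
    [ "$rd" = "$RD" ] || { echo "expected rdomain $RD, got $rd" >&2; return 1; }
    echo "$IFACE is attached to rdomain $rd"
}

cleanup() {
    ifconfig "$IFACE" destroy
}

# Only root on OpenBSD can change rdomains, which is exactly the property the
# thread describes: a non-root process started with "route -T 1 exec" has
# no way back into rdomain 0.  Run the real steps only in that situation.
if [ "$(uname -s)" = OpenBSD ] && [ "$(id -u)" -eq 0 ]; then
    setup_rdomain
    show_rdomain
    check_rdomain
    # Any daemon started this way talks only to rdomain 1:
    route -T "$RD" exec ping -c 1 10.0.1.1
    cleanup
fi
```

To give a confined service a path to the outside, add a second interface in rdomain 0 and connect the two with pf rules or a proxy, as trondd describes; the confinement itself comes from the process being unable to leave table 1 without superuser privileges.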