Re: attach chroot-jail to switchd(8) ?
rdomain is interesting, wasn't aware of that. Thanks for this input Claudio.

On 24 May 2018 at 19:58, trondd wrote:

> On Thu, May 24, 2018 1:28 pm, Claudio Jeker wrote:
> > On Thu, May 24, 2018 at 09:22:32AM -0400, trondd wrote:
> > > On Wed, May 23, 2018 4:35 am, Thomas Huber wrote:
> > > > Hi all,
> > > >
> > > > I'm just tinkering a little bit and trying to mimic some "containerization" on
> > > > OpenBSD with chroot. Is it somehow possible to attach a chrooted
> > > > environment to switchd(8)?
> > > >
> > > > Thanks
> > > > Thomas
> > > >
> > >
> > > OpenBSD's chroot is not like a Linux container or FreeBSD jail. There is
> > > no network isolation. Inside the chroot, you get all the same interfaces,
> > > IPs, routes, ports as on the "host" or in another chroot. So doing
> > > anything with the network in the chroot is exactly the same as doing it
> > > normally.
> > >
> > > If you want to isolate, you probably need vether or tap or the like to
> > > make virtual interfaces and manually tie them to whatever you have running
> > > in the chroots and manually set up proxies or whatever you need to make
> > > services accessible.
> > >
> >
> > This is only partially true. If you use alternate routing tables or
> > rdomain, route -T exec will get you network isolation. Processes can
> > not change the rtable unless they run as superuser. It is not perfect but
> > neither is the Linux or FreeBSD solution when it comes to networking.
> >
> > --
> > :wq Claudio
> >
>
> Sorry, yes. I meant to mention rdomains, which I think is a pretty cool
> option worth tinkering with.
>

--
+49.179.1448024
Karl-Kunger-Straße 68
D - 12435 Berlin
Re: attach chroot-jail to switchd(8) ?
On Thu, May 24, 2018 1:28 pm, Claudio Jeker wrote:
> On Thu, May 24, 2018 at 09:22:32AM -0400, trondd wrote:
> > On Wed, May 23, 2018 4:35 am, Thomas Huber wrote:
> > > Hi all,
> > >
> > > I'm just tinkering a little bit and trying to mimic some "containerization" on
> > > OpenBSD with chroot. Is it somehow possible to attach a chrooted
> > > environment to switchd(8)?
> > >
> > > Thanks
> > > Thomas
> > >
> >
> > OpenBSD's chroot is not like a Linux container or FreeBSD jail. There is
> > no network isolation. Inside the chroot, you get all the same interfaces,
> > IPs, routes, ports as on the "host" or in another chroot. So doing
> > anything with the network in the chroot is exactly the same as doing it
> > normally.
> >
> > If you want to isolate, you probably need vether or tap or the like to
> > make virtual interfaces and manually tie them to whatever you have running
> > in the chroots and manually set up proxies or whatever you need to make
> > services accessible.
> >
>
> This is only partially true. If you use alternate routing tables or
> rdomain, route -T exec will get you network isolation. Processes can
> not change the rtable unless they run as superuser. It is not perfect but
> neither is the Linux or FreeBSD solution when it comes to networking.
>
> --
> :wq Claudio
>

Sorry, yes. I meant to mention rdomains, which I think is a pretty cool
option worth tinkering with.
Re: attach chroot-jail to switchd(8) ?
On Thu, May 24, 2018 at 09:22:32AM -0400, trondd wrote:
> On Wed, May 23, 2018 4:35 am, Thomas Huber wrote:
> > Hi all,
> >
> > I'm just tinkering a little bit and trying to mimic some "containerization" on
> > OpenBSD with chroot. Is it somehow possible to attach a chrooted
> > environment to switchd(8)?
> >
> > Thanks
> > Thomas
> >
>
> OpenBSD's chroot is not like a Linux container or FreeBSD jail. There is
> no network isolation. Inside the chroot, you get all the same interfaces,
> IPs, routes, ports as on the "host" or in another chroot. So doing
> anything with the network in the chroot is exactly the same as doing it
> normally.
>
> If you want to isolate, you probably need vether or tap or the like to
> make virtual interfaces and manually tie them to whatever you have running
> in the chroots and manually set up proxies or whatever you need to make
> services accessible.
>

This is only partially true. If you use alternate routing tables or
rdomain, route -T exec will get you network isolation. Processes can
not change the rtable unless they run as superuser. It is not perfect but
neither is the Linux or FreeBSD solution when it comes to networking.

--
:wq Claudio
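Claudio's rdomain suggestion and trondd's virtual-interface idea, worked through as an added example that is not code from the thread or from OpenBSD itself: a chroot(8)ed service is started with route -T exec inside its own routing domain, so it sees only that rdomain's interfaces and routes. Assumed values: rdomain 1, a pair(4) link in place of vether, the 10.10.1.0/24 addresses, /var/jail/www, the user _svc and a hypothetical /usr/local/bin/myservice; only the helper that composes and validates the launch line runs on a non-OpenBSD host.

```shell
# Added example, not code from the thread: run a chrooted service inside its
# own OpenBSD routing domain so it only sees that rdomain's interfaces/routes.
# Assumed values: rdomain 1, a pair(4) link, 10.10.1.0/24, /var/jail/www,
# user _svc and /usr/local/bin/myservice. Needs root on OpenBSD to apply.

RDOMAIN=1
JAIL=/var/jail/www
JAIL_IP=10.10.1.2/24
HOST_IP=10.10.1.1/24

# Compose the launch line: route(8) -T selects the rtable, chroot(8) then
# drops into the jail as an unprivileged user. Because only root may change
# the rtable, the service cannot leave its rdomain afterwards.
jail_exec_cmd() {
    rd=$1; dir=$2; user=$3; shift 3
    case $rd in
        ''|*[!0-9]*) echo "rdomain must be numeric" >&2; return 1 ;;
    esac
    [ "$rd" -le 255 ] || { echo "rdomain out of range" >&2; return 1; }
    case $dir in
        /*) ;;
        *) echo "chroot dir must be absolute" >&2; return 1 ;;
    esac
    echo "route -T $rd exec chroot -u $user $dir $*"
}

# Wire the link: pair1 moves into the jail's rdomain, pair0 stays in rdomain 0.
# rdomain is set before the address because changing it clears addresses.
setup_rdomain() {
    ifconfig pair0 inet "$HOST_IP" up
    ifconfig pair1 rdomain "$RDOMAIN" inet "$JAIL_IP" up
    ifconfig pair0 patch pair1
    # Inside rdomain 1 the only way out is the host side of the pair;
    # pf(4) on the host decides whether anything is forwarded from there.
    route -T "$RDOMAIN" add default "${HOST_IP%/*}"
}

# Check from the host: rdomain 1 holds only the pair1 routes, and the
# service's rtable column reads 1.
verify_isolation() {
    route -T "$RDOMAIN" -n show -inet
    ps -axo pid,user,rtable,command | grep "[m]yservice"
}

if [ "$(uname)" = OpenBSD ] && [ "$(id -u)" = 0 ]; then
    setup_rdomain
    cmd=$(jail_exec_cmd "$RDOMAIN" "$JAIL" _svc /usr/local/bin/myservice -d)
    eval "$cmd"
    verify_isolation
fi
```

The verification step is the part worth keeping in any rc.d or ansible wrapper: if the rtable column for the service ever reads 0, the isolation is gone.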
Re: attach chroot-jail to switchd(8) ?
On Wed, May 23, 2018 4:35 am, Thomas Huber wrote:
> Hi all,
>
> I'm just tinkering a little bit and trying to mimic some "containerization" on
> OpenBSD with chroot. Is it somehow possible to attach a chrooted
> environment to switchd(8)?
>
> Thanks
> Thomas
>

OpenBSD's chroot is not like a Linux container or FreeBSD jail. There is
no network isolation. Inside the chroot, you get all the same interfaces,
IPs, routes, ports as on the "host" or in another chroot. So doing
anything with the network in the chroot is exactly the same as doing it
normally.

If you want to isolate, you probably need vether or tap or the like to
make virtual interfaces and manually tie them to whatever you have running
in the chroots and manually set up proxies or whatever you need to make
services accessible.
Re: attach chroot-jail to switchd(8) ?
I can appreciate the spirit of that. Carry on good sir.

Ken

On Thu, May 24, 2018 at 01:19:07PM +0200, Thomas Huber wrote:
> Hi Ken,
>
> sure, that's the way to go for docker, kubernetes and [add buzzword here].
> The _why_ is more about tinkering and getting deeper into the rabbit-hole.
>
> Thomas
>
>
> On 24 May 2018 at 12:51, Ken M wrote:
>
> >
> > I want to ask the question of why? And why this way? I think if you want docker-like
> > functionality, just add docker to openbsd. The best way to do so is to add
> > a lightweight linux into vmm and connect to that docker daemon. Alpine or
> > Rancher are probably the best bet for that.
> >
> > I say nothing on the security of that. But at least you also get the critical
> > mass of pre-built images from the docker world. To me that is the real value of
> > docker anyway. As a containerization system I do not like it, but as a means to
> > make the OS less of a factor to an install, absolutely.
> >
> > Just my thoughts.
> >
> > On Thu, May 24, 2018 at 11:28:13AM +0200, Thomas Huber wrote:
> > > Hi Reyk,
> > >
> > > no, it is not about chroot-ing switchd.
> > > What I have in mind is a kind of poor man's kubernetes or docker-swarm which
> > > makes use of chroot(8), login.conf(5) and mount_vnd(8) to isolate, limit
> > > and encapsulate some processes.
> > > I'll call this the "chroot-jail" and thought it is common wording after
> > > reading about this topic across the internet.
> > > Like in this (kind of outdated) tutorial:
> > > https://www.ibm.com/developerworks/community/blogs/karsten/entry/openbsd_chroot
> > > The chroot-jail is basically an extracted base##.tgz plus dev, some users
> > > and configs.
> > > What I have in mind now with switchd is to attach these chroot-jails the
> > > same way as a virtual machine.
> > >
> > > But also not sure if this makes sense anyway.
> > > It's more a kind of learning project for myself to see how things work and
> > > if they play nicely together.
> > > And if this set-up works I'd go on and use ansible to automate and to
> > > "orchestrate" these parts.
> > >
> > > Thomas
> > >
> > >
> > >
> > > On 24 May 2018 at 00:35, Reyk Floeter wrote:
> > >
> > > >
> > > > switchd is already privsep'ed with a chroot jail.
> > > >
> > > > But I don't quite understand what you mean.
> > > >
> > > > > On 23.05.2018 at 10:35, Thomas Huber wrote:
> > > > >
> > > > > Hi all,
> > > > >
> > > > > I'm just tinkering a little bit and trying to mimic some "containerization" on
> > > > > OpenBSD with chroot. Is it somehow possible to attach a chrooted
> > > > > environment to switchd(8)?
> > > > >
> > > > > Thanks
> > > > > Thomas
> >
Re: attach chroot-jail to switchd(8) ?
Hi Ken,

sure, that's the way to go for docker, kubernetes and [add buzzword here].
The _why_ is more about tinkering and getting deeper into the rabbit-hole.

Thomas

On 24 May 2018 at 12:51, Ken M wrote:

>
> I want to ask the question of why? And why this way? I think if you want docker-like
> functionality, just add docker to openbsd. The best way to do so is to add
> a lightweight linux into vmm and connect to that docker daemon. Alpine or
> Rancher are probably the best bet for that.
>
> I say nothing on the security of that. But at least you also get the critical
> mass of pre-built images from the docker world. To me that is the real value of
> docker anyway. As a containerization system I do not like it, but as a means to
> make the OS less of a factor to an install, absolutely.
>
> Just my thoughts.
>
> On Thu, May 24, 2018 at 11:28:13AM +0200, Thomas Huber wrote:
> > Hi Reyk,
> >
> > no, it is not about chroot-ing switchd.
> > What I have in mind is a kind of poor man's kubernetes or docker-swarm which
> > makes use of chroot(8), login.conf(5) and mount_vnd(8) to isolate, limit
> > and encapsulate some processes.
> > I'll call this the "chroot-jail" and thought it is common wording after
> > reading about this topic across the internet.
> > Like in this (kind of outdated) tutorial:
> > https://www.ibm.com/developerworks/community/blogs/karsten/entry/openbsd_chroot
> > The chroot-jail is basically an extracted base##.tgz plus dev, some users
> > and configs.
> > What I have in mind now with switchd is to attach these chroot-jails the
> > same way as a virtual machine.
> >
> > But also not sure if this makes sense anyway.
> > It's more a kind of learning project for myself to see how things work and
> > if they play nicely together.
> > And if this set-up works I'd go on and use ansible to automate and to
> > "orchestrate" these parts.
> >
> > Thomas
> >
> >
> >
> > On 24 May 2018 at 00:35, Reyk Floeter wrote:
> >
> > >
> > > switchd is already privsep'ed with a chroot jail.
> > >
> > > But I don't quite understand what you mean.
> > >
> > > > On 23.05.2018 at 10:35, Thomas Huber wrote:
> > > >
> > > > Hi all,
> > > >
> > > > I'm just tinkering a little bit and trying to mimic some "containerization" on
> > > > OpenBSD with chroot. Is it somehow possible to attach a chrooted
> > > > environment to switchd(8)?
> > > >
> > > > Thanks
> > > > Thomas
>
Re: attach chroot-jail to switchd(8) ?
I want to ask the question of why? And why this way? I think if you want docker-like
functionality, just add docker to openbsd. The best way to do so is to add
a lightweight linux into vmm and connect to that docker daemon. Alpine or
Rancher are probably the best bet for that.

I say nothing on the security of that. But at least you also get the critical
mass of pre-built images from the docker world. To me that is the real value of
docker anyway. As a containerization system I do not like it, but as a means to
make the OS less of a factor to an install, absolutely.

Just my thoughts.

On Thu, May 24, 2018 at 11:28:13AM +0200, Thomas Huber wrote:
> Hi Reyk,
>
> no, it is not about chroot-ing switchd.
> What I have in mind is a kind of poor man's kubernetes or docker-swarm which
> makes use of chroot(8), login.conf(5) and mount_vnd(8) to isolate, limit
> and encapsulate some processes.
> I'll call this the "chroot-jail" and thought it is common wording after
> reading about this topic across the internet.
> Like in this (kind of outdated) tutorial:
> https://www.ibm.com/developerworks/community/blogs/karsten/entry/openbsd_chroot
> The chroot-jail is basically an extracted base##.tgz plus dev, some users
> and configs.
> What I have in mind now with switchd is to attach these chroot-jails the
> same way as a virtual machine.
>
> But also not sure if this makes sense anyway.
> It's more a kind of learning project for myself to see how things work and
> if they play nicely together.
> And if this set-up works I'd go on and use ansible to automate and to
> "orchestrate" these parts.
>
> Thomas
>
>
>
> On 24 May 2018 at 00:35, Reyk Floeter wrote:
>
> >
> > switchd is already privsep'ed with a chroot jail.
> >
> > But I don't quite understand what you mean.
> >
> > > On 23.05.2018 at 10:35, Thomas Huber wrote:
> > >
> > > Hi all,
> > >
> > > I'm just tinkering a little bit and trying to mimic some "containerization" on
> > > OpenBSD with chroot. Is it somehow possible to attach a chrooted
> > > environment to switchd(8)?
> > >
> > > Thanks
> > > Thomas
Re: attach chroot-jail to switchd(8) ?
Hi Reyk,

no, it is not about chroot-ing switchd.
What I have in mind is a kind of poor man's kubernetes or docker-swarm which
makes use of chroot(8), login.conf(5) and mount_vnd(8) to isolate, limit
and encapsulate some processes.
I'll call this the "chroot-jail" and thought it is common wording after
reading about this topic across the internet.
Like in this (kind of outdated) tutorial:
https://www.ibm.com/developerworks/community/blogs/karsten/entry/openbsd_chroot
The chroot-jail is basically an extracted base##.tgz plus dev, some users
and configs.
What I have in mind now with switchd is to attach these chroot-jails the
same way as a virtual machine.

But also not sure if this makes sense anyway.
It's more a kind of learning project for myself to see how things work and
if they play nicely together.
And if this set-up works I'd go on and use ansible to automate and to
"orchestrate" these parts.

Thomas

On 24 May 2018 at 00:35, Reyk Floeter wrote:

>
> switchd is already privsep'ed with a chroot jail.
>
> But I don't quite understand what you mean.
>
> > On 23.05.2018 at 10:35, Thomas Huber wrote:
> >
> > Hi all,
> >
> > I'm just tinkering a little bit and trying to mimic some "containerization" on
> > OpenBSD with chroot. Is it somehow possible to attach a chrooted
> > environment to switchd(8)?
> >
> > Thanks
> > Thomas
Re: attach chroot-jail to switchd(8) ?
switchd is already privsep'ed with a chroot jail.

But I don't quite understand what you mean.

> On 23.05.2018 at 10:35, Thomas Huber wrote:
>
> Hi all,
>
> I'm just tinkering a little bit and trying to mimic some "containerization" on
> OpenBSD with chroot. Is it somehow possible to attach a chrooted
> environment to switchd(8)?
>
> Thanks
> Thomas
attach chroot-jail to switchd(8) ?
Hi all,

I'm just tinkering a little bit and trying to mimic some "containerization" on
OpenBSD with chroot. Is it somehow possible to attach a chrooted
environment to switchd(8)?

Thanks
Thomas