google / gvisor

Application Kernel for Containers

Home Page: https://gvisor.dev


Adding firewall to /proc/{id}/... network namespace is not working

jeyaprabhuj-tts opened this issue · comments

Description

Adding firewall rules to a network namespace based on /proc/{proc id}/ns/net works correctly with runc.

The same does not work with runsc.

Steps to reproduce

No response

runsc version

No response

docker version (if using docker)

No response

uname

No response

kubectl (if using Kubernetes)

No response

repo state (if built from source)

No response

runsc debug logs (if available)

No response

This is not supported. runsc does not support firewall rules yet. Please add the details you provided on the chat, and as I said there, I am not sure what the intention of this is supposed to be and why doing it on the host side is not sufficient.

We are trying on the host only.

Steps
Execute docker and get the pid of the container.
First map the docker pid namespace from /proc/{proc id}/ns/net to /var/run/net/, e.g. gvisor_con1.

Then exec the command:
sudo ip netns exec gvisor_con1 ip route add blackhole 8.8.8.8

This blocks ping to 8.8.8.8 from inside a container started with runc.
The same does not work with runsc.

https://www.thegeekdiary.com/how-to-access-docker-containers-network-namespace-from-host/

The sandbox is not using the host networking stack, so routing rules in the netns will not be respected. You can apply rules to the outside on the bridge (depends on the exact network setup) to be enforced.

This is the normal mechanism for e.g. k8s network policies, since otherwise a container with NET_ADMIN would be able to change its own rules.

In general visibility into the sandbox will not use the normal host mechanisms, since the application inside the sandbox is not running on the host kernel directly (e.g. ps will also not show sandbox processes directly).

@amscanne @hbhasker

We have a setup where one IoT device has multiple customer containers, and each one needs to have a separate firewall rule.

Do you suggest creating 5 bridges for 5 customers and applying rules to each bridge?
If the above is wrong, can you suggest an approach?

@jeyaprabhuj-tts you should be able to create the firewall rules on the bridge interface that use a source or destination of the container IP as part of the rule. I doubt you need 5 separate bridges to create the rule structure that you need.
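One way to implement the host-side rule the comment above describes, with the same intent as the reporter's blackhole route (block a container's traffic to 8.8.8.8), as an added example that is not gVisor project code and not from this thread. It is a POSIX shell script that resolves the container's bridge IP with docker inspect and installs a DROP rule on the host, keyed on that IP. Assumed and not taken from the thread: the bridge name docker0, Docker's DOCKER-USER chain as the place for the rule, and the sample addresses used in the comments.

```shell
#!/bin/sh
# Added example (not gVisor project code and not from the issue thread).
# Blocks a sandboxed container's egress to one destination on the host
# bridge, keyed on the container's IP, instead of inside the sandbox's
# network namespace (which runsc's own network stack does not consult).
# Assumptions: bridge "docker0"; rules go in Docker's DOCKER-USER chain,
# which Docker evaluates before its own FORWARD rules; sample IPs below
# are constructed.

BRIDGE="${BRIDGE:-docker0}"       # assumed bridge name
CHAIN="${CHAIN:-DOCKER-USER}"     # assumed chain; set CHAIN=FORWARD if absent

# valid_ipv4 ADDR: returns 0 only for a dotted-quad IPv4 address. Anything
# else is refused so that a value read from `docker inspect` can never turn
# into extra iptables arguments when the rule string is executed.
valid_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# container_ip NAME: the container's address on the bridge, as Docker sees it.
container_ip() {
    docker inspect -f '{{range .NetworkSettings.Networks}}{{.IPAddress}}{{end}}' "$1"
}

# block_rule SRC_IP DST_IP: print the iptables command that drops packets the
# container sends through the bridge towards DST_IP.
block_rule() {
    valid_ipv4 "$1" && valid_ipv4 "$2" || return 1
    printf 'iptables -I %s -i %s -s %s -d %s -j DROP\n' "$CHAIN" "$BRIDGE" "$1" "$2"
}

# check_rule SRC_IP DST_IP: the same match with -C, which exits 0 only when
# the rule is already installed (keeps repeated runs idempotent).
check_rule() {
    valid_ipv4 "$1" && valid_ipv4 "$2" || return 1
    printf 'iptables -C %s -i %s -s %s -d %s -j DROP\n' "$CHAIN" "$BRIDGE" "$1" "$2"
}

# block_container NAME DST_IP: resolve the container IP and apply the rule.
# With DRY_RUN set, print the command instead of running it.
block_container() {
    ip=$(container_ip "$1") || return 1
    rule=$(block_rule "$ip" "$2") || { echo "bad address: $ip / $2" >&2; return 1; }
    if [ -n "$DRY_RUN" ]; then
        echo "$rule"
    else
        eval "$(check_rule "$ip" "$2") 2>/dev/null" || eval "$rule"
    fi
}

# Only act when invoked with arguments, e.g.:
#   sudo ./block.sh gvisor_con1 8.8.8.8
if [ "$#" -eq 2 ]; then
    block_container "$1" "$2"
fi
```

The rule matches on `-i docker0 -s <container IP>`, so it applies only to packets leaving that one container's veth, and a second customer container gets its own rule with its own IP on the same bridge rather than a separate bridge. Because the rule lives on the host, a process inside the sandbox holding NET_ADMIN can change the sandbox's own routes all it likes without affecting it. One check worth adding in a real deployment: container IPs change on restart, so re-run the script (or resolve the IP from a fixed `--ip` assignment) whenever the container is recreated.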

A friendly reminder that this issue had no activity for 120 days.