google / nsjail

A lightweight process isolation tool that utilizes Linux namespaces, cgroups, rlimits and seccomp-bpf syscall filters, leveraging the Kafel BPF language for enhanced security.

Home Page: https://nsjail.dev

Access port in namespace in host

DUOLabs333 opened this issue · comments

Let's say I start a service on port 9001 in the namespace. Is there a way to access it outside on the host (maybe through port forwarding)?

Hi,

There is no flag for port forwarding yet (?) and the easiest way to achieve what you want may be disabling the network namespace with the --disable_clone_newnet flag, as in:

nsjail -Mo --disable_clone_newns --disable_proc --disable_clone_newnet -- /bin/nc -vvv -n -l -p 1234

(this hosts netcat on 0.0.0.0:1234)

Of course note that it will reduce the isolation and as a result the jailed process would also be able to hit any other network service on the host on any of its network interfaces.

Or to modify this slightly, something along

nsjail -R / --port 40000 -Ml -- /bin/bash -c 'nc -l -p 9001 & sleep 1; nc 127.0.0.1 9001'

The first nc should be your server listening on 9001. The sleep is to make sure the port will be open by the app before the connection happens.

But, of course, this is for on-demand services. If you'd like to create a long running service in a net-namespace, then the design would have to be much more involved. Possibly we'd have to implement attaching to remote net namespaces in nsjail.

Something along the lines of unshare --net /proc/<pid>/ns/net.