From: "Bonface M. K."
To: "Zhu Zihao"
Cc: "help-guix@gnu.org"
Subject: Re: Port forwarding for Guix containers
Date: Fri, 20 Nov 2020 21:44:08 +0300
Message-ID: <86mtzb98cn.fsf@gmail.com>

"Zhu Zihao" writes:

> Hi, Guix users!
>
>
> I found guix container "created by `guix
> environment --container` or `guix system
> container`" is very useful to isolate some
> service. But it only supports fully isolated
> network namespace or just share with host, it's
> not so safe IMO.
>
>
>
> In Docker, there's port forwarding, allows you to
> share some ports of Guix container with host. I
> just learn something about docker's network
> mechanism, it looks quite complicated. It uses veth
> pair, network bridge and even iptables. Is there
> some idiomatic way to implement such port
> forwarding feature for Guix containers?
>
>
> Any answer or suggestions are appreciated.
>

I don't know if this is helpful, but you could
start a container with network access by passing
the "-N" flag. Here's an example:

--8<---------------cut here---------------start------------->8---
./pre-inst-env guix environment -N --ad-hoc wget -- wget "some-url"
--8<---------------cut here---------------end--------------->8---

I don't know if this is feasible, but you could
try using some third party tool to limit ports
from _inside_ the container...

HTH!

-- 
Bonface M. K.
Chief Emacs Bazu / Rieng ya software sare
Mchochezi of: / Twitter: @BonfaceKilz
GPG Key: D4F09EB110177E03C28E2FE1F5BBAE1E0392253F
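An added example, not part of the original message and not Guix code: a host-side relay that exposes exactly one service of a container left in its own network namespace (no "-N"), by forwarding a loopback TCP port to a Unix socket. It assumes the service inside the container listens on a Unix socket in a directory shared with the host through `--share`; the socket path and port in the usage comment are hypothetical.

```python
import socket
import sys
import threading

def pump(src, dst):
    """Copy bytes one way until EOF, then half-close the receiving side."""
    try:
        while (chunk := src.recv(65536)):
            dst.sendall(chunk)
    except OSError:
        pass  # peer reset: fall through and close our half
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass

def handle(client, unix_path):
    """Bridge one host TCP client to the container's Unix socket."""
    upstream = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    try:
        upstream.connect(unix_path)
        back = threading.Thread(target=pump, args=(upstream, client), daemon=True)
        back.start()
        pump(client, upstream)
        back.join()
    except OSError:
        pass  # service not listening: drop the client instead of hanging
    finally:
        client.close()
        upstream.close()

def forward(unix_path, port=0, host="127.0.0.1"):
    """Relay host:port (loopback by default) to unix_path; returns (listener, port)."""
    srv = socket.create_server((host, port))
    def accept_loop():
        while True:
            try:
                client, _ = srv.accept()
            except OSError:
                return  # listener was closed
            threading.Thread(target=handle, args=(client, unix_path), daemon=True).start()
    threading.Thread(target=accept_loop, daemon=True).start()
    return srv, srv.getsockname()[1]

if __name__ == "__main__":
    # Hypothetical usage: python3 relay.py /srv/box/run/app.sock 8080
    forward(sys.argv[1], int(sys.argv[2]))
    threading.Event().wait()  # serve until interrupted
```

Only the relayed socket is reachable from the host side; everything else in the container stays behind the isolated network namespace.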