From: Jason Conroy
Date: Sat, 21 Nov 2020 16:45:34 -0500
Subject: Re: Port forwarding for Guix containers
To: zimoun
Cc: help-guix@gnu.org, Zhu Zihao

I agree with Zihao that containers have certain use cases where it's important to use separate network namespaces for each instance, with traffic forwarded selectively between host and guest. Security (and hence firewalling) is part of the issue, but it's also about the container's maintainability and reproducibility.

Supposing that we've developed some system container that starts a service on port N. If we want to run another instance of the same container, we first need to override the port number for the service in our operating-system, otherwise the service in the second container will fail to bind to port N in the shared network namespace. With a couple of one-service containers this may not be so hard, but system containers in general could have lots of services, and the authors of individual containers may not want to worry about choosing port numbers that are mutually disjoint from those in all other containers (and those used by the container host itself).

Aside from the risk that one container's port bindings will prevent another container from working, there's also the risk of unintended dependencies: we might start a container thinking that it's self-contained, when really it depends on a service belonging to the container's host or to another container.
This is why I consider the shared namespace a reproducibility problem.

Lately I've been experimenting with a modified version of this script to set up a network namespace with its own interface and routes, and then run a guix system container inside. Because the container is built with the -N flag, its services will bind to the virtual interface inside the network namespace. Processes inside the container can access the internet, while processes on the host (but outside the container) can access the container services via the IP address bound to the container's interface.

Next, to make the container's services accessible to other hosts, there are a couple of options. One is to enable port forwarding from the host's external interface to the container's IP address using iptables. If the container is hosting a web service, another choice (as Edouard mentions) is for the host to run some sort of reverse proxy that forwards incoming requests to the container's port. For example, nginx and Apache can both do this.

It would be really nice if guix system containers had this namespacing ability built in, but it sounds complex.

On Sat, Nov 21, 2020 at 10:03 AM zimoun wrote:
> Hi,
>
> On Fri, 20 Nov 2020 at 19:26, Christopher Baines wrote:
> > Zhu Zihao writes:
> >
> >> I found guix container "created by `guix environment --container` or
> >> `guix system container`" is very useful to isolate some service. But
> >> it only supports fully isolated network namespace or just share with
> >> host, it's not so safe IMO.
> >
> > I'll assume that a fully isolated network namespace is safer in whatever
> > way you're referring to than a shared network namespace. However, for a
> > shared network namespace, what threats is that not safe in respect to?
> >
> > In the shared network namespace scenario, you are free to use a
> > firewall, which could help protect against threats coming from other
> > machines, for example by creating a list of IP addresses which are
> > allowed to connect, and dropping any other traffic.
>
> I do not know about the initial motivation and I do not know either if
> it makes sense in the context of “guix environment”. One point is that
> Docker [1] provides a way to specify the firewall rules. Well, somehow,
> something similar as ’--share’ but for network.
>
>
> 1:
>
> All the best,
> simon
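The namespace-plus-forwarding setup Jason describes above, as an added example that is not part of the original thread and not Guix's own tooling: a network namespace with its own veth interface and default route, masquerading for the container's outbound traffic, and a single DNAT rule exposing one container port to other hosts. The netns name, veth names, addresses, external interface eth0 and the DRY_RUN switch are assumptions; the container script path comes from `guix system container -N config.scm`.

```shell
#!/bin/sh
# Added example (not from the thread). Assumptions: Linux with iproute2/iptables,
# a container script produced by `guix system container -N config.scm`, and
# hypothetical names: netns guixbox, veth pair veth-host/veth-guix, subnet
# 10.200.0.0/24, external interface eth0. DRY_RUN=1 prints commands (they need root).
set -eu

NS=${NS:-guixbox}
HOST_IF=${HOST_IF:-veth-host}
NS_IF=${NS_IF:-veth-guix}
HOST_IP=${HOST_IP:-10.200.0.1}
NS_IP=${NS_IP:-10.200.0.2}
EXT_IF=${EXT_IF:-eth0}

run() { if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

# Namespace with its own veth interface, addresses and a default route via the host.
setup_netns() {
    run ip netns add "$NS"
    run ip link add "$HOST_IF" type veth peer name "$NS_IF"
    run ip link set "$NS_IF" netns "$NS"
    run ip addr add "$HOST_IP/24" dev "$HOST_IF"
    run ip link set "$HOST_IF" up
    run ip netns exec "$NS" ip link set lo up
    run ip netns exec "$NS" ip addr add "$NS_IP/24" dev "$NS_IF"
    run ip netns exec "$NS" ip link set "$NS_IF" up
    run ip netns exec "$NS" ip route add default via "$HOST_IP"
}

# Outbound internet for the container (assumes a default-DROP FORWARD chain):
# masquerade its subnet and allow replies back in.
allow_egress() {
    run sysctl -w net.ipv4.ip_forward=1
    run iptables -t nat -A POSTROUTING -s "$NS_IP/24" -o "$EXT_IF" -j MASQUERADE
    run iptables -A FORWARD -i "$HOST_IF" -o "$EXT_IF" -j ACCEPT
    run iptables -A FORWARD -i "$EXT_IF" -o "$HOST_IF" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

# Expose exactly one container port to other hosts: DNAT plus a matching FORWARD accept.
forward_port() {
    host_port=$1; ns_port=$2
    run iptables -t nat -A PREROUTING -i "$EXT_IF" -p tcp --dport "$host_port" -j DNAT --to-destination "$NS_IP:$ns_port"
    run iptables -A FORWARD -i "$EXT_IF" -o "$HOST_IF" -p tcp -d "$NS_IP" --dport "$ns_port" -m conntrack --ctstate NEW -j ACCEPT
}

# Run the container inside the namespace so its services bind to veth-guix, not the host's interfaces.
start_container() { run ip netns exec "$NS" "$1"; }
```

Typical use as root is `setup_netns; allow_egress; forward_port 80 8080; start_container /gnu/store/...-run-container`; every other container port stays reachable only from the host via 10.200.0.2.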