attach chroot-jail to switchd(8) ?


attach chroot-jail to switchd(8) ?

Thomas Huber
Hi all,

I'm just tinkering a little bit and try to mimic some "containerization" on
OpenBSD with chroot. Is it somehow possible to attach a chrooted
environment to switchd(8)?

Thanks
Thomas

Re: attach chroot-jail to switchd(8) ?

Reyk Floeter-2
switchd is already privsep'ed with a chroot jail.

But I don’t quite understand what you mean.

> On 23.05.2018 at 10:35, Thomas Huber <[hidden email]> wrote:


Re: attach chroot-jail to switchd(8) ?

Thomas Huber
Hi Reyk,

no it is not about chroot-ing switchd.
What I have in mind is a kind of poor-man's kubernetes or docker-swarm which
makes use of chroot(8), login.conf(5) and mount_vnd(8) to isolate, limit
and encapsulate some processes.
I'll call this the "chroot-jail" and thought it is common wording after
reading about this topic across the internet.
Like in this (kind of outdated) tutorial:
https://www.ibm.com/developerworks/community/blogs/karsten/entry/openbsd_chroot
The chroot-jail is basically an extracted base##.tgz plus dev, some users
and configs.
What I have in mind now with switchd is to attach these chroot-jails the
same way as a virtual machine.

But also not sure if this makes sense anyway.
It's more a kind of learning project for myself to see how things work and
if they play nicely together.
And if this set-up works I'd go on and use ansible to automate and to
"orchestrate" these parts.

Thomas



On 24 May 2018 at 00:35, Reyk Floeter <[hidden email]> wrote:

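The jail tree Thomas describes above (a base tarball extracted onto a vnd(4)-backed image, a /dev populated inside it, and a login.conf(5) class that caps the jail user) as an added sh example; this is not code from the thread or from OpenBSD itself. The mount point /var/jails/web, the image /var/jails/web.img, the vnd0 unit and the class name "jail" are assumptions, and the base tarball is passed in as an argument rather than guessed from base##.tgz.

```shell
#!/bin/sh
# Added example (not from the thread): build a chroot-jail tree on a vnd(4) image
# and give its service user a resource-capped login.conf(5) class.
# Assumed names: /var/jails/web, /var/jails/web.img, vnd0, class "jail".

# Print a login.conf class stanza. Arguments: class, memory cap, max procs, max open files.
jail_loginclass_stanza() {
    _class=$1 _mem=$2 _procs=$3 _files=$4
    printf '%s:\\\n' "$_class"
    printf '\t:datasize-max=%s:\\\n' "$_mem"
    printf '\t:memoryuse-max=%s:\\\n' "$_mem"
    printf '\t:maxproc-max=%s:\\\n' "$_procs"
    printf '\t:openfiles-max=%s:\\\n' "$_files"
    printf '\t:tc=default:\n'
}

# Append the stanza to a login.conf file unless the class is already defined there.
jail_loginclass_install() {
    _class=$1 _file=$2; shift 2
    if grep -q "^${_class}:" "$_file" 2>/dev/null; then
        return 0    # present already: edit it by hand instead of appending a duplicate
    fi
    jail_loginclass_stanza "$_class" "$@" >> "$_file"
    # a stale login.conf.db shadows the text file, so rebuild it when one exists
    if [ -f "${_file}.db" ]; then cap_mkdb "$_file"; fi
}

# Create the image, put a filesystem on it, extract the base set and populate /dev.
# Arguments: mount point, image file, size in MB, base tarball, optional vnd unit.
jail_image_create() {
    _root=$1 _img=$2 _size_mb=$3 _base=$4 _vnd=${5:-vnd0}
    mkdir -p "$_root"
    dd if=/dev/zero of="$_img" bs=1m count="$_size_mb"
    vnconfig "$_vnd" "$_img"          # older tutorials call this mount_vnd(8)
    newfs "/dev/r${_vnd}c"            # c spans the whole image, no disklabel step needed
    # nosuid: the setuid programs shipped in base (su, passwd, ...) must not be
    # able to regain privileges from inside the jail
    mount -o nosuid,noatime "/dev/${_vnd}c" "$_root"
    tar -xzphf "$_base" -C "$_root"
    (cd "$_root/dev" && sh ./MAKEDEV std)     # standard devices only
    rm -f "$_root/dev/mem" "$_root/dev/kmem"  # never expose kernel memory to the jail
    # belt and braces: drop setuid/setgid bits inside the tree as well
    find "$_root" -type f \( -perm -4000 -o -perm -2000 \) -exec chmod u-s,g-s {} +
}

if [ $# -gt 0 ]; then
    case $1 in
        image) shift; jail_image_create "$@" ;;
        class) shift; jail_loginclass_install "$@" ;;
        *) echo "usage: $0 image root img size_mb base.tgz [vndN] | class name file mem procs files" >&2
           exit 2 ;;
    esac
fi
```

Run as root on the host, e.g. `sh jail-build.sh image /var/jails/web /var/jails/web.img 2048 /path/to/base.tgz` and then `sh jail-build.sh class jail /etc/login.conf 256M 64 256`. The class is applied by setusercontext(3), i.e. by login(1), su(1) -c and ssh logins, not by chroot(8) -u, so assign it to the jail's service user with useradd -L or usermod -L and start services through a path that honours login classes.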

Re: attach chroot-jail to switchd(8) ?

Ken MacKenzie
I want to ask the question of why? And why this way? I think if you want
docker-like functionality, just add docker to openbsd. The best way to do so is
to add a lightweight linux into vmm and connect to that docker daemon. Alpine or
Rancher are probably the best bet for that.

I say nothing on the security of that. But at least you also get the critical
mass of pre-built images from the docker world. To me that is the real value of
docker anyway. As a containerization system I do not like it, but as a means to
make the OS less of a factor to an install, absolutely.

Just my thoughts.

On Thu, May 24, 2018 at 11:28:13AM +0200, Thomas Huber wrote:



Re: attach chroot-jail to switchd(8) ?

Thomas Huber
Hi Ken,

sure, that's the way to go for docker, kubernetes and [add buzzword here].
The _why_ is more about tinkering and getting deeper into the rabbit-hole.

Thomas


On 24 May 2018 at 12:51, Ken M <[hidden email]> wrote:

Re: attach chroot-jail to switchd(8) ?

Ken MacKenzie
I can appreciate the spirit of that. Carry on good sir.

Ken

On Thu, May 24, 2018 at 01:19:07PM +0200, Thomas Huber wrote:



Re: attach chroot-jail to switchd(8) ?

trondd-2
On Wed, May 23, 2018 4:35 am, Thomas Huber wrote:


OpenBSD's chroot is not like a Linux container or FreeBSD jail.  There is
no network isolation.  Inside the chroot, you get all the same interfaces,
IPs, routes, ports as on the "host" or in another chroot.  So doing
anything with the network in the chroot is exactly the same as doing it
normally.

If you want to isolate, you probably need vether or tap or the like to
make virtual interfaces and manually tie them to whatever you have running
in the chroots and manually set up proxies or whatever you need to make
services accessible.


Re: attach chroot-jail to switchd(8) ?

Claudio Jeker
On Thu, May 24, 2018 at 09:22:32AM -0400, trondd wrote:


This is only partially true. If you use alternate routing tables or
rdomain, route -T <id> exec will get you network isolation. Processes
cannot change the rtable unless they run as superuser. It is not perfect but
neither is the linux or freebsd solution when it comes to networking.

--
:wq Claudio
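The rdomain approach Claudio describes, combined with trondd's vether suggestion, as an added sh example that is not part of the thread or of OpenBSD: a vether(4) is moved into a routing domain, and a service is started in the chroot tree with `route -T <id> exec` as an unprivileged user. Before anything is launched the tree is audited for setuid/setgid files and world-writable directories, the two things a local escalation inside a chroot usually starts from. The rdomain number 1, the interface vether1, the address 10.0.1.1/24, the tree /var/jails/web and the user and group name _web are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): give a chroot tree its own routing domain
# and refuse to start anything in it until the tree passes a quick audit.
# Assumed names: rdomain 1, vether1, 10.0.1.1/24, /var/jails/web, user/group _web.

# OpenBSD routing table ids run from 0 to 255 (RT_TABLEID_MAX).
rdomain_valid() {
    case $1 in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 0 ] && [ "$1" -le 255 ]
}

# Print setuid/setgid files and world-writable non-sticky directories under the
# tree; returns 1 if there are any. A jail that only runs an unprivileged user
# should contain neither.
jail_audit() {
    _root=$1
    _bad=$(find "$_root" \( \( -type f \( -perm -4000 -o -perm -2000 \) \) \
                         -o \( -type d -perm -0002 ! -perm -1000 \) \) -print 2>/dev/null)
    if [ -n "$_bad" ]; then
        printf 'jail_audit: refusing %s, offending paths:\n%s\n' "$_root" "$_bad" >&2
        return 1
    fi
}

# Put a vether(4) into the routing domain and address it. Moving an interface
# between rdomains clears its addresses, so the address is set afterwards.
jail_net_setup() {
    _rd=$1 _if=$2 _addr=$3
    rdomain_valid "$_rd" || { echo "jail_net_setup: bad rdomain $_rd" >&2; return 1; }
    ifconfig "$_if" create 2>/dev/null || true   # already exists on re-runs
    ifconfig "$_if" rdomain "$_rd"
    ifconfig "$_if" inet "$_addr" up
    # check from the host: the domain's routes are only visible through -T
    route -T "$_rd" -n show -inet
}

# Start a command in the tree, in the domain, as an unprivileged user. The child
# inherits the rtable and cannot switch back without superuser privilege (the
# point made above), and chroot -u drops it to the service user before exec.
jail_run() {
    _rd=$1 _root=$2 _user=$3; shift 3
    rdomain_valid "$_rd" || return 1
    jail_audit "$_root" || return 1
    exec route -T "$_rd" exec chroot -u "$_user" -g "$_user" "$_root" "$@"
}

if [ $# -gt 0 ]; then
    case $1 in
        net)   shift; jail_net_setup "$@" ;;
        audit) shift; jail_audit "$@" ;;
        run)   shift; jail_run "$@" ;;
        *) echo "usage: $0 net rd ifname addr/len | audit root | run rd root user cmd ..." >&2
           exit 2 ;;
    esac
fi
```

Typical sequence as root: `sh jail-net.sh net 1 vether1 10.0.1.1/24`, then `sh jail-net.sh run 1 /var/jails/web _web /bin/sh`; inside, `route -n show` lists only rdomain 1. Traffic between the domain and the host's table still has to be allowed explicitly, for instance with a pf.conf(5) rule carrying the rtable option. What this does not give you is process or filesystem isolation beyond chroot itself: the process table is shared, so ps inside the jail still lists host processes.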


Re: attach chroot-jail to switchd(8) ?

trondd-2
On Thu, May 24, 2018 1:28 pm, Claudio Jeker wrote:


Sorry, yes.  I meant to mention rdomains, which I think is a pretty cool
option worth tinkering with.


Re: attach chroot-jail to switchd(8) ?

Thomas Huber
rdomain is interesting, wasn't aware of that.
Thanks for this input Claudio.

On 24 May 2018 at 19:58, trondd <[hidden email]> wrote:


