I think I got it. Basically what I did was to setup a veth to link the namespace and the host networking then setup IPs and some iptables rules to give it Internet access. Unfortunately that weird bug keeps happening but now I know how to do this kind of isolation. Maybe I should bond the ethernet and the WiFi interfaces so the namespace would get Internet either with WiFi or cable but that's future work. If I start the unit [0], it sets up all the required things and the namespace is ready, if I stop the unit then the namespace, iptables rules, the veth and so on are destroyed. Idempotent, I like it. To use it in another unit I just add it to the dependencies [1] and set up to use that namespace [2] with PrivateNetwork [3] enabled. [0] https://github.com/lucasew/nixcfg/blob/a3e520b54fbe4be59f9b4337c917c8c69e442dc9/nodes/bootstrap/netns.nix#L11 [1] https://github.com/lucasew/nixcfg/blob/fcb01c538d2ef19396d3799e82ca9cb585b71591/nodes/common/dhtcrawler.nix#L75 [2] https://github.com/lucasew/nixcfg/blob/fcb01c538d2ef19396d3799e82ca9cb585b71591/nodes/common/dhtcrawler.nix#L84 [3] https://github.com/lucasew/nixcfg/blob/fcb01c538d2ef19396d3799e82ca9cb585b71591/nodes/common/dhtcrawler.nix#L97 Em ter., 17 de jan. de 2023 às 17:03, Lucas Eduardo <lucas59356@xxxxxxxxx> escreveu: > > I am working on a service unit for a DHT crawler. > > For some reason, it doesn't work well with the default network settings > because it seems to use a huge amount of traffic for a very small > amount of findings. > > The same program works fine via docker, but I want to package it as a > hardened systemd unit. > > A difference between the network layout in Docker and the host is that > Docker only exposes the "lo" interface and an upstream one, and the host > exposes everything and I think it's causing some kind of conflict. > > How can I implement this Docker behaviour in systemd? > > I tried using PrivateNetwork but it kills any Internet access because > only localhost is available. > > Is there any not so well known feature to implement this? > > I am running systemd 251.7 on NixOS. I already have experience > converting systemd stuff to the way the NixOS module system understands. > > Thanks in advance
Re: [Question] How to make services only see only one external network interface and loopback
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
- Subject: Re: [Question] How to make services only see only one external network interface and loopback
- From: Lucas Eduardo <lucas59356@xxxxxxxxx>
- Date: Sat, 21 Jan 2023 10:26:22 -0300
- In-reply-to: <CAC_ByvMb3AhnPETbEFLGohv6qPLQz=rK6T-1KD0+OV-uVumbBw@mail.gmail.com>
- References: <CAC_ByvMb3AhnPETbEFLGohv6qPLQz=rK6T-1KD0+OV-uVumbBw@mail.gmail.com>
- References:
- Prev by Date: Re: mkosi Unable to locate embedded .linux section: Load Error
- Next by Date: Re: mkosi Unable to locate embedded .linux section: Load Error
- Previous by thread: Re: [Question] How to make services only see only one external network interface and loopback
- Next by thread: mkosi Unable to locate embedded .linux section: Load Error
- Index(es):
 |