Closed kris7t closed 4 years ago
This is a bug, thanks. It works fine for ISC DHCP client (isc-dhcp-client package on debian). You do need to start the sandbox as root in order to run the client. You would start the client as "dhclient -v eth0".
I get the same message even if I mount tmpfs to /var/lib/dhcp
/var/lib/dhcp is used by isc-dhcp-client. Apparently dhcpcd uses /var/lib/dhclient, try a --tmpfs=/var/lib/dhclient. For /var/lib/dhcp we mount by default a tmpfs on top of it. I'll try to bring in a fix.
Thanks!
(Sorry if this derails a bit, or I maybe should open a new issue, but: ) Is there any chance I could do DHCP without running the container as root? I guess the main difficulty is that the client has to run while the sandbox is active (I can't just acquire an IP calling a DHCP client once in sandbox_if_up
, because the lease may run out).
OK, seems to be a dhcpcd problem with the way they detect the ethernet interfaces, but idc-dhcp-client works fine.
Is there any chance I could do DHCP without running the container as root?
No, you need to be root to run a DHCP client. I'll add support for dhcp client support directly in the sandbox. At startup, the sandbox is root, so it should be able to run a client this way. I'll mark it as an enhancement for now.
Thanks for the pointers! I was playing around a bit with this:
$ sudo firejail --net=virbr0 --ip=none --noprofile --dns=fd00::1:8:1 --dns=192.168.122.1 --shell=/usr/bin/bash
Parent pid 38815, child pid 38816
The new log directory is /proc/38816/root/var/log
Warning: cannot configure default route
Interface MAC IP Mask Status
lo 127.0.0.1 255.0.0.0 UP
Default gateway configuration failed
DNS server fd00::1:8:1
DNS server 192.168.122.1
Child process initialized in 533.89 ms
[root@KRiS-Blushweaver kris]# dhclient -4 -sf /usr/local/bin/dhclient-script-firejail eth0
[root@KRiS-Blushweaver kris]# dhclient -6 -sf /usr/local/bin/dhclient-script-firejail eth0
[root@KRiS-Blushweaver kris]# ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0@if18: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
link/ether 0e:8c:80:1e:fa:ba brd ff:ff:ff:ff:ff:ff link-netnsid 0
inet 192.168.122.174/24 brd 192.168.122.255 scope global eth0
valid_lft forever preferred_lft forever
inet6 fd00::1:8:fff7/128 scope global dynamic
valid_lft 3597sec preferred_lft 3597sec
inet6 fe80::c8c:80ff:fe1e:faba/64 scope link
valid_lft forever preferred_lft forever
[root@KRiS-Blushweaver kris]# killall dhclient
[root@KRiS-Blushweaver kris]# exit
exit
Parent is shutting down, bye...
Looks like dhclient
on its own won't work with a read-only /etc
, because it tries to create a new resolv.conf
. As a workaround, dhclient-script
can be modified to skip hostname and DNS resolver setting, and we can rely on the DNS servers passed to firejail
on the command line. Furthermore, the dhclient
processes must be killed before the sandbox can cleanly shut down.
I still have some wonkyness regarding IPv6 forwarding, but I suspect that's because I am doing a very evil thing (stateful NAT66).
I am using the network isolation feature of firejail with a network bridge managed by libvirt (
virbr0
), so I can set up networking for sandboxes similarly to virtual machines. While firejail can auto-assign an IPv4 address by ARP scanning for a free address, there is no such feature for IPv6. Moreover, I would like to avoid clashes between sandboxed and (powered-off) virtual machines, so I would like to let the DHCP server (dnsmasq) managed by libvirt to handle address allocation of my sandboxes. (While I could assign an address manually to each and every sandbox, that would be much more error prone. I prefer to do manual assignments in one place in the libvirt config by MAC address.)I set up DHCP for IPv4 (from a /24 block) and stateful DHCP6 for IPv6 (from a /112 prefix) in libvirt. I was experimenting with running
dhcpcd
in a--noprofile
sandbox (in a real setup, ansbox_run
call during sandbox initialization would probably replacesudo
and--noprofile
, but I didn't get that far) as follows:I get the same message even if I mount
tmpfs
to/var/lib/dhcp
, or when I run thefirejail
command as root.If there a way to auto-configure networking inside the sandbox by DHCP? Are there any security implications I should be aware of?