rootless-containers / slirp4netns

User-mode networking for unprivileged network namespaces
GNU General Public License v2.0

Interaction with bwrap --dev #311

Open aerusso opened 1 year ago

aerusso commented 1 year ago

First of all, I'm sorry if this is the wrong place for this question. I'm running slirp4netns 1.2 on Debian unstable

$ slirp4netns -v
slirp4netns version 1.2.0
commit: 656041d45cfca7a4176f6b7eed9e4fe6c11e8383
libslirp: 4.7.0
SLIRP_CONFIG_VERSION_MAX: 4
libseccomp: 2.5.4

I'm trying to use slirp4netns with bwrap. This works fine: just replace unshare --net with bwrap --unshare-net in the tutorial. However, I want to also use bwrap --dev /dev. This breaks with the error:

% slirp4netns --configure --mtu=35520 --disable-host-loopback $PID tap0
setns(CLONE_NEWNET): Operation not permitted
child failed(1)

What makes this weirder is that I didn't even use bwrap --dev /dev. I used bwrap --unshare-net --dev /tmp/anotherpath (though it also breaks if you do --dev /dev).

Am I doing something wrong? Before I go dive into the bubblewrap source, does anyone have any ideas on how I can use slirp4netns with bubblewrap and a private devtmpfs?

igo95862 commented 1 year ago

This is because when --dev is used there will be an extra unbounded user namespace.

https://github.com/util-linux/util-linux/issues/1592#issuecomment-1279939987

You need to first switch to that user namespace before launching slirp4netns, using the NS_GET_PARENT ioctl. This is what my sandbox project does.

https://github.com/igo95862/bubblejail/blob/99b3c72f71b34dbb80dfc9ecdd5882944c733c9c/src/bubblejail/services.py#L831
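The check and launch igo95862 describes, as an added example for this thread (not slirp4netns or bubblejail code): it walks NS_GET_PARENT outward from /proc/PID/ns/user, uses NS_GET_USERNS to confirm which level actually owns the sandbox's net namespace, and hands that user namespace to slirp4netns. Assumed: slirp4netns's --userns-path option accepting a /proc/self/fd/N path, and the helper names, which are mine.

```python
import fcntl
import os
import subprocess

NSIO = 0xB7                        # <linux/nsfs.h>: requests are _IO(NSIO, nr)
NS_GET_USERNS = (NSIO << 8) | 0x1  # 0xb701: fd of the user ns owning a ns fd
NS_GET_PARENT = (NSIO << 8) | 0x2  # 0xb702: fd of the parent of a user/pid ns


def ns_ident(fd):
    """A namespace is identified by (st_dev, st_ino) of its nsfs inode."""
    st = os.fstat(fd)
    return (st.st_dev, st.st_ino)


def userns_chain(pid, max_depth=8):
    """[(fd, ident), ...] from /proc/PID/ns/user outward through its parents.
    NS_GET_PARENT fails with EPERM once the parent is outside our view, which
    ends the walk. With bwrap --dev the chain starts [extra ns, owner ns, ...]."""
    fd = os.open(f"/proc/{pid}/ns/user", os.O_RDONLY | os.O_CLOEXEC)
    chain = [(fd, ns_ident(fd))]
    while len(chain) < max_depth:
        try:
            fd = fcntl.ioctl(fd, NS_GET_PARENT)   # returns the new fd
        except OSError:
            break
        chain.append((fd, ns_ident(fd)))
    return chain


def owner_depth(chain_idents, owner_ident):
    """Levels above /proc/PID/ns/user at which the net ns owner sits:
    0 = plain bwrap --unshare-net, 1 = bwrap --dev, None = not an ancestor."""
    return chain_idents.index(owner_ident) if owner_ident in chain_idents else None


def start_slirp4netns(pid, tap="tap0"):
    """Launch slirp4netns with --userns-path pointing at the owning user ns,
    so its own setns(CLONE_NEWNET) has CAP_SYS_ADMIN in the right namespace."""
    netns = os.open(f"/proc/{pid}/ns/net", os.O_RDONLY | os.O_CLOEXEC)
    owner = fcntl.ioctl(netns, NS_GET_USERNS)   # fd of the user ns owning netns
    chain = userns_chain(pid)
    depth = owner_depth([ident for _, ident in chain], ns_ident(owner))
    if depth is None:
        raise RuntimeError("net ns owner is not an ancestor of the target's user ns")
    cmd = ["slirp4netns", "--configure", "--disable-host-loopback",
           f"--userns-path=/proc/self/fd/{owner}", str(pid), tap]
    return subprocess.Popen(cmd, pass_fds=(owner,)), depth
```

Run start_slirp4netns(PID) from the process that started bwrap; the returned depth tells you whether the extra namespace was present (1) or not (0).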