| 1 |
Dnia 2015-01-22, o godz. 00:34:35 |
| 2 |
Luis Ressel <aranea@×××××.de> napisał(a): |
| 3 |
|
| 4 |
> On Wed, 21 Jan 2015 10:38:20 -0500 |
| 5 |
> Rich Freeman <rich0@g.o> wrote: |
| 6 |
> |
| 7 |
> > On Wed, Jan 21, 2015 at 10:00 AM, Alexis Ballier |
| 8 |
> > <aballier@g.o> wrote: |
| 9 |
> > > On Wed, 21 Jan 2015 11:05:34 +0100 |
| 10 |
> > > Michał Górny <mgorny@g.o> wrote: |
| 11 |
> > > |
| 12 |
> > >> Hello, developers. |
| 13 |
> > >> |
| 14 |
> > >> As you may recall, the main blocker for wide-establishment of |
| 15 |
> > >> FEATURES=network-sandbox prohibiting network access within the |
| 16 |
> > >> build environment is distcc. Since all connectivity is disabled, |
| 17 |
> > >> distcc can no longer reach other distcc servers and build |
| 18 |
> > >> efficiently. I therefore find it important to figure out a |
| 19 |
> > >> solution. |
| 20 |
> > >> |
| 21 |
> > >> I see two generic approaches possible here: |
| 22 |
> > >> |
| 23 |
> > >> 1. proxying distcc from within the build environment, or |
| 24 |
> > >> |
| 25 |
> > >> 2. moving distcc-spawned processes back to parent's namespace. |
| 26 |
> > > |
| 27 |
> > > |
| 28 |
> > > I haven't followed this at all, so this might be very stupid: |
| 29 |
> > > Isn't it possible to whitelist distcc hosts ? |
| 30 |
> > |
| 31 |
> > That would only work with a proxy of some kind. |
| 32 |
> > |
| 33 |
> > A process running in a separate network namespace doesn't see any |
| 34 |
> > network interfaces. It can't even get as far as iptables/etc for some |
| 35 |
> > kind of filtering. Now, you could define an interface in the new |
| 36 |
> > namespace, and then bridge that to the host network, and then apply |
| 37 |
> > iptables rules to it. |
| 38 |
> > |
| 39 |
> |
| 40 |
> Your last sentence mentions a nice possibility: |
| 41 |
> 1) Connect the sandbox network namespace to the global namespace (using |
| 42 |
> a veth pair?) |
| 43 |
> 2) Enable forwarding (if I understand it right, it's even possible to |
| 44 |
> do this for individual interfaces instead of globally, using |
| 45 |
> /proc/sys/net/ipv{4,6}/conf/veth0 ) |
| 46 |
> 3) Set up suitable rules in the netfiler FORWARD chain to ensure only |
| 47 |
> distcc gets through |
| 48 |
> 4) Set up SNAT or MASQUERADE in netfilter's nat table |
| 49 |
> 5) There you go! |
| 50 |
> |
| 51 |
> This is beautiful because is doesn't require any userland proxies, but |
| 52 |
> of course, it would be difficult to set up in an automated fashion. So |
| 53 |
|
| 54 |
Yes, and it involves changing host's configuration which I would really |
| 55 |
like to avoid. It should be something that can be done purely |
| 56 |
in network namespace of the build, and securely, and without having to |
| 57 |
parse distcc configuration, and without extra kernel features... |
| 58 |
|
| 59 |
-- |
| 60 |
Best regards, |
| 61 |
Michał Górny |
Archives