Oniux - how can I access localhost service

I understand Oniux separates out everything. Are there any options to allow the bypass for a localhost service?

You can access some local services (over TCP or UDP) with the help of slirp4netns.

Example

Terminal 1: start oniux and print the inode number of the new network namespace

(host)$ ./oniux sh
(namespace)$ ls -l /proc/self/ns/net
… /proc/self/ns/net -> net:[4000000001]

Terminal 2: find the related PID of this network namespace

(host)$ lsns --type net|grep 4000000001
4000000001 net       2   3000 haha unassigned      ./oniux sh

Terminal 2: create a TAP device in this network namespace

(host)$ nsenter --preserve-credentials --keep-caps --target 3000 --user --net
(namespace)$ ip tuntap add mode tap name tap0
(namespace)$ ip addr add 10.0.2.100/24 dev tap0
(namespace)$ ip addr add fd00::100/64 dev tap0
(namespace)$ ip link set tap0 up
(namespace)$ ip route add 10.0.2.0/24 dev tap0 via 10.0.2.2
(namespace)$ ip route add fd00::/64 dev tap0 via fd00::2
(namespace)$ exit

Terminal 2: start slirp4netns

(host)$ slirp4netns --enable-ipv6 3000 tap0

Terminal 1: try accessing some local services

(namespace)$ nc 10.0.2.2 65535
# 127.0.0.1:65535
(namespace)$ nc -u fd00::2 65535
# [::1]:65535

Thank you for the information. I haven’t had a chance to try it yet, but as soon as I do, I’ll come back and update this again.

OK, finally getting around to trying this. Everything went well until I tried to run the command with --keep-caps. Evidently Debian’s version of nsenter (I’m on the latest release with all updates) doesn’t support --keep-caps yet, so I’ll have to find a way to work around that.

I tried the nsenter command without --keep-caps and it returned to the prompt, but when I tried ip tuntap… it said ioctl(TUNSETIFF): Operation not permitted.

I’m running Oniux as a user, not root, and these commands as that same user. Do I need to sudo these commands first?

You don’t need to run nsenter as the root user, but without --keep-caps you may not retain the CAP_NET_ADMIN capability in the user namespace created by oniux.

Note: according to the rules above, if a process with nonzero user IDs performs an execve(2) then any capabilities that are present in its permitted and effective sets will be cleared.
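As an added example that is not part of this thread or of the oniux or slirp4netns projects, the POSIX shell script below automates the terminal-2 steps from the answer above and, before creating the TAP device, reads the CapEff mask of a process entered with nsenter and checks it for CAP_NET_ADMIN, the capability that --keep-caps preserves and that the TUNSETIFF ioctl needs. The function names, the ONIUX_NS_INODE variable and the file name are my own choices; the addresses and commands are the ones in the example above, and util-linux 2.40 or newer is assumed so that nsenter accepts --keep-caps.

```shell
#!/bin/sh
# Added example for this thread (not oniux's or slirp4netns's own tooling).
# Automates the slirp4netns steps from the answer above: find the PID owning the
# oniux network namespace, confirm the nsenter'd process still holds CAP_NET_ADMIN,
# then create tap0 and start slirp4netns. Assumes util-linux >= 2.40 for
# `nsenter --keep-caps` and the same addresses (10.0.2.0/24, fd00::/64) as above.

# Pull the inode out of `ls -l /proc/self/ns/net` output, e.g.
#   "... /proc/self/ns/net -> net:[4000000001]"  ->  4000000001
ns_inode_from_ls() {
    printf '%s\n' "$1" | sed -n 's/.*net:\[\([0-9][0-9]*\)\].*/\1/p'
}

# Given `lsns --type net` output (columns NS TYPE NPROCS PID ...) and an inode,
# print the PID of a process living in that namespace; prints nothing if absent.
pid_from_lsns() {
    printf '%s\n' "$1" | awk -v ns="$2" '$1 == ns { print $4; exit }'
}

# CapEff in /proc/<pid>/status is a hex bitmask; CAP_NET_ADMIN is bit 12.
# ip tuntap (TUNSETIFF) needs it in the user namespace that owns the netns.
has_cap_net_admin() {
    [ $(( 0x$1 & (1 << 12) )) -ne 0 ]
}

# Effective capabilities a command gets after entering the oniux user+net namespaces.
# Extra nsenter flags (e.g. --keep-caps) are passed through after the PID.
probe_capeff() {
    pid=$1; shift
    nsenter --preserve-credentials "$@" --target "$pid" --user --net \
        awk '/^CapEff:/ { print $2 }' /proc/self/status
}

setup_tap() {
    pid=$1
    capeff=$(probe_capeff "$pid" --keep-caps) || return 1
    if ! has_cap_net_admin "$capeff"; then
        echo "CapEff=$capeff after nsenter: no CAP_NET_ADMIN, tap creation would fail" >&2
        return 1
    fi
    # Same commands as the terminal-2 session above, run in one nsenter'd shell.
    nsenter --preserve-credentials --keep-caps --target "$pid" --user --net sh -e -c '
        ip tuntap add mode tap name tap0
        ip addr add 10.0.2.100/24 dev tap0
        ip addr add fd00::100/64 dev tap0
        ip link set tap0 up
        ip route add 10.0.2.0/24 dev tap0 via 10.0.2.2
        ip route add fd00::/64 dev tap0 via fd00::2
    '
    # Stays in the foreground until the namespace goes away.
    slirp4netns --enable-ipv6 "$pid" tap0
}

# Usage: ONIUX_NS_INODE=4000000001 sh oniux-slirp.sh
# (the inode is what `ls -l /proc/self/ns/net` prints inside the oniux shell)
if [ -n "${ONIUX_NS_INODE:-}" ]; then
    pid=$(pid_from_lsns "$(lsns --type net)" "$ONIUX_NS_INODE")
    [ -n "$pid" ] || { echo "no net namespace with inode $ONIUX_NS_INODE" >&2; exit 1; }
    setup_tap "$pid"
fi
```

The capability probe is the part that explains the ioctl(TUNSETIFF) error reported in this thread: if the nsenter'd process shows a CapEff of all zeros, --keep-caps was either unavailable or not honoured, and no amount of sudo on the host side changes what the process holds inside the oniux user namespace.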


LuckyURE:
Evidently Debian’s version (I’m on the latest release with all updates) of nsenter doesn’t support --keep-caps

nsenter has had the --keep-caps flag since v2.40-rc1:
https://www.kernel.org/pub/linux/utils/util-linux/v2.40/v2.40-rc1-ChangeLog
https://packages.debian.org/search?keywords=util-linux&searchon=names&suite=all&section=all

Update: I was having a terrible time trying to get that to work for some reason. So I thought, why not just run both my services in the same namespace? So I wrote a script to use Oniux for both services in the same namespace and that helped. I was also playing with torify and torsocks, but in the long run I think Oniux will eventually be a much better choice.

I’m at the point where, no matter which option I try, something goes wrong and my second app won’t talk to the first one if they are both running through any type of Tor process. If I use curl, even with torify, it works fine against my API.

So I’m not sure what’s up with my application not working properly when it’s run through Tor. It’s almost like the JSON calls are being mutilated, as it works fine without Tor.

LuckyURE:
So I thought, why not just run both my services in the same namespace? So I wrote a script to use Oniux for both services in the same namespace and that helped.

Every time oniux starts, 4 new namespaces (user, mount, PID and network) are created; you may want to use the nsenter command to run more services in the previous namespaces.