Home / server / Questions / 390565
Accepted
Vi.
Asked: 2012-05-19 06:56:18 +0800 CST

How to start external programs in "unshare" container, with sending of file descriptors?

  • 772

With unshare or lxc-execute I can create environments with separate network/mount/whatever namespaces. But starting programs there from outside is not really straightforward. Usually network and sshd is used, I also use UNIX socket with socat executing shell to start new processes on it.

Is there already a program that allows to starting applications inside unshares easily? Client program is expected to connect to UNIX socket and send (SCM_RIGHTS) stdin/stdout/stderr to server. Server is expected to be started inside unshare and receive argv, environment and fds and start them.

Something like that:

# unshare -nm /usr/local/bin/dived /var/run/myunshare.socket
# # (Non-abstract unix sockets are preserved across "unshare -m")
# dive /var/run/myunshare.socket ping 8.8.8.8
connect: Network is unreachable
linux lxc

1 Answers

  1. Best Answer

    Created program to do this myself:

    https://github.com/vi/dive

    Example:

    # umask 0000
# # Create no-network namespace
# unshare -n -- dived /var/run/no_network.socket -d

$ dive /var/run/no_network.socket bash
$ # Now inside unshare. Shell should work well, can start X apps, etc.
$ ping 127.0.0.1
connect: Network is unreachable
$ # actually no network
$ id
$ uid=1000(vi) gid=1000(vi) groups=1000(vi),20(dialout),21(fax),...
$ # dived set up groups for us
$ exit
exit
$ # "undove"

# killall dived
    • 0