Linux: Is there handy way to exec a program binding it to IP-address of choice

freebsd, ip, jails, linux, lxc

In FreeBSD 4.9 it was very easy to accomplish with just a single command like

jail [-u username]  path hostname ip-number command

if path was / you had running just the same program as usual but all its network communication was restricted to use only given IP-address as the source. Sometimes it's very handy.

Now in Linux there's LXC, which does look very similar to FreeBSD's jail (or Solaris' zones) — can you think of similar way to execute a program?

Best Answer

Starting the process inside a network namespace that can only see the desired IP address can accomplish something similar. For instance, suppose I only wanted localhost available to a particular program.

First, I create the network namespace:

ip netns add limitednet

Namespaces have a loopback interface by default, so next I just need to bring it up:

sudo ip netns exec limitednet ip link set lo up

Now, I can run a program using ip netns exec limitednet and it will only be able to see the loopback interface:

sudo ip netns exec limitednet ip addr show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever

If I wanted to limit it to an address other than localhost, I could add other interfaces into the namespace using:

ip link set DEVICE_NAME netns NAMESPACE

I'd have to experiment a bit more to figure out how to add a single IP address into a namespace in the case where an interface might have more than one IP address.

The LWN article on namespaces is also helpful.
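One way to get the "single source address" behaviour the question asks for, as an added example that is not part of the answer above: instead of moving a whole multi-address interface into the namespace, give the namespace one veth link to the host and SNAT everything leaving it to the one chosen host address. The namespace name limitednet, the uplink eth0, the chosen address 192.0.2.10 (assumed to already be configured on eth0) and the 10.200.1.0/24 transit network are all assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Confines a program to a namespace
# whose only exit is a veth pair, and rewrites its traffic to ONE chosen host
# address, so that address is the only source IP the program can ever present.
# Assumptions: root, iproute2 and iptables; the chosen address is already on the
# uplink (otherwise replies never come back); interface names stay <= 15 chars.
# Set NETNS_DRY_RUN=1 to print the commands instead of executing them.

run() {
    if [ "${NETNS_DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# netns_pin_source NAMESPACE UPLINK SOURCE_IP
netns_pin_source() {
    ns=$1; uplink=$2; src=$3
    run ip netns add "$ns"
    # vh-<ns> stays on the host, vn-<ns> is moved into the namespace
    run ip link add "vh-$ns" type veth peer name "vn-$ns"
    run ip link set "vn-$ns" netns "$ns"
    run ip addr add 10.200.1.1/24 dev "vh-$ns"
    run ip link set "vh-$ns" up
    run ip netns exec "$ns" ip link set lo up
    run ip netns exec "$ns" ip addr add 10.200.1.2/24 dev "vn-$ns"
    run ip netns exec "$ns" ip link set "vn-$ns" up
    run ip netns exec "$ns" ip route add default via 10.200.1.1
    run sysctl -q -w net.ipv4.ip_forward=1
    # Only the namespace's single transit address is rewritten, and only to the
    # chosen IP; the program inside cannot pick any other source address.
    run iptables -t nat -A POSTROUTING -s 10.200.1.2/32 -o "$uplink" \
        -j SNAT --to-source "$src"
}

# netns_run NAMESPACE COMMAND... : run a program confined to that namespace
netns_run() {
    ns=$1; shift
    run ip netns exec "$ns" "$@"
}

# Usage (as root):
#   netns_pin_source limitednet eth0 192.0.2.10
#   netns_run limitednet ip addr show
```

The SNAT rule is what pins the source: inside the namespace the program sees only 10.200.1.2 and lo, and the host translates that one address to the chosen IP on the way out.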
