[COFF] A little networking tool to reduce having to run emulators with privilege

Steffen Nurpmeso steffen at sdaoden.eu
Thu Sep 24 09:50:22 AEST 2020


Hello.

Sorry for the late reply, very last summer day with cold and rainy
days to come, and then i really turned on the TV on a non-Sunday
for the first time for long, to watch the German film
"Gundermann", which i had on my list ever since i heard of
it.

This thread also gives me the feeling of being twisted and
wrapped, .. but you know, feelings, pah.

Grant Taylor wrote in
 <b94c3a89-b6ca-b7d4-dd24-ddf7c00283c9 at spamtrap.tnetconsulting.net>:
 |On 9/22/20 3:53 PM, Steffen Nurpmeso wrote:
 ...
 |> Ha.  That could very well be because i was desperately trying to 
 |> create a bridge all the time, but it just was not working at all. 
 ...
 |Were you trying to bridge things to a wireless NIC?
 |
 |> You know, to me this is just a programmatic problem, i just do 
 |> not understand.  Why does it matter whether you have eth0 or wlp1s0?
 |
 |IMHO the name of the device doesn't matter.
 |
 |But the name does imply what type of device it is.  eth0 is almost 
 |always wired (but there is no guarantee).  After looking it up, wlp1s0 
 |seems to imply Wi-Fi.
 |
 |Wi-Fi tends to imply other problems specific to Wi-Fi.
 ...
 |> why can i create a bridge on one but not the other?
 |
 |Because some Wi-Fi cards have problems related to multiple MAC 
 |addresses.  Problems like they simply refuse to allow them.
 |
 |So the problem that it sounds like you're running into is that the Wi-Fi 
 |is refusing to do anything useful with the Ethernet frames that are 
 |being bridged to it.
 |
 |Aside:  EBTables may be able to help resolve this problem.  But that's 
 |another kettle of fish.

This i have never used, i do not have it installed.
But you mention it -- what i did not understand is why it is not
"simply" made a policy that when you want to create a software
bridge device, you can create it.  In the end i expect the problem
to manifest in only a few bytes of data?

 |> That does not make sense.
 |
 |Once you understand some of Wi-Fi's inherent limitations, it should also 
 |make sense to you.

Well i never had doubts there are some technical reasons, i just
did not know them, and there were no nice error messages nor
documentation of the problem.  But given that it _does_ work for
some drivers i was also sure that the actual problem is more of
a notational sort, so to say, and then i did not understand why
the creation of a software bridge does not take appropriate steps
to make this happen.

 |> Just do it?
 |
 |It (Wi-Fi) probably can't or won't do anything useful with an Ethernet 
 |frame that has a different source MAC address.
 |
 |Ergo, bridging with Wi-Fi typically is problematic or simply doesn't 
 |work.  It's a limitation of Wi-Fi, not bridging technology.

I could say "heck, but if ..

 |> It works when i inject a VETH pair[.]

then it can be done".

 |> It works when i inject a VETH pair, so may it be like this.

But i do not.

  ..
 |> I do not use a bridge on the host.  This i cannot do.
 |
 |I trust that you believe what you are saying.  I question the deep 
 |technical merits of it.  Including using things like EBTables to NAT* 
 |the source MAC address to that of the Wi-Fi card.
 |
 |*NAT typically applies to layer 3 IP addresses.  But the same concept is 
 |being done to layer 3 Ethernet addresses.

Well if i had the time and motivation i surely could dive into
kernel sources and look around, and maybe even get it (done).
But i have so much to do with what other people would call
livestock but i call friends, for example, so it seems i am too
old and hackneyed to get that job done.

  ...
 |I get the lack of motivation for DHCP inside of network namespaces.

yeah.

 |Especially when the IP address(es) used in the network namespace can be 
 |derived from the name of the network namespace.

Yes, this is all ssh/scp communication, and that the script
handles SSH came with that veth/bridge rewrite, before everything
simply had to be typed.  And so i need a name or a fixed IP in
.ssh/known_hosts.  Here i have both now, without much straining.

  ...
 |>    #?0|kent:src$ pla|grep dhcpc
 |>    dhcpcd     509     1 S     0.0  1748 dhcpcd /sbin/dhcpcd -h kent \

[5x]..

 |Why do you have as many things running dhcpcd against the same interface?

It has to be said that Linux should really offer some kind of
setproctitle(2), more and more BSD programs use it to give sense
to ps(1) output of privilege-separated programs, and the
compatibility code using PR_SET_MM_MAP of prctl(2) after reading
and parsing /proc/self/stat is, well, immense effort.

  ...
 |> It is terrible.  Nothing HOWTO like, not "help the people to help 
 |> themselves", but everybody who understood a topic by himself is quick 
 |> in fooling others.  This makes the FreeBSD handbook and the BSDs and 
 |> their manual portfolio in general outstanding.
 |
 |Ya.  I think that a lot of documentation for things that are post TLDP's 
 |heyday are lacking considerably.
 |
 |I've had to dig through a lot of texts, scripts, watch a lot of videos, 
 |read man pages, and do lots of experimentation with network namespaces 
 |to get to where I am now.  I'm always happy to share what I know.

 ...
 |So it /really/ looks to me like you /do/ have a bridge /inside/ of the 
 |network namespace and that you /are/ using it as part of your 
 |communications path.

  ...
 |> There is only one network namespace here.  One for all VMs.
 |
 |Ah.  I had thought there were multiple network namespaces.  One per VM / 
 |emulator.

No.  No, that is really overkill, i am not a student with bad body
hygiene having fun with software or something.  It is annoying
enough that you ever and always again settle on a "that is a good
status quo" just to find out the next day that doing it all anew
would possibly improve the situation.  No.

 |> You cannot create bridge devices on wireless interfaces, unless you 
 |> have a driver which does support that, or, i guess, you create your 
 |> own host access point, i dimly recall this could be a solution too.
 |
 |I don't know if the driver that balks at multiple MACs will support 
 |being an access point.

That HostAP software or how it is named, doesn't it deal with this
the right way?  I seem to have read this is possible.
Never tried this.

 |Though I do wonder if it would be possible to leverage EBTables to play 
 |with MAC addresses to sooth the Wi-Fi NIC's heartburn at multiple MACs. 
 |}:-)

Imho "bridge" should do this by itself automatically.

  ...
 |> Yes.  That [cgroups] i have to do some time.
 |
 |I'll look into cgroups some day.  I've not had a need to do so yet.

Well you could look into software like "containers", you could
read

  If cgroup support, the memory controller and the pids controller
  are compiled into the kernel, a mounted cgroup2 filesystem can
  be used to apply memory and process-count limits to a container
  as it is started. For example, the shell script

    #!/bin/sh -e
    # enable the memory and pids controllers for children of the root group
    echo +memory +pids >/sys/fs/cgroup/cgroup.subtree_control
    mkdir /sys/fs/cgroup/mycontainer
    # cgroup v2 has no "tasks" file; processes are moved via cgroup.procs
    echo $$ >/sys/fs/cgroup/mycontainer/cgroup.procs
    echo 2G >/sys/fs/cgroup/mycontainer/memory.high
    echo 3G >/sys/fs/cgroup/mycontainer/memory.max
    echo 2G >/sys/fs/cgroup/mycontainer/memory.swap.max
    echo 256 >/sys/fs/cgroup/mycontainer/pids.max
    exec contain [...]

  ...
  See linux/kernel/Documentation/cgroup-v2.txt for detailed info
  on the available controllers and configuration parameters.

But most of it can be done with unshare and nsenter.
For example the super minimal ulinux project (a bit stale) has
a box script which does, among other things

  # shellcheck disable=SC2086
  unshare \
    --ipc \
    --uts \
    --pid \
    --user \
    --fork \
    --mount \
    --mount-proc \
    --map-root-user \
    /usr/sbin/chroot "$tmpc/root" \
      /usr/bin/env -i $BOX_ENV /bin/sh -c "source /init; $*"

It could do nice things like

  setup_tmpc() {
    mkdir -p "$tmpc/root" "$tmpc/storage" "$tmpc/work"
    # overlay the writable $tmpc/storage on top of the host root (read-only lower)
    mount -t overlay \
      -o "upperdir=$tmpc/storage,lowerdir=/,workdir=$tmpc/work" \
      overlayfs "$tmpc/root"
  }

I am really interested, but am too lazy to convert the scripts so
that this "distribution" (almost kernel-only) can be built without
docker etc.

 |> Unfortunately true.  The complexity of cgroups and the Linux kernel 
 |> as such is however very, very much intensed compared to a FreeBSD 
 |> jail.  At least once jails appeared it often was nothing more than a 
 |> "if(process->jailed)" at the beginning of some kernel functions.
 |
 |*nod*
 |
 |I think that Linux still has some things to learn from BSD jails and 
 |Solaris zones.

I personally am always astonished when i have contact with Plan9.
I cannot really use it, i am too used to BSD/Linux, and some
things drive me insane (network configuration etc. is so
spread out).  But i am subscribed to the MLs ever since i have been
pointed to Plan9 and always wonder when problem solutions happen
to happen, how it is done.

--steffen
|
|Der Kragenbaer,                The moon bear,
|der holt sich munter           he cheerfully and one by one
|einen nach dem anderen runter  wa.ks himself off
|(By Robert Gernhardt)
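As an added example (not code from the mail above, nor from the contain or ulinux projects it quotes), the following script joins the two quoted pieces into one: it checks that the cgroup v2 memory and pids controllers are actually present before enabling them, writes the limits, moves the shell into the group via cgroup.procs (cgroup v2 has no "tasks" file), and then starts the command under unshare(1) with the same namespace flags as the box script. The function names, the CG_ROOT override and the sample limits (2G/3G/2G/256) are assumptions made here; the "run" mode needs a real cgroup2 mount and enough privilege to write to it (root, or a subtree delegated to you), while the limit-writing helpers can be pointed at a scratch directory for a dry run.

```shell
#!/bin/sh
# Added example: cgroup v2 memory/pid limits plus unshare(1) namespaces.
# CG_ROOT is overridable so the limit-writing helpers can be exercised
# against a scratch directory without root (assumption: caller sets it).
set -eu

CG_ROOT="${CG_ROOT:-/sys/fs/cgroup}"

# Fail unless every named controller is listed in CG_ROOT/cgroup.controllers.
# A cgroup v1 mount has no such file, so this also rejects v1 by accident.
cg_require_controllers() {
  ctrls="$CG_ROOT/cgroup.controllers"
  [ -r "$ctrls" ] || { echo "no cgroup v2 at $CG_ROOT" >&2; return 1; }
  for c in "$@"; do
    case " $(cat "$ctrls") " in
      *" $c "*) ;;
      *) echo "controller '$c' not available" >&2; return 1 ;;
    esac
  done
}

# Create CG_ROOT/<name>, enable memory+pids for children of CG_ROOT, and
# write the limits.  Values use the kernel's own syntax (e.g. 2G, max).
# Prints the path of the new group.
cg_create_limited() {
  name=$1 mem_high=$2 mem_max=$3 swap_max=$4 pids_max=$5
  dir="$CG_ROOT/$name"
  printf '%s\n' "+memory +pids" >"$CG_ROOT/cgroup.subtree_control"
  mkdir -p "$dir"
  printf '%s\n' "$mem_high" >"$dir/memory.high"
  printf '%s\n' "$mem_max"  >"$dir/memory.max"
  printf '%s\n' "$swap_max" >"$dir/memory.swap.max"
  printf '%s\n' "$pids_max" >"$dir/pids.max"
  printf '%s\n' "$dir"
}

# Read back one limit file so a caller can verify what was accepted.
cg_get() { cat "$CG_ROOT/$1/$2"; }

# Move this shell into the group (cgroup v2 uses cgroup.procs), then replace
# it with the command in fresh ipc/uts/pid/user/mount namespaces.  The child
# inherits the cgroup, so the limits cap the whole process tree it spawns.
run_contained() {
  name=$1; shift
  printf '%s\n' "$$" >"$CG_ROOT/$name/cgroup.procs"
  exec unshare --ipc --uts --pid --user --fork --mount --mount-proc \
       --map-root-user -- "$@"
}

# Usage (needs a writable cgroup2 mount):  ./box.sh run /bin/sh
if [ "${1:-}" = "run" ]; then
  shift
  cg_require_controllers memory pids
  cg_create_limited mycontainer 2G 3G 2G 256 >/dev/null
  run_contained mycontainer "$@"
fi
```

Enabling the controllers in the parent's cgroup.subtree_control before the child group is populated matters: cgroup v2 refuses to enable controllers on a group that already holds processes (the "no internal processes" rule), which is one of the silent failures that makes the one-liner version hard to debug.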


More information about the COFF mailing list