
Kernel network namespaces explained - eloycoto
http://blogs.igalia.com/dpino/2016/04/10/network-namespaces/
======
dingaling
Network namespaces are excellent for containing promiscuous services such as
NFS that bind to all interfaces by default.

Stick them in a netns with only a site-local address and that attack surface
reduces massively. Much easier and more performant than trying to close the
open doors with iptables.

~~~
code_research
do you have an ansible playbook for doing that at hand?

~~~
feld
I know I'm going to get backlash for this, but whatever

<rant>

The article and the docs make it pretty clear that this can be accomplished
with a couple shell commands. I don't understand why everyone begs for
handouts these days. We now have an entire generation of "sysadmins" who
refuse to read documentation and can't produce original work. This is not
complicated. You do not need a Master's to figure this out.

</rant>

That said, I'm quite certain that Ansible does not support IP namespaces
natively, so you'll have to manage this with custom "command:" statements.
This means these will fire every time you run the Ansible playbook and they
will be listed as an item that changed because Ansible does not internally
know how to validate whether or not it needs to take action.

tl;dr read the docs, write a shell script, and/or figure out the most sane way
to do this with ansible/salt/puppet/chef/cfengine/whatever because it's 2016
and I'm tired of people begging for someone else to do their work for them.
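
The isolation dingaling describes and the idempotency gap feld raises, as an added shell example that is not from the article or from either commenter: a namespace that gets only a site-local address, with a presence check before each step so a "command:" task can skip it; the address check also accepts IPv6 ULA prefixes, going a little beyond the comments. The namespace name, veth names and the 192.168.250.0/30 addresses are constructed placeholders, and the setup and run paths need root on Linux with iproute2.

```shell
#!/bin/sh
# Constructed example: put a service in a network namespace that has only a
# site-local address, with each step checked first so a config-management
# "command:" task can skip it instead of re-firing on every run.
set -eu

NS="${NS:-nfs}"                      # namespace name (placeholder)
HOST_IF="veth-${NS}-h"               # veth end that stays in the root namespace
NS_IF="veth-${NS}-n"                 # veth end moved into the namespace
HOST_ADDR="${HOST_ADDR:-192.168.250.1/30}"   # RFC 1918 /30 shared by both ends
NS_ADDR="${NS_ADDR:-192.168.250.2/30}"       # (constructed addresses)

# Return 0 when ADDR (a.b.c.d/len or v6/len) is site-local: RFC 1918 for IPv4,
# ULA fc00::/7 for IPv6 (lower-case, first group written out in full).
is_site_local() {
    addr=${1%%/*}
    case "$addr" in
        10.*|192.168.*) return 0 ;;
        172.*)
            second=${addr#172.}; second=${second%%.*}
            [ "$second" -ge 16 ] && [ "$second" -le 31 ] && return 0 ;;
        f[cd]??:*) return 0 ;;
    esac
    return 1
}

# The presence check a plain "command:" task lacks: is the namespace already there?
netns_exists() { ip netns list 2>/dev/null | awk '{print $1}' | grep -qx "$1"; }
setup_netns() {
    is_site_local "$NS_ADDR" || { echo "refusing non-site-local $NS_ADDR" >&2; return 1; }
    if netns_exists "$NS"; then echo "netns $NS already present, nothing to do"; return 0; fi
    ip netns add "$NS"
    ip link add "$HOST_IF" type veth peer name "$NS_IF"
    ip link set "$NS_IF" netns "$NS"
    ip addr add "$HOST_ADDR" dev "$HOST_IF"
    ip link set "$HOST_IF" up
    ip netns exec "$NS" ip addr add "$NS_ADDR" dev "$NS_IF"
    ip netns exec "$NS" ip link set "$NS_IF" up
    ip netns exec "$NS" ip link set lo up
    # Deliberately no default route: the service can reach only the /30 peer.
}

# Start the service inside the namespace, e.g.: run_in_netns rpc.nfsd 8
run_in_netns() { ip netns exec "$NS" "$@"; }
case "${1:-}" in
    setup) setup_netns ;;
    run) shift; run_in_netns "$@" ;;
esac
```

Running the script a second time with `setup` reports the namespace as already present and changes nothing, which is the check a playbook task would wrap in `creates:`-style logic.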

~~~
SEJeff
Aka get off my lawn or:
[http://i.imgur.com/91sn32Q.jpg](http://i.imgur.com/91sn32Q.jpg)

------
squeed
There is an excellent tutorial from LWN about network namespaces also:
[https://lwn.net/Articles/580893/](https://lwn.net/Articles/580893/)

SubgraphOS uses network namespaces to isolate individual processes (and route
all connections over Tor). As a proof-of-concept, I wrote a small binary that
wraps arbitrary binaries in customized namespaces and forwards all traffic
over tor instead of masquerading:
[https://github.com/squeed/torbox](https://github.com/squeed/torbox)

Right now, the torsocks command captures all network syscalls via a LD_PRELOAD
shim. My goal was to avoid that sort of hackery.

------
nhaehnle
Nice explanation - I just wish that people started to include IPv6 setup by
default in their examples.

~~~
code_research
IPv6 is a new thing, isn't it?

~~~
DanielDent
RFC 1883 (IPv6) was written in 1995.

I have services where >30% of my users access the service over IPv6.

------
feiss
Interesting topic very well explained