
Re: Port forwarding for Guix containers


From: Edouard Klein
Subject: Re: Port forwarding for Guix containers
Date: Sat, 21 Nov 2020 21:20:17 +0100
User-agent: mu4e 1.4.4; emacs 27.1

zimoun writes:

> Hi,
>
> On Fri, 20 Nov 2020 at 19:26, Christopher Baines <mail@cbaines.net> wrote:
>> Zhu Zihao <all_but_last@163.com> writes:
>>
>>> I found guix container "created by `guix environment --container` or
>>> `guix system container`" is very useful to isolate some service. But
>>> it only supports fully isolated network namespace or just share with
>>> host, it's not so safe IMO.
>>
>> I'll assume that a fully isolated network namespace is safer in whatever
>> way you're referring to than a shared network namespace. However, for a
>> shared network namespace, what threats is that not safe in respect to?
>>
>> In the shared network namespace scenario, you are free to use a
>> firewall, which could help protect against threats coming from other
>> machines, for example by creating a list of IP addresses which are
>> allowed to connect, and dropping any other traffic.
>
> I do not know about the initial motivation and I do not know either if
> it makes sense in the context of “guix environment”.  One point is that
> Docker [1] provides a way to specify the firewall rules.  Well, somehow,
> something similar as ’--share’ but for network.
>
>
> 1: <https://docs.docker.com/config/containers/container-networking/>
>

My .02€:

I am in the camp of letting the container do the job with an operating
system declaration, and keeping guix simple. That way, one can choose
e.g. nginx to do the proxying, or an actual firewall, etc. The right
tool for the right job.

Sure it's not as easy as docker's -p option, but it's more secure and
cleaner.
> All the best,
> simon
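The approach the two replies describe, an allowlist firewall and a proxy declared in the container's own operating system, written out as an added example (not code from the thread or from Guix itself). It assumes the current `nftables-service-type` and `nginx-service-type` from `(gnu services networking)` and `(gnu services web)`, the `targets` form of `bootloader-configuration`, and constructed placeholder addresses from 192.0.2.0/24.

```scheme
;; Added example: an operating-system for `guix system container` that runs
;; nginx and only lets the listed addresses reach TCP port 80.  The addresses
;; are constructed placeholders (TEST-NET-1), not real hosts.
(use-modules (gnu))
(use-service-modules networking web)

(define %allowlist-ruleset
  (plain-file "nftables.conf"
   "table inet filter {
  set allowed {
    type ipv4_addr
    elements = { 192.0.2.10, 192.0.2.11 }
  }
  chain input {
    type filter hook input priority 0; policy drop;
    ct state established,related accept
    iif lo accept
    ip saddr @allowed tcp dport 80 accept
  }
  chain forward { type filter hook forward priority 0; policy drop; }
  chain output  { type filter hook output priority 0; policy accept; }
}"))

(operating-system
  (host-name "web-container")
  (timezone "Etc/UTC")
  (locale "en_US.utf8")
  ;; The record type requires these fields; they are unused for a container.
  (bootloader (bootloader-configuration
                (bootloader grub-bootloader)
                (targets '("/dev/null"))))
  (file-systems (cons (file-system
                        (device "none")
                        (mount-point "/")
                        (type "tmpfs"))
                      %base-file-systems))
  (services
   (cons* (service nginx-service-type)          ; the proxy, default config
          (service nftables-service-type       ; the allowlist firewall
                   (nftables-configuration (ruleset %allowlist-ruleset)))
          %base-services)))
```

Build it with `guix system container config.scm`; note that when the container shares the host's network namespace, this ruleset is loaded into the host's netfilter, so it filters the host's traffic too.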
