Arkose - Desktop Application Sandboxing

Comment 1 for bug 807315

St├ęphane Graber (stgraber) wrote :

Hi!

You can do that using the "filtered" networking mode implemented in version 1.2.1.
It's unfortunately not exposed in the "arkose" command line tool yet but available from the python interface and from the wrapper.

Here's an example:

stgraber@castiana:~$ sudo python
Python 2.7.2+ (default, Jun 29 2011, 07:35:20)
[GCC 4.6.1] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> from arkose import ArkoseContainer
>>> container=ArkoseContainer(network="filtered")
>>> container.run_command("ifconfig")
eth0 Link encap:Ethernet HWaddr 52:3d:20:17:5b:09
          inet addr:169.254.1.2 Bcast:169.255.255.255 Mask:255.0.0.0
          inet6 addr: fe80::503d:20ff:fe17:5b09/64 Scope:Link
          UP BROADCAST MULTICAST MTU:1500 Metric:1
          RX packets:1 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:90 (90.0 B) TX bytes:168 (168.0 B)

lo Link encap:Local Loopback
          inet addr:127.0.0.1 Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING MTU:16436 Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)

>>> container.cleanup()
>>>

So as you can see my container has an eth0 that uses a private link-local ipv4 address (in the 169.254.0.0/16 subnet).
The current implementation is to have a point-to-point network between each container using the filtered mode and the "host".
Each of them are private ipv4 /30 subnets. Arkose automatically configures ipv4 forwarding on your system so that the container has internet access.

As it's currently, containers can talk to each other using their private IPs as the "host" will route them.