On Thu, 19 Dec 2013, Tim Watts wrote:

> With respect to the suggestion of "proxy all network connections to the
> server" - I'm not sure if I fully understand this.
>
> Not having actually worked with containers is probably limiting my
> understanding, so I must apologise if the following seems stupid...
>
> If it makes the container behave like it's on a VPN where *all* traffic
> is routed to the server, then this may not actually match my particular
> usage - and quite possibly other folk.

Yes. Network containers on Linux are basically an extension of chroot -
instead of having / be a different filesystem, you have sockets in a
different network namespace.

> An example:
>
> This is my work ssh tunnel
>
> ssh -X -L10023:guardian:22 -L10001:vmcentre1:3389 -L10002:vcenter:3389
> -L10003:vclient1:3389 -L10010:vmbackup:3389 -L10011:vmmon:3389
> -L15432:db-admin:5432 -D10000 [email protected]
>
> There, I have several MS RemoteDesktop tunnels (the 3389 ports), a
> postgresql tunnel, one ssh tunnel to a firewalled machine and of course
> X-forwarding.
>
> There's also a general SOCKS5 proxy which I use in conjunction with a
> selective proxy switcher in Chrome and Firefox (FoxyProxy and similar)
> to access certain firewalled webservers.
>
> What I'm trying to work out is how straightforward it would be to have
> some programs running inside the tunnelled container (MySQL Workbench,
> PgAdmin, rdesktop) whilst keeping most of my session outside of the
> container - reason being I don't actually want *all* my traffic routed
> via the server. If I did, I'd use work's VPN, but selective control with
> SSH tunnels seems to fit better.

It's just like chroot, so you could run pgadmin/mysqlworkbench/etc.
inside the container by running them from a shell inside the container.
This is harder with web browsers, since they like to have a single set
of processes per user.

> So I guess I'd have to ask: How hard would it be to actually have two
> utilities:
>
> 1) One to offer a network proxied container - which does sound interesting;
>
> 2) Another which offered the more traditional "whole namespace
> visibility" of 'ssh -L' and hopefully could be easily ported to other OSes?
>
> Do you think it may be possible to share a common "slosh" transport
> protocol and a common library to handle both utilities, at least at the
> lower levels?

I haven't spoken to Keith about these ideas, but yes, I would hope that
slosh would support both modes of operation - and the latter would
probably be much more portable to other operating systems. Hopefully
there will also be a way to launch slosh and mosh together (maybe even
sharing the same UDP port?) so the ssh-like use case can be supported.

--Quentin

> Just some random thoughts -
>
> Kind regards,
>
> Tim
>
> --
> Tim Watts                       Tel (VOIP): +44 (0)1580 848360
> Systems Manager                 Digital Humanities, King's College London
>
> Systems Messages and Notifications: https://systemsblog.cch.kcl.ac.uk/
> Personal Blog: http://squiddy.blog.dionic.net/
>
> http://www.sensorly.com/ Crowd mapping of 2G/3G/4G mobile signal coverage
> _______________________________________________
> mosh-devel mailing list
> [email protected]
> http://mailman.mit.edu/mailman/listinfo/mosh-devel
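The "tunnelled container" Tim asks about and Quentin describes (a few programs inside a network namespace, the rest of the session outside), as an added example that is not part of the original thread or of mosh/slosh: a POSIX shell script that builds the namespace, lets it reach only the ssh -L/-D listeners bound on the host end of its link, and starts programs inside it. The namespace and interface names, the 10.200.0.0/30 addresses and the user@host placeholder are my assumptions.

```bash
#!/bin/sh
# Constructed example, not code from the mosh-devel thread: a "tunnelled container"
# built from a Linux network namespace. Programs started with netns_run see only a
# veth link to the host; the host accepts just the ssh -L/-D listeners on that link
# and forwards nothing, so those programs reach db-admin, guardian etc. only via the
# tunnels while the rest of the session stays outside. Interface names and the
# 10.200.0.0/30 addresses are assumed. Applying needs root; DRY_RUN=1 prints instead.
set -eu
NS=${NS:-worknet}; HOST_IF=${HOST_IF:-vwork0}; NS_IF=${NS_IF:-vwork1}
HOST_ADDR=${HOST_ADDR:-10.200.0.1}; NS_ADDR=${NS_ADDR:-10.200.0.2}
TUNNEL_PORTS=${TUNNEL_PORTS:-"10023 10001 10002 10003 10010 10011 15432 10000"}
SSH_TARGET=${SSH_TARGET:-user@work-gateway.example}   # placeholder for the real login
DRY_RUN=${DRY_RUN:-0}

run() { if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }
in_ns() { run ip netns exec "$NS" "$@"; }

# Namespace plus veth link. The namespace gets only the /30 towards the host and
# no default route, so there is nothing for an application to leak through.
netns_up() {
  run ip netns add "$NS"
  run ip link add "$HOST_IF" type veth peer name "$NS_IF"
  run ip link set "$NS_IF" netns "$NS"
  run ip addr add "$HOST_ADDR/30" dev "$HOST_IF"
  run ip link set "$HOST_IF" up
  in_ns ip addr add "$NS_ADDR/30" dev "$NS_IF"
  in_ns ip link set "$NS_IF" up
  in_ns ip link set lo up
  # Host policy for the link: accept the tunnel listeners, drop everything else
  # that arrives from the namespace, and never forward it anywhere.
  for p in $TUNNEL_PORTS; do
    run iptables -A INPUT -i "$HOST_IF" -p tcp --dport "$p" -j ACCEPT
  done
  run iptables -A INPUT -i "$HOST_IF" -j DROP
  run iptables -A FORWARD -i "$HOST_IF" -j DROP
}

# Tim's ssh command with every listener bound on the host end of the link rather
# than 127.0.0.1, which inside the namespace is a different loopback.
tunnel_cmd() {
  b=$HOST_ADDR
  printf '%s\n' "ssh -X -L $b:10023:guardian:22 -L $b:10001:vmcentre1:3389 \
-L $b:10002:vcenter:3389 -L $b:10003:vclient1:3389 -L $b:10010:vmbackup:3389 \
-L $b:10011:vmmon:3389 -L $b:15432:db-admin:5432 -D $b:10000 $SSH_TARGET"
}

# Start a program inside the namespace as the invoking user (-E keeps DISPLAY and
# XAUTHORITY). X11 works over the filesystem socket in /tmp/.X11-unix; abstract
# unix sockets do not cross over, since they belong to the network namespace.
netns_run() { in_ns sudo -E -u "${SUDO_USER:-${USER:-root}}" "$@"; }
case "${1:-}" in up) netns_up;; tunnel) tunnel_cmd;; run) shift; netns_run "$@";; esac
```

With the script saved under an assumed name such as tunnelled-netns.sh: `sudo sh tunnelled-netns.sh up` once, `$(sh tunnelled-netns.sh tunnel)` in the normal session to open the tunnels, and `sudo sh tunnelled-netns.sh run pgadmin3` for each program that should live inside. `DRY_RUN=1` prints every command for review before anything is applied.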
