Are the various snap cores shared amongst snaps?

Hi @oogra,

Thanks for responding.

Sounds like there’s isolation through Linux namespaces for individual snaps? Do you know if that includes an isolated network namespace per snap?

The wiki section on network namespaces sums up the interfaces/resources I’m looking to create/isolate. Ideally, defined in the build process of core and created by systemd (or other init sys).

Network namespace

Each namespace will have a private set of IP addresses, its own routing table, socket listing, connection tracking table, firewall, and other network-related resources.


My first thought was to overlay the /etc network configs used by netplan/systemd/NetworkManager onto core as a precursor to building my app, thus giving the application's build & runtime the guarantee of these virtualized networks' existence.

As an example, imagine overlaying the core20 squashfs with

```yaml
# /etc/netplan/00-snapnet.yaml

network:
    version: 2
    renderer: networkd
    ethernets:
        enp3s0:
            addresses:
                - 10.10.0.0/8
            gateway4: 10.10.0.1
```

And

```
# /etc/hosts
10.10.*.*       *.my-snap.internal
10.10.0.1       indexer.my-snap.internal
```

Then proceeding to have snap build, mount squashfs & systemd init. After which the application's build process would start in its own isolated snap environment with access to these resources/interfaces.

If squashfs would still be shared though, this would likely not be possible? (or secure).
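
One way to check the question in the post above empirically, as an added example that is not part of the original post: the kernel exposes each process's namespaces as symlinks under `/proc/<pid>/ns`, and two processes share a namespace exactly when the inode numbers in those links match. The function names and the sample inode values are constructed for illustration and were not measured from a snap.

```python
import os
import re
import sys

# Link targets under /proc/<pid>/ns look like "net:[4026531992]".
NS_LINK = re.compile(r"^(?P<kind>[a-z_]+):\[(?P<inode>\d+)\]$")

def parse_ns_link(target):
    """Parse a namespace symlink target into (kind, inode)."""
    m = NS_LINK.match(target)
    if not m:
        raise ValueError(f"not a namespace link: {target!r}")
    return m["kind"], int(m["inode"])

def read_namespaces(pid):
    """Return {entry name: inode} for a live process; unreadable entries are skipped."""
    ns_dir = f"/proc/{pid}/ns"
    result = {}
    for name in os.listdir(ns_dir):
        try:
            _, inode = parse_ns_link(os.readlink(os.path.join(ns_dir, name)))
        except (OSError, ValueError):
            continue  # no permission, or an entry that is not a namespace link
        result[name] = inode
    return result

def compare(a, b):
    """Split the namespace kinds both processes expose into (shared, isolated)."""
    common = a.keys() & b.keys()
    shared = sorted(k for k in common if a[k] == b[k])
    isolated = sorted(k for k in common if a[k] != b[k])
    return shared, isolated

# Constructed sample: two processes that differ only in their mount namespace.
SAMPLE_A = {"mnt": 4026531840, "net": 4026531992, "pid": 4026531836}
SAMPLE_B = {"mnt": 4026532501, "net": 4026531992, "pid": 4026531836}

if __name__ == "__main__":
    if len(sys.argv) == 3:  # usage: script.py <pid-a> <pid-b>
        a, b = read_namespaces(sys.argv[1]), read_namespaces(sys.argv[2])
    else:
        a, b = SAMPLE_A, SAMPLE_B
    shared, isolated = compare(a, b)
    print("shared:  ", ", ".join(shared))
    print("isolated:", ", ".join(isolated))
```

Run it with the PID of a shell on the host and the PID of a process started by the snap; if `net` appears under "shared", the two processes see the same interfaces, routing table and firewall state.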