Creating a new namespace is done with the ip netns command, e.g.
ip netns add newnamespace
In order to let the namespace talk to the rest of the network it needs a veth endpoint inside the namespace. This basically creates a virtual “point to point” connection, and you can place one end inside the namespace and leave the other in the “root” namespace. Let’s call the two network points space-root and space-ns.
ip link add space-root type veth peer name space-ns
ip link set space-ns netns newnamespace
Now each interface needs an IP address. Let’s use the 192.168.200.0/24 network. And while we’re at it we can add a loopback and a default route inside the container.
ip addr add 192.168.200.1/24 dev space-root
ip link set space-root up
ip netns exec newnamespace ip addr add 192.168.200.2/24 dev space-ns
ip netns exec newnamespace ip link set space-ns up
ip netns exec newnamespace ip link set lo up
ip netns exec newnamespace ip route add default via 192.168.200.1
This will let the namespace talk to the parent. For it to see the rest of the network (or the internet) we need routes or NAT. In my use case (https://www.sweharris.org/post/2023-04-29-netns-ip4only/) I only needed outgoing connections, so I used NAT, which I was able to set up with iptables:
echo 1 > /proc/sys/net/ipv4/ip_forward
# Enable masquerading of 192.168.200.0
iptables -t nat -A POSTROUTING -s 192.168.200.0/255.255.255.0 -o eth0 -j MASQUERADE
# Allow forwarding between eth0 and space-root
iptables -A FORWARD -i eth0 -o space-root -j ACCEPT
iptables -A FORWARD -o eth0 -i space-root -j ACCEPT
You can enter the namespace with ip netns exec, e.g.
$ sudo ip netns exec newnamespace ping -c 1 www.google.com
PING www.google.com (142.251.40.132) 56(84) bytes of data.
64 bytes from lga25s80-in-f4.1e100.net (142.251.40.132): icmp_seq=1 ttl=117 time=4.47 ms
--- www.google.com ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 4.474/4.474/4.474/0.000 ms
Note this runs as root ('cos of the sudo), so you need to be aware of this and perhaps drop privileges once inside the namespace, or create a wrapper program that carries the cap_sys_admin capability.
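The whole procedure above (namespace, veth pair, addresses, default route, forwarding and NAT) and the "drop privileges once inside" step, collected into one script. This is an added example, not code from the original post. It keeps the post's names and addresses (newnamespace, space-root/space-ns, 192.168.200.0/24, eth0) only as overridable defaults, uses sysctl in place of the echo into /proc, and makes two choices of its own: the inbound FORWARD rule is narrowed to conntrack RELATED,ESTABLISHED replies (tighter than the post's ACCEPT-everything rule, so nothing on eth0 can open a connection into the namespace), and the unprivileged step uses runuser from util-linux. DRY_RUN=1 prints the commands instead of running them, so the plan can be reviewed without root.

```shell
#!/bin/sh
# Added example, not code from the original post. Builds (and tears down)
# the namespace, veth pair, addresses, default route and NAT rules from the
# post as one script, and runs a command inside the namespace as an
# unprivileged user. Names and addresses are the post's, as defaults only.
NS="${NS:-newnamespace}"
VETH_ROOT="${VETH_ROOT:-space-root}"
VETH_NS="${VETH_NS:-space-ns}"
ROOT_IP="${ROOT_IP:-192.168.200.1}"
NS_IP="${NS_IP:-192.168.200.2}"
PREFIX="${PREFIX:-24}"
WAN_IF="${WAN_IF:-eth0}"
# DRY_RUN=1 prints the plan instead of executing it, so it can be reviewed
# (and tested) without root and without touching the host.
DRY_RUN="${DRY_RUN:-0}"

run() {
  if [ "$DRY_RUN" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# valid_ipv4 ADDR: succeed only for four dotted decimal octets in 0-255,
# so a typo cannot turn into a MASQUERADE rule for the wrong network.
valid_ipv4() {
  printf '%s\n' "$1" | awk -F. 'NF != 4 { exit 1 }
    { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }'
}

# subnet_of ADDR: the /24 network ADDR belongs to (the post only uses a /24).
subnet_of() {
  printf '%s\n' "$1" | awk -F. '{ printf "%s.%s.%s.0/24\n", $1, $2, $3 }'
}

setup_netns() {
  valid_ipv4 "$ROOT_IP" || { echo "bad ROOT_IP: $ROOT_IP" >&2; return 1; }
  valid_ipv4 "$NS_IP"   || { echo "bad NS_IP: $NS_IP" >&2; return 1; }
  [ "$PREFIX" = 24 ]    || { echo "only /24 is handled here" >&2; return 1; }
  subnet=$(subnet_of "$ROOT_IP")
  # 1. the namespace and the veth pair, one end moved inside
  run ip netns add "$NS"
  run ip link add "$VETH_ROOT" type veth peer name "$VETH_NS"
  run ip link set "$VETH_NS" netns "$NS"
  # 2. addresses on both ends, loopback and default route inside
  run ip addr add "$ROOT_IP/$PREFIX" dev "$VETH_ROOT"
  run ip link set "$VETH_ROOT" up
  run ip netns exec "$NS" ip addr add "$NS_IP/$PREFIX" dev "$VETH_NS"
  run ip netns exec "$NS" ip link set "$VETH_NS" up
  run ip netns exec "$NS" ip link set lo up
  run ip netns exec "$NS" ip route add default via "$ROOT_IP"
  # 3. forwarding plus NAT, scoped to this subnet and this one outbound
  #    interface. sysctl stands in for the post's echo into /proc. The
  #    inbound FORWARD rule only admits replies (conntrack), which is
  #    tighter than the post's rule: nothing on the WAN side can open a
  #    connection into the namespace.
  run sysctl -w net.ipv4.ip_forward=1
  run iptables -t nat -A POSTROUTING -s "$subnet" -o "$WAN_IF" -j MASQUERADE
  run iptables -A FORWARD -i "$VETH_ROOT" -o "$WAN_IF" -j ACCEPT
  run iptables -A FORWARD -i "$WAN_IF" -o "$VETH_ROOT" \
      -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
}

teardown_netns() {
  subnet=$(subnet_of "$ROOT_IP")
  run iptables -D FORWARD -i "$WAN_IF" -o "$VETH_ROOT" \
      -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
  run iptables -D FORWARD -i "$VETH_ROOT" -o "$WAN_IF" -j ACCEPT
  run iptables -t nat -D POSTROUTING -s "$subnet" -o "$WAN_IF" -j MASQUERADE
  # deleting the namespace removes space-ns, and a veth peer dies with it
  run ip netns del "$NS"
}

# run_in_ns USER CMD...: entering the namespace needs root, but the command
# itself does not, so drop to USER (runuser, util-linux) once inside.
run_in_ns() {
  if [ $# -lt 2 ]; then
    echo "usage: run_in_ns USER CMD..." >&2
    return 2
  fi
  user="$1"; shift
  run ip netns exec "$NS" runuser -u "$user" -- "$@"
}

case "${1:-}" in
  up)   setup_netns ;;
  down) teardown_netns ;;
  exec) shift; run_in_ns "$@" ;;
esac
```

Usage is sudo ./netns.sh up, then sudo ./netns.sh exec someuser ping -c 1 www.google.com, and sudo ./netns.sh down to undo it; DRY_RUN=1 ./netns.sh up shows the 13 commands that would run. The teardown deletes the iptables rules before the namespace so a failed delete never leaves a MASQUERADE rule behind for a network that no longer exists.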