    Does anyone know of a way to do network isolation on macOS?

      Does anyone know of a good, accessible primer on Linux namespaces? I’ve been using Docker for years, and I have a conceptual understanding of what namespaces do, but I have no idea what the primitives are or how they work. In particular, this post thoroughly confused me as it seemed to be alternating back and forth between processes and threads as the operand of namespaces. I’m also confused about the “if we have a process, we can just create the namespace in /proc/self, but we don’t have one, so we create it in /var/run/… and then bind mount it into /proc/self” (I don’t see why we need to bind mount instead of writing directly to /proc/self/…).

        Hi! Sorry for a slow reply; I was in transit. And sorry also to have caused you more confusion. Two key points:

        1. Every process can only have one namespace associated with it, for each kind of namespace (network, process, mount). These are always presented as files under /proc/self/ns.
        2. I only touched on this briefly in the article, but for Linux, threads are only a special kind of process (commonly we’d say they are “lightweight processes”).

        For reading about namespaces, the single best place to start is namespaces(7). It explains what /proc/self is all about and also explains why the bind mounting matters.

        For reading about threads versus processes, I found Eli Bendersky’s article to be a good overview.

        Do let me know if those notes are a help – and thanks for the feedback! I’m not yet sure how to help clarify things in my own article, but hopefully this is a start.
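The two points in the reply above (one namespace of each kind per task, visible under /proc; threads being tasks in their own right; and a bind mount being what keeps a namespace alive once no task is in it) can be checked directly. The following C program is an added example, not code from the article or from either commenter. It spawns a worker thread, reads the thread's and the leader's `net` namespace identity from /proc, has the worker call unshare(CLONE_NEWNET), and, when that succeeds, pins the new namespace with a bind mount the way `ip netns add` does. The pin path `/tmp/ns-demo-net` is a constructed name for the demo. It is Linux-only, and the unshare/bind-mount steps need CAP_SYS_ADMIN; without it the program still runs and reports EPERM.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <pthread.h>
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <sys/mount.h>
#include <sys/syscall.h>
#include <unistd.h>

#ifndef CLONE_NEWNET
#define CLONE_NEWNET 0x40000000   /* from <linux/sched.h>; fallback only */
#endif
#define PIN_PATH "/tmp/ns-demo-net"   /* constructed path for this demo */

/* readlink() into a NUL-terminated buffer; empty string and -1 on failure. */
static int read_link(const char *path, char *out, size_t outlen)
{
    ssize_t n = readlink(path, out, outlen - 1);
    if (n < 0) { out[0] = '\0'; return -1; }
    out[n] = '\0';
    return 0;
}

/* Namespace identity of one task as the kernel reports it, e.g.
 * "net:[4026531840]" (the number is the namespace's inode). /proc/<tid>
 * resolves for non-leader threads too; it is merely not listed by readdir.
 * Returns 0 on success, -1 if this /proc does not expose it. */
int ns_id(pid_t tid, const char *kind, char *out, size_t outlen)
{
    char path[64];
    snprintf(path, sizeof path, "/proc/%d/ns/%s", (int)tid, kind);
    return read_link(path, out, outlen);
}

/* 1 if both tasks are in the same <kind> namespace, 0 if not, -1 if unknown. */
int same_ns(pid_t tid_a, pid_t tid_b, const char *kind)
{
    char a[64], b[64];
    if (ns_id(tid_a, kind, a, sizeof a) < 0 || ns_id(tid_b, kind, b, sizeof b) < 0)
        return -1;
    return strcmp(a, b) == 0;
}

/* Pin a namespace so it survives its last task exiting: create an empty
 * file and bind-mount the /proc ns entry onto it. This is what `ip netns
 * add` does under /var/run/netns. Needs CAP_SYS_ADMIN; -1 with errno set. */
int pin_ns(const char *ns_path, const char *pin_path)
{
    int fd = open(pin_path, O_WRONLY | O_CREAT | O_EXCL, 0444);
    if (fd < 0)
        return -1;
    close(fd);
    if (mount(ns_path, pin_path, NULL, MS_BIND, NULL) < 0) {
        int saved = errno;
        unlink(pin_path);
        errno = saved;
        return -1;
    }
    return 0;
}

struct worker {
    pid_t tid;
    int same_before, same_after;   /* same net ns as the leader? (1/0/-1) */
    int unshare_rc, unshare_errno, pin_rc;
    char via_self[64];             /* /proc/self/ns/net: the group leader */
    char via_thread_self[64];      /* /proc/thread-self/ns/net: this thread */
};

static void *worker_main(void *arg)
{
    struct worker *w = arg;
    w->tid = (pid_t)syscall(SYS_gettid);
    w->same_before = same_ns(getpid(), w->tid, "net");
    /* unshare(2) changes the calling task only: on success this thread moves
     * to a fresh net namespace while the leader and any sibling stay put.
     * Called via syscall(2) so the demo does not depend on <sched.h> seeing
     * _GNU_SOURCE first. Needs CAP_SYS_ADMIN; EPERM otherwise. */
    w->unshare_rc = (int)syscall(SYS_unshare, CLONE_NEWNET);
    w->unshare_errno = errno;
    w->same_after = same_ns(getpid(), w->tid, "net");
    /* /proc/self points at the thread-group leader, so it still shows the
     * old namespace; /proc/thread-self is the entry for this thread. */
    read_link("/proc/self/ns/net", w->via_self, sizeof w->via_self);
    read_link("/proc/thread-self/ns/net", w->via_thread_self, sizeof w->via_thread_self);
    /* Without a pin the new namespace dies with this thread; the bind mount
     * keeps it reachable (e.g. for setns(2)) until someone umounts it. */
    w->pin_rc = w->unshare_rc == 0 ? pin_ns("/proc/thread-self/ns/net", PIN_PATH) : -1;
    return NULL;
}

/* Run the experiment in a helper thread and fill in *w; 0 on success. */
int run_demo(struct worker *w)
{
    pthread_t t;
    memset(w, 0, sizeof *w);
    if (pthread_create(&t, NULL, worker_main, w) != 0)
        return -1;
    return pthread_join(t, NULL) == 0 ? 0 : -1;
}

int main(void)
{
    struct worker w;
    if (run_demo(&w) != 0)
        return 1;
    printf("leader %d, worker %d, same net ns before unshare: %d\n",
           (int)getpid(), (int)w.tid, w.same_before);
    if (w.unshare_rc == 0)
        printf("after unshare: same=%d  /proc/self=%s  /proc/thread-self=%s\n",
               w.same_after, w.via_self, w.via_thread_self);
    else
        printf("unshare(CLONE_NEWNET) failed: %s (run as root to see the split)\n",
               strerror(w.unshare_errno));
    if (w.pin_rc == 0) {           /* the worker is gone, the namespace is not */
        printf("namespace pinned at %s; unpinning\n", PIN_PATH);
        umount2(PIN_PATH, MNT_DETACH);
        unlink(PIN_PATH);
    }
    return 0;
}
```

Run unprivileged it shows the worker and the leader sharing one `net:[...]` inode and unshare failing with EPERM; as root the worker's `/proc/thread-self/ns/net` changes while `/proc/self/ns/net` does not, and the pinned file at the constructed path stays a valid namespace handle after the worker thread has exited, which is the reason tools bind-mount the ns entry rather than keeping a process around.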