Things to do

  • Aliases 3000 / aliases.peterjin.org: is it insensitive?
  • Subnetting smaller than a /64; to what extent should this be allowed? For a normal, physical subnet, no smaller than /64. However, for logical subnets where the bits of the IP addresses are interpreted by things other than routers (e.g. IPv6 Things), this may be acceptable.
  • Future expansion of Aliases 3000, IPv6 Things, Traceroute Text Generator, other IPv6 web apps
  • Use case for socketbox -- SSH sessions with inetd
  • Remove GitLab from apps-vm5; suggest replacing with cgit or similar, allowing for future expansion of IPv6-only services.
  • /run/acme-challenge nginx virtual host trick -- remember to mkdir this in /etc/rc.local on startup. Done: Snippets:Nginx universal port 80 redirect
  • Hurricane tunnel on apps-vm3: ip route add local with the tunnel's "routed /48" was probably a predecessor to IPv6 Things, but it never took off due to the HE/Cogent peering dispute.
  • Also announce 2602:806:a000::/48 from apps-vm6 for consistency.
  • Cookie isolation -- use cookies beginning with __Host-? Clear-Site-Data?
  • Install math and visual editor extensions
  • "300" IPv6 addresses
  • Concept of "relatively privileged" containers in Linux (i.e. a privileged container running in an unprivileged container)
  • Rationale behind not using overlayfs for containers (mostly due to /usr usually being read-only and /var usually being read-write; can still use overlayfs/Docker for testing purposes, to see the exact set of files that the container modifies; to prevent symlink-based security issues, run only when container is stopped and check file hierarchies using the "find" command).
  • Rationale behind using tmpfs as a root for containers (root user of that filesystem is always based on the UID/GID maps unlike with overlayfs)
  • Add support for opening various types of files within ctrtool. For example, we could open one or more listening sockets that would be inherited into the container, then use mechanisms like systemd socket activation ($LISTEN_FDS) or a container-local instance of socketbox to allow container daemons to listen on IP addresses and port numbers in the original network namespace. Also useful is execveat(), where a host file could be executed from a container (obviously with the container's privileges) without needing to create a bind mount. The former could be accomplished using a separate program, but the latter might be worth integrating within ctrtool itself, since it may be useful to set the close-on-exec flag on that file descriptor (while also allowing this flag to be left unset in case the file is a script that begins with #!). Done (ns_open_file and --exec-file-host)
  • Use getopt_long in ctrtool (we're already running out of letter flags, especially with container-launcher)
  • Drop-in bindings for the socketbox "A" and "B" protocols to use in existing applications, preferably within a shared library ("libsocketbox_s.so.0")
  • Maintain private forks of apache, nginx, and other server applications to support the socketbox drop-in bindings
  • Add support for folding IPv6 addresses to a common prefix in socketbox Python (while preserving the interface ID), and matching of only the interface ID in the C version of socketbox, to support dynamic prefix delegation use cases
  • Document the actual sources for the language detector and guess the word game.
  • Document how I build autoserver myself, using a vm with docker in it for building rootfs. One day it should be safe to just run all of the tools in the vm.
  • SECCOMP user notify program to allow processes in a container to create sockets in arbitrary network namespaces.
  • Document the primitives of Linux networking (routing, switching, firewall, NAT, etc.)
  • Rewrite pretty much everything in Golang.
  • WireGuard network driver for QEMU. (The setup is as if the WireGuard device were to be connected directly to QEMU's TAP network driver device (after converting between layer 2 and 3), but without actually creating WireGuard or TAP devices in the host's kernel. Instead, the connection is internal, and all that is exposed is the WireGuard UDP socket.)
  • Document docker-in-ctrtool, systemd-in-ctrtool, and socketbox with docker-in-ctrtool containers.
  • Document isc-dhcp-client/server IPv6 prefix delegation script examples.
  • Document the dilemma of needing a container to have all privileges (i.e. a full set of capabilities, including CAP_SYS_ADMIN, CAP_NET_RAW, and CAP_NET_ADMIN) in its user namespace and to be able to bind to privileged ports less than 1024 in its network namespace, while also being prevented from performing ARP or NDP spoofing attacks (it was a macvlan-like setup on the main outbound interface, where such attacks could impact the container host); namely, in such a scenario, which user namespace should the network namespace be owned by? (This was, in fact, another circumstance that led to the creation of Socketbox.)
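
For the item above about folding IPv6 addresses to a common prefix while preserving the interface ID, here is a sketch of how such matching could work. It is an added example, not socketbox code: the names fold, build_table and lookup, the rule format, the socket paths and the fd00:0:0:1::/64 fold prefix are all assumptions, and the addresses are constructed from documentation ranges.

```python
import ipaddress

# Assumed canonical /64 that every delegated prefix is folded onto (constructed value).
COMMON_PREFIX = ipaddress.IPv6Network("fd00:0:0:1::/64")
IID_MASK = (1 << 64) - 1  # low 64 bits = interface ID


def fold(addr, common=COMMON_PREFIX):
    """Replace the upper 64 bits of addr with the common prefix, keeping the interface ID."""
    ip = ipaddress.ip_address(addr)
    if ip.version != 6 or ip.ipv4_mapped is not None:
        raise ValueError("only native IPv6 addresses can be folded")
    if common.prefixlen != 64:
        raise ValueError("fold prefix must be a /64")
    # Never fold special-purpose addresses: an fe80:: or ff02:: address that
    # happens to share an interface ID must not match a rule for a routed one.
    if ip.is_link_local or ip.is_loopback or ip.is_multicast or ip.is_unspecified:
        return ip
    return ipaddress.IPv6Address(int(common.network_address) | (int(ip) & IID_MASK))


def build_table(rules):
    """rules: {(address, port): target}; keys are stored in folded form."""
    return {(fold(a), port): target for (a, port), target in rules.items()}


def lookup(table, local_addr, port):
    """Return the target for a connection's local address and port, or None."""
    try:
        return table.get((fold(local_addr), port))
    except ValueError:
        return None  # IPv4 or unparsable input never matches a folded rule


# Rule written while the delegated prefix was 2001:db8:1:2::/64 (constructed).
TABLE = build_table({("2001:db8:1:2::80", 80): "/run/web.sock"})

if __name__ == "__main__":
    # After renumbering to 2001:db8:aaaa:bbbb::/64 the same rule still matches.
    print(lookup(TABLE, "2001:db8:aaaa:bbbb::80", 80))
    print(lookup(TABLE, "fe80::80", 80))
```

Folding discards the prefix, so a rule then matches the interface ID under any routed prefix that reaches the host; filtering on which prefixes are accepted has to happen elsewhere (routing or firewall).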