[newns] / newns

#!/bin/bash
# Copyright (C) 2017 Ian Kelling

# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at

#     http://www.apache.org/licenses/LICENSE-2.0

# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.


[[ $EUID == 0 ]] || exec sudo -E "$BASH_SOURCE" "$@"

tmp="$(readlink -f "${BASH_SOURCE}")"; script_dir="${tmp%/*}"
if [[ ! $ERRHANDLE_PATH ]]; then
  ERRHANDLE_PATH="$script_dir"/../errhandle/err
fi
if [[ -s $ERRHANDLE_PATH ]]; then
  source $ERRHANDLE_PATH
else
  cd "$script_dir"
  if ! wget -O err 'https://iankelling.org/git/?p=errhandle;a=blob_plain;f=err;hb=HEAD'; then
    echo "$0: failed to get errhandle dependency" >&2
    exit 1
  fi
  source err
fi

usage() {
  cat <<EOF
usage: ${0##*/} [OPTS] start|stop NS_NAME
Nat a network namespace. systemd friendly

Also creates a mount namespace with a cloned /run/resolvconf.

-c, --create    Create or destroy a named network namespace. When running from
                the same network namespace as pid 1, this is set automatically.
                A systemd created private network is in a network namespace
                different than pid 1.
-n NETWORK      x.x.x /24 private network to use. If not specified, uses
                the first unused one starting at 10.173.1
-h, --help      Show this help and exit.

From a normal shell:

If we do create the netns, to join it with a shell, we can do (as root)
/usr/bin/nsenter --mount=/root/mount_namespaces/NAME --net=/var/run/netns/NAME bash

If you dont care about the mount namespace, you can leave that option off.


For systemd:

From within a systemd network namespace, we nat it to the outside. This
would be called from ExecStartPre, and or subsequent units called with
JoinsNamespaceOf= and PrivateNetwork=true.

If resolvconf is installed, we create a named mount namespace under
/root/mount_namespaces, so we can alter some system config for this
namespace. systemd command lines would be prefixed with:

/usr/bin/nsenter --mount=/root/mount_namespaces/NS_NAME

Note, this means that they can't run as unpriveledged users, but once
systemd 233 comes out, it will have a bind mount option from within unit
files, so the mount namespace won't be needed for most use cases, and I
will update the script to that the mount namespace not created unless a
flag is passed in. Patch welcome to add that flag before then.

This script has a dependency which you can download manually or it
will be automatically downloaded into the same directory.
It handles errors by printing stack trace and and cleaning up the namespaces.
To download manually,
git clone https://iankelling.org/git/errhandle
into an adjacent directory, or
export ERRHANDLE_PATH to point to the 'err' file in that repo.


Background on this project (you can skip if you like):

If we aren't creating a named network namespace, to join the namespace
with a shell, I use:
nsenter -n -m -t \$(pgrep PROCESS_IN_NAMESPACE) bash

Note: if I knew how to easily ask systemd what pid a unit has, i would
do that.

"ip netns new ..." also does a mount namespace, then bind
mounts each file/dir in /etc/netns/NS_NAME to /etc/NS_NAME. Note,
for openvpn having it's own resolv.conf by using it's user script which
calls resolvconf, this doesn't help much. What we actually want to do is
copy /run/resolvconf somehwere then bind mount it on top of
/run/resolvconf.


Note: for debugging, adding set -x is a pretty good option.

Please email me if you have a patches, bugs, feedback, or republish this
somewhere else: Ian Kelling <ian@iankelling.org>.
EOF
  exit ${1:-0}
}


#### begin arg parsing ####
create=false
temp=$(getopt -l help,create hcn: "$@") || usage 1
eval set -- "$temp"
while true; do
  case $1 in
    -c|--create) create=true; shift ;;
    -n) network=$2; shift 2 ;;
    -h|--help) usage ;;
    --) shift; break ;;
    *) echo "$0: Internal error!" ; exit 1 ;;
  esac
done
if (( $# != 2 )); then
  usage 1
fi

action=$1
nn=$2 # namespace name
#### end arg parsing ####

#### begin sanity checking ####
install_error=false
if ! type -p ip &>/dev/null; then
  echo "please install the iproute2 package"
  install_error=true
fi
if ! type -p iptables &>/dev/null; then
  echo "please install the iptables package"
  install_error=true
fi
if $install_error; then
  exit 1
fi
####   end sanity checking ####

v0=veth0-$nn
v1=veth1-$nn
ip_base=10.173

if ! $create && [[ $(readlink /proc/self/ns/net) == "$(readlink /proc/1/ns/net)" ]]; then
  create=true
fi

# make the default network namespace be named

mkdir -p /run/netns
target=/run/netns/default
if [[ ! -e $target && ! -L $target ]]; then
  # -f to avoid a race condition with running twice
  ln -sf /proc/1/ns/net $target
fi

ipd() { ip -n default "$@"; }


# otherwise we are already in the network namespace and it's unnamed.
if $create; then
  ipnnargs="-n $nn"
fi
# run ip in the network namespace
ipnn() { ip $ipnnargs "$@"; }

# default network namespace exec
dexec() { ip netns exec default "$@"; }
# mount namespace exec
mexec() { /usr/bin/nsenter --mount=/root/mount_namespaces/$nn "$@"; }


nat() {
  # note, in a previous commit i specified the output interface with -o,
  # but that broke things when my gateway interface changed, and I can't
  # see any advantage to it, so I removed it.
  dexec iptables -t nat $1 POSTROUTING -s $network.0/24 -j MASQUERADE \
        -m comment --comment "systemd network namespace nat"
}

# d = default
diptables-add() {
  if ! dexec iptables -C "$@" &>/dev/null; then
    dexec iptables -I "$@"
  fi

}

find_network() {
  if [[ $network ]]; then
    return
  fi
  found=false
  existing=false
  ips="$(ipd addr show | awk '$1 == "inet" {print $2}')"
  for ((i=1; i <= 254; i++)); do
    network=$ip_base.$i
    if printf "%s\n" "$ips" | grep "^${network//./\\.}" >/dev/null; then
      existing=true
    else
      found=true
      break
    fi
  done
}

start() {
  find_network
  if ! $found; then
    echo "$0: error: no open network found"
    exit 1
  fi

  #### begin mount namespace setup ####
  mkdir -p /root/mount_namespaces
  if ! mountpoint /root/mount_namespaces >/dev/null; then
    mount --bind /root/mount_namespaces /root/mount_namespaces
  fi
  # note: This is outside the mount condition because I've mysteriously
  # had this become shared instead of private, perhaps it
  # got remounted somehow and lost the setting.
  mount --make-private /root/mount_namespaces
  if [[ ! -e /root/mount_namespaces/$nn ]]; then
    touch /root/mount_namespaces/$nn
  fi
  if ! mountpoint /root/mount_namespaces/$nn >/dev/null; then
    # Here, we specify that we only want mount changes changes under
    # this mountpoint to be propagated into the bind, but changes
    # from within the bind do not propagate to outside the bind.
    #
    # slave is documented in.
    # /usr/share/doc/linux-doc-4.9/Documentation/filesystems/sharedsubtree.txt.gz
    # documentation on propagation is a bit weird because it
    # confusingly talks about binds, namespaces, and mirrors (which
    # seems to be just another name for bind), shared subtrees
    # (which seems to a term for binds and namespaces), and does not
    # properly specify whether the documentation applies to binds,
    # namespaces, or both. Notably, propagation for binds is marked
    # on the original mount point, and propagation for a mount
    # namespace is marked on mounts within the namespace.
    unshare --propagation slave --mount=/root/mount_namespaces/$nn /bin/true
  fi

  ####   end mount namespace setup ####


  if $create; then
    ip netns add $nn
    ip -n $nn link set dev lo up
  fi

  echo 1 | dexec dd of=/proc/sys/net/ipv4/ip_forward status=none

  # docker helpfully changes the default FORWARD to drop...
  diptables-add FORWARD -i $v0 -j ACCEPT
  diptables-add FORWARD -o $v0 -j ACCEPT


  err-cleanup() { stop; }
  ipnn link add $v0 type veth peer name $v1
  ipnn link set $v0 netns default
  ipd addr add $network.1/24 dev $v0
  ipd link set $v0 up
  nat -C &>/dev/null || nat -A
  ipnn addr add $network.2/24 dev $v1
  ipnn link set $v1 up
  ipnn route add default via $network.1

  ###### begin setup resolvconf
  if [[ -e /run/resolvconf ]]; then # resolvconf probably installed
    resolv_copy=/root/resolvconf-$nn

    # this condition should never happen, just coding defensively
    if mexec mountpoint /run/resolvconf &>/dev/null; then
      mexec umount /run/resolvconf
    fi
    cp -aT /run/resolvconf $resolv_copy
    if ! mexec mount -o bind $resolv_copy /run/resolvconf; then
      echo "error: resolv-conf bindmount failed"
      exit 1
    fi
    # if running dnsmasq, we have 127.0.0.1 for dns, but it can't listen on the loopback
    # in the network namespace, so adjust the address.
    if mexec [ -s /run/resolvconf/interface/lo.dnsmasq ]; then
      mexec sed --follow-symlinks -i "s/nameserver 127\..*/nameserver $network.1/" /run/resolvconf/interface/lo.dnsmasq
      mexec resolvconf -u
    fi
    # and in debian based distros at least, it runs with --local-service, and needs a restart
    # to know about the new local network
    if [[ $(systemctl --no-pager show -p ActiveState dnsmasq ) == ActiveState=active ]]; then
      systemctl restart dnsmasq
    fi

    # background: if we did this in openvpn's resolv-conf script, we could guard it in
    # if capsh --print|grep '\bcap_sys_admin\b' &>/dev/null
    # and we could get $nn by
    # config_basename=${config%%.*}
    # config_basename=${config_basename##*/}
    # but dnsmasq forces us to do it earlier.

  fi # end if [[ -e /run/resolvconf ]]
  ######  end setup resolvconf


}

stop() {
  if ipd link list $v0 &>/dev/null; then
    # this also deletes $v1 and the route we added.
    ipd link del $v0
  fi
  find_network
  if ! $existing; then
    if nat -C &>/dev/null; then nat -D; fi
  fi
  dexec iptables -D FORWARD -i $v0 -j ACCEPT &>/dev/null ||:
  if $create && [[ -e /var/run/netns/$nn ]]; then
    ip netns del $nn
  fi

  # not sure this is necessary since we are tearing down the mount namespace
  if mexec mountpoint /run/resolvconf &>/dev/null; then
    mexec umount /run/resolvconf
  fi

  if mountpoint /root/mount_namespaces/$nn >/dev/null; then
    umount /root/mount_namespaces/$nn
  fi
}

case $action in
  start|stop)
    $action
    ;;
  *)
    echo "$0: error: unsupported action"
    exit 1
    ;;
esac