u /etc/systemd/system/wg-quick@wgmail.service.d/override.conf <<EOF
[Unit]
Requires=mailnn.service
-JoinsNamespaceOf=mailnn.service
BindsTo=mailnn.service
StartLimitIntervalSec=0
[Service]
-ExecStartPre=/usr/local/bin/joins-namespace-of-check mailnn
-PrivateNetwork=true
+NetworkNamespacePath=/var/run/netns/mail
# i dont think we need any of these, but it doesnt hurt to stay consistent
BindPaths=$bindpaths
Documentation=https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage
Documentation=https://community.openvpn.net/openvpn/wiki/HOWTO
# needed to continually restatr
-JoinsNamespaceOf=mailnn.service
BindsTo=mailnn.service
StartLimitIntervalSec=0
RuntimeDirectory=openvpn-client
RuntimeDirectoryMode=0710
WorkingDirectory=/etc/openvpn/client
-ExecStartPre=/usr/local/bin/joins-namespace-of-check mailnn
+NetworkNamespacePath=/var/run/netns/mail
ExecStart=/usr/sbin/openvpn --suppress-timestamps --nobind --config /etc/openvpn/client/mail.conf
#CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE
LimitNPROC=10
# DeviceAllow=/dev/null rw
# DeviceAllow=/dev/net/tun rw
-PrivateNetwork=true
# in the network namespace, we cant connect to systemd-resolved on 127.0.0.53,
# because of
# https://unix.stackexchange.com/questions/445782/how-to-allow-systemd-resolved-to-listen-to-an-interface-other-than-loopback
u /etc/systemd/system/mailnnroute.service <<'EOF'
[Unit]
-Description=Network routing for mailnn
-After=syslog.target network-online.target mailnn.service
-Wants=network-online.target
-JoinsNamespaceOf=mailnn.service
-BindsTo=mailnn.service
+Description=Initial setup of mail netns
+After=network.target
+Wants=network.target
StartLimitIntervalSec=0
[Service]
-Type=simple
+Type=oneshot
RemainAfterExit=true
-PrivateNetwork=true
-ExecStartPre=/usr/local/bin/joins-namespace-of-check mailnn
ExecStart=/usr/bin/flock -w 20 /tmp/newns.flock /a/bin/newns/newns -n 10.173.8 start mail
ExecStop=/usr/bin/flock -w 20 /tmp/newns.flock /a/bin/newns/newns stop mail
Restart=always
WantedBy=multi-user.target
EOF
-#
u /etc/systemd/system/mailnn.service <<'EOF'
[Unit]
Description=Network Namespace for mail vpn service that will live forever and cant fail
-# These are the same as unbound.service, except no wants=, which seems
+# These are the same as unbound.service, plus mailnnroute, except no wants=, which seems
# to me could only make it run earlier, not later. Note, that if we had an
# After= for a later target
# than nss-lookup, systemd would just ignore unbound's After=mailnn.service and
# start it first. It seems logically, that we should not need the Before= here,
# but I'm not confident that systemd would do something unexpected and still start
-# unbound earlier than this. Also, it seems there is a bug in systemd 255.4 (ecne),
-# where if mailnn is disabled and is started by unbound's dependency, then we stop
-# unbound, change it to joinsnamespaceof=mailnn, then start it, it won't join the
-# existing namespace. So, for now, just avoid doing that.
-After=network.target
+# unbound earlier than this.
+After=network.target mailnnroute.service
+Wants=mailnnroute.service
Before=nss-lookup.target
[Service]
Type=simple
-PrivateNetwork=true
ExecStart=/bin/sleep infinity
+NetworkNamespacePath=/var/run/netns/mail
[Install]
WantedBy=multi-user.target
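Review bot: The new mailnnroute.service sets `Type=oneshot` (L46) but keeps `Restart=always` (L52), which systemd rejects for oneshot units — older releases refuse to load the unit with "Restart= setting other than no ... isn't allowed for Type=oneshot", and as far as I recall even ≥254, which added Restart= support for oneshot, still does not accept `always`; since the unit now creates the netns that every `NetworkNamespacePath=/var/run/netns/mail` consumer depends on, that failure would take mailnn, unbound and the VPN units down with it. I'd change it to `Restart=on-failure` (or drop it — `RemainAfterExit=true` already keeps the netns "active"). Note also that `WantedBy=multi-user.target` (L53) sits under `[Service]` with no `[Install]` section, so it is ignored at `enable` time; it only works now because mailnn pulls the unit in via `Wants=mailnnroute.service` (L73). Separately, the wg-quick override (L3–L5) gains `NetworkNamespacePath=` but shows only `Requires=`/`BindsTo=mailnn.service` with no `After=` in view, so unless an `After=` exists outside the hunk the unit can be started before the namespace path exists and fail hard. The lock file in world-writable `/tmp` (L50–L51) is pre-existing, but a local user can pre-create `/tmp/newns.flock` and, with `fs.protected_regular` enabled, make root's `flock` open fail; `/run/lock/newns.flock` would avoid that.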
u /etc/systemd/system/unbound.service.d/nn.conf <<EOF
[Unit]
After=mailnn.service
-JoinsNamespaceOf=mailnn.service
BindsTo=mailnn.service
StartLimitIntervalSec=0
[Service]
-ExecStartPre=/usr/local/bin/joins-namespace-of-check mailnn
-PrivateNetwork=true
+NetworkNamespacePath=/var/run/netns/mail
# note the nsswitch bind is actually not needed for bk, but
# its the same file so it does no harm.
BindPaths=$bindpaths
Wants=$vpnser
After=network.target mailnn.service $vpnser
-JoinsNamespaceOf=mailnn.service
BindsTo=mailnn.service
StartLimitIntervalSec=0
[Service]
-ExecStartPre=/usr/local/bin/joins-namespace-of-check mailnn
-PrivateNetwork=true
+NetworkNamespacePath=/var/run/netns/mail
# note the nsswitch bind is actually not needed for bk, but
# its the same file so it does no harm.
BindPaths=$bindpaths
After=network.target network-online.target mailnn.service $vpnser
Wants=$vpnser
-JoinsNamespaceOf=mailnn.service
StartLimitIntervalSec=0
[Service]
-ExecStartPre=+/usr/local/bin/joins-namespace-of-check mailnn
-PrivateNetwork=true
+NetworkNamespacePath=/var/run/netns/mail
BindPaths=$bindpaths
Restart=always
# time to sleep before restarting a service