usage() {
cat <<EOF
usage: ${0##*/} [OPTS] start|stop|show NS_NAME
-Nat a network namespace. systemd friendly
-
-Also creates a mount namespace with a cloned /run/resolvconf.
+Create and/or nat a network namespace.
Arguments:
namespace in that case.
-n NETWORK x.x.x /24 private network to use. If not specified, uses
the first unused one starting at 10.173.1
+-m DIR:BIND_DIR Like BindReadOnlyPaths in systemd. Assumes norbind. Untested. Multiple options allowed.
+ todo: figure out how to set norbind.
-h, --help Show this help and exit.
From a normal shell:
-If we do create the netns, to join it with a shell, we can do (as root)
+If we do create the netns (and optionally mount ns),
+to join it with a shell, we can do (as root):
/usr/bin/nsenter --mount=/run/mount-namespaces/NAME --net=/var/run/netns/NAME bash
If you dont care about the mount namespace, you can leave that option off.
For systemd:
-From within a systemd network namespace, we nat it to the outside. This
+From within a systemd created network namespace, we nat it to the outside. This
would be called from ExecStartPre, and or subsequent units called with
-JoinsNamespaceOf= and PrivateNetwork=true.
-
-If resolvconf is installed, we create a named mount namespace under
-/run/mount-namespaces, so we can alter some system config for this
-namespace. systemd command lines would be prefixed with:
-
-/usr/bin/nsenter --mount=/run/mount-namespaces/NS_NAME
-
-Note, this means that they can't run as unpriveledged users, but once
-systemd 233 comes out, it will have a bind mount option from within unit
-files, so the mount namespace won't be needed for most use cases, and I
-will update the script to that the mount namespace not created unless a
-flag is passed in. Patch welcome to add that flag before then.
+JoinsNamespaceOf= and PrivateNetwork=true. Or with newer systemd, create the
+network namespace with this script, then join it with
+NetworkNamespacePath=/var/run/netns/NAME
This script has a dependency
Background on this project (you can skip if you like):
-If we aren't creating a named network namespace, to join the namespace
-with a shell, I use:
+Joining an existing network + mount namespact can also be done with:
nsenter -n -m -t \$(pgrep PROCESS_IN_NAMESPACE) bash
-Note: if I knew how to easily ask systemd what pid a unit has, i would
-do that.
-
-"ip netns new ..." also does a mount namespace, then bind
-mounts each file/dir in /etc/netns/NS_NAME to /etc/NS_NAME. Note,
-for openvpn having it's own resolv.conf by using it's user script which
-calls resolvconf, this doesn't help much. What we actually want to do is
-copy /run/resolvconf somehwere then bind mount it on top of
-/run/resolvconf.
+Note: "ip netns new ..." also does a mount namespace, then bind
+mounts each file/dir in /etc/netns/NS_NAME to /etc/NS_NAME.
Note: for debugging, adding set -x is a pretty good option.
-TODO: make "start" be idempotent.
-
Please email me if you have a patches, bugs, feedback, or republish this
somewhere else: Ian Kelling <ian@iankelling.org>.
EOF
#### begin arg parsing ####
create=false
-temp=$(getopt -l help,create hcdn: "$@") || usage 1
+declare -a bind_srcs bind_dests
+temp=$(getopt -l help,create hcdm:n: "$@") || usage 1
eval set -- "$temp"
while true; do
case $1 in
-c|--create) create=true; shift ;;
+ -m)
+ bind_srcs+=( "${2#:*}" )
+ bind_dests+=( "${2%:*}" )
+ shift 2
+ ;;
-n) network=$2; shift 2 ;;
-h|--help) usage ;;
--) shift; break ;;
cmd=$1
net=$2
dev=$3
- if ! $cmd addr show dev $dev | sed 's/^ *//;s/ *$//' | grep -xF "inet $net scope global $dev"; then
+ if ! $cmd addr show dev $dev | sed 's/^ *//;s/ *$//' | grep -xFq "inet $net scope global $dev"; then
$cmd addr add $net dev $dev
fi
}
+check-default-route() {
+ default_route_done=false
+ default_route=$(ipnn route show default | sed -r 's,^[[:space:]]+|[[:space:]]+$,,')
+ if [[ $default_route == "default via $network.1 dev $v1" ]]; then
+ default_route_done=true
+ fi
+}
+
start() {
find-network
#### begin mount namespace setup ####
- mkdir -p /run/mount-namespaces
- if ! mountpoint /run/mount-namespaces >/dev/null; then
- mount --bind /run/mount-namespaces /run/mount-namespaces
- fi
- # note: This is outside the mount condition because I've mysteriously
- # had this become shared instead of private, perhaps it
- # got remounted somehow and lost the setting.
- mount --make-private /run/mount-namespaces
- if [[ ! -e /run/mount-namespaces/$nn ]]; then
- touch /run/mount-namespaces/$nn
- fi
- if ! mountpoint /run/mount-namespaces/$nn >/dev/null; then
- # Here, we specify that we only want mount changes changes under
- # this mountpoint to be propagated into the bind, but changes
- # from within the bind do not propagate to outside the bind.
- #
- # slave is documented in.
- # /usr/share/doc/linux-doc-4.9/Documentation/filesystems/sharedsubtree.txt.gz
- # documentation on propagation is a bit weird because it
- # confusingly talks about binds, namespaces, and mirrors (which
- # seems to be just another name for bind), shared subtrees
- # (which seems to be a term for binds and namespaces), and does not
- # properly specify whether the documentation applies to binds,
- # namespaces, or both. Notably, propagation for binds is marked
- # on the original mount point, and propagation for a mount
- # namespace is marked on mounts within the namespace.
- unshare --propagation slave --mount=/run/mount-namespaces/$nn /bin/true
+ if (( ${#bind_srcs[@]} )); then
+ mkdir -p /run/mount-namespaces
+ if ! mountpoint /run/mount-namespaces >/dev/null; then
+ mount --bind /run/mount-namespaces /run/mount-namespaces
+ fi
+ # note: This is outside the mount condition because I've mysteriously
+ # had this become shared instead of private, perhaps it
+ # got remounted somehow and lost the setting.
+ mount --make-private /run/mount-namespaces
+ if [[ ! -e /run/mount-namespaces/$nn ]]; then
+ touch /run/mount-namespaces/$nn
+ fi
+ if ! mountpoint /run/mount-namespaces/$nn >/dev/null; then
+ # Here, we specify that we only want mount changes changes under
+ # this mountpoint to be propagated into the bind, but changes
+ # from within the bind do not propagate to outside the bind.
+ #
+ # slave is documented in.
+ # /usr/share/doc/linux-doc-4.9/Documentation/filesystems/sharedsubtree.txt.gz
+ # documentation on propagation is a bit weird because it
+ # confusingly talks about binds, namespaces, and mirrors (which
+ # seems to be just another name for bind), shared subtrees
+ # (which seems to be a term for binds and namespaces), and does not
+ # properly specify whether the documentation applies to binds,
+ # namespaces, or both. Notably, propagation for binds is marked
+ # on the original mount point, and propagation for a mount
+ # namespace is marked on mounts within the namespace.
+ unshare --propagation slave --mount=/run/mount-namespaces/$nn /bin/true
+ fi
fi
#### end mount namespace setup ####
if $create; then
- if ! ip netns | grep -xF $nn &>/dev/null; then
+ if ! ip netns | awk '{print $1}' | grep -xF $nn &>/dev/null; then
ip netns add $nn
fi
ip -n $nn link set dev lo up
err-cleanup() { stop; }
- ipnn link add $v0 type veth peer name $v1
- ipnn link set $v0 netns default
+ if ! ip link show $v0 &>/dev/null; then
+ ipnn link add $v0 type veth peer name $v1
+ ipnn link set $v0 netns default
+ fi
ip-add ipd $network.1/24 $v0
ipd link set $v0 up
nat -C &>/dev/null || nat -A
ip-add ipnn $network.2/24 $v1
ipnn link set $v1 up
cmd="ipnn route add default via $network.1"
- $cmd
- fails=0
- max_fails=2
+ tries=0
+ max_tries=3
# I've had adding the default route mysteriously fail on boot, so
# here we check that it succeeded, do a sleep and a retry.
while true; do
- default_route=$(ipnn route show default | sed -r 's,^[[:space:]]+|[[:space:]]+$,,')
- if [[ $default_route != "default via $network.1 dev $v1" ]]; then
- fails=$((fails + 1))
- else
+ check-default-route
+ if $default_route_done; then
break
+ else
+ $cmd
+ tries=$((tries + 1))
fi
- if (( fails >= max_fails )); then
- echo "$0: ERROR: default route added but not found, retried $max_fails. expected route: 'default via $network.1 dev $v1', found: '$default_route'"
- # Note: for debugging, if you have a systemd unit which tears down
- # the newns upon failure, you may want to uncomment the break so
- # that we proceed and can inspect the system. break
+ if (( tries >= max_tries )); then
+ echo "$0: ERROR: default route added but not found, tried $max_tries. expected route: 'default via $network.1 dev $v1', found: '$default_route'"
exit 1
else
sleep 1
$cmd
fi
done
- if (( fails >= 1 )); then
- echo "$0: WARNING: route added but not found until retried $max_fails times: $cmd"
+ if (( tries >= 2 )); then
+ echo "$0: WARNING: route added but not found until retried $max_tries times: $cmd"
fi
-
- ###### begin setup resolvconf
- if [[ -e /run/resolvconf ]]; then # resolvconf probably installed
- resolv_copy=/root/resolvconf-$nn
-
- # this condition should never happen, just coding defensively
- if mexec mountpoint /run/resolvconf &>/dev/null; then
- mexec umount /run/resolvconf
- fi
- cp -aT /run/resolvconf $resolv_copy
- if ! mexec mount -o bind $resolv_copy /run/resolvconf; then
- echo "error: resolv-conf bindmount failed"
- exit 1
- fi
- # if running dnsmasq, we have 127.0.0.1 for dns, but it can't listen on the loopback
- # in the network namespace, so adjust the address.
- if mexec [ -s /run/resolvconf/interface/lo.dnsmasq ]; then
- mexec sed --follow-symlinks -i "s/nameserver 127\..*/nameserver $network.1/" /run/resolvconf/interface/lo.dnsmasq
- mexec resolvconf -u
- fi
- # and in debian based distros at least, it runs with --local-service, and needs a restart
- # to know about the new local network
- if [[ $(systemctl --no-pager show -p ActiveState dnsmasq ) == ActiveState=active ]]; then
- systemctl restart dnsmasq
- fi
-
- # background: if we did this in openvpn's resolv-conf script, we could guard it in
- # if capsh --print|grep '\bcap_sys_admin\b' &>/dev/null
- # and we could get $nn by
- # config_basename=${config%%.*}
- # config_basename=${config_basename##*/}
- # but dnsmasq forces us to do it earlier.
-
- fi # end if [[ -e /run/resolvconf ]]
- ###### end setup resolvconf
+ for ((i=0; i < ${#bind_srcs[@]}; i++ )); do
+ mexec mount -o bind ${bind_srcs[$i]} ${bind_dests[$i]}
+ done
}
stop() {
ip netns del $nn
fi
- # not sure this is necessary since we are tearing down the mount namespace
- if mexec mountpoint /run/resolvconf &>/dev/null; then
- mexec umount /run/resolvconf
- fi
-
+ # todo: do we need to umount the bind mounts within the mount namespace first?
if mountpoint /run/mount-namespaces/$nn >/dev/null; then
umount /run/mount-namespaces/$nn
fi
m dexec iptables -t nat -C POSTROUTING -s $network.0/24 -j MASQUERADE \
-m comment --comment "systemd network namespace nat" ||:
m dexec iptables -C FORWARD -i $v0 -j ACCEPT
- m mexec mountpoint /run/resolvconf
+ m mexec mount
m mountpoint /run/mount-namespaces/$nn
}
iankelling.org / git / newns / commitdiff