From 914cdb74031df6ae068ed87376c47944fbfaf934 Mon Sep 17 00:00:00 2001 From: Ian Kelling Date: Thu, 19 Jan 2017 02:25:39 -0800 Subject: [PATCH] better documentation --- newns | 30 ++++++++++++++++++++---------- 1 file changed, 20 insertions(+), 10 deletions(-) diff --git a/newns b/newns index aff500b..31f1b52 100755 --- a/newns +++ b/newns 
@@ -43,30 +43,40 @@ Setup new or systemd created network namespace with nat and mount namespace -c, --create Create network namespace. For running outside systemd private net. -h, --help Show this help and exit. -From within systemd network namespace, nat it to the outside. If given +From within systemd network namespace, nat it to the outside. If given -c, or if in the default network namespace, create a named network namepace natted to the current netns. +Uses /24 network, finding the first locally unused one starting at +10.173.0. + Also create a named mount namespace under /root/mount_namespaces, so we can alter some system config for this namespace. Subsequent systemd command lines would be prefixed with: /usr/bin/nsenter --mount=/root/mount_namespaces/NETNS_NAME +Note, this means that they can't run as unpriveledged users, but once +systemd 233 comes out, it will have a bind mount option from within unit +files, so the mount namespace won't be needed for most use cases, and I +will update the script to that the mount namespace not created unless a +flag is passed in. Patch welcome to add that flag before then. -"ip netns new ..." also does a mount namespace, then bind mounts each -thing in /etc/netns/NETNS_NAME to /etc/NETNS_NAME. Note, for openvpn having it's own -resolv.conf, this doesn't help much. What we actually want to do is copy -/run/resolvconf somehwere, then bind mount it on top of /run/resolvconf. - -Once systemd 233 comes out, it will have a bind mount option from within -unit files, so the mount namespace won't be needed for this use case. - -Recommmended dependency of errhandle to print stack trace on error: +A recommmended dependency of this script is my other repo named "errhandle", +which prints stack trace on error, and calls a cleanup function: https://iankelling.org/git/?p=errhandle, set ERRHANDLE_PATH, or put it in a directory adjacent to the absolute, resolved directory this file is in. +Background: "ip netns new ..." 
also does a mount namespace, then bind +mounts each file/dir in /etc/netns/NETNS_NAME to /etc/NETNS_NAME. Note, +for openvpn having it's own resolv.conf by using it's user script which +calls resolvconf, this doesn't help much. What we actually want to do is +copy /run/resolvconf somehwere then bind mount it on top of +/run/resolvconf. + +Please email me if you have a patches, bugs, feedback, or republish this +somewhere else: Ian Kelling . EOF exit ${1:-0} } -- 2.30.2
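Review bot: the added help text has spelling and grammar slips that will ship to every user who runs `--help`, so they should be fixed in this documentation-only patch: "unpriveledged" (unprivileged), "recommmended" (recommended), "somehwere" (somewhere), "it's own" twice (its own), "you have a patches" (you have patches), and "I will update the script to that the mount namespace not created" is missing "so" and "is" ("so that the mount namespace is not created"). The retained context line "create a named network namepace natted to the current netns" carries the same kind of typo ("namespace") and could be folded in while the surrounding text is being reworded. Two places would also benefit from one more sentence each: "Note, this means that they can't run as unpriveledged users" states the restriction without saying where it comes from (the privilege that `nsenter --mount=...` requires), and "Uses /24 network, finding the first locally unused one starting at 10.173.0." does not say what "locally unused" is checked against, which is what a user needs to know to avoid a collision with an existing route or VPN range.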