[newns] / newns

#!/bin/bash
# Copyright (C) 2017 Ian Kelling

# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at

#     http://www.apache.org/licenses/LICENSE-2.0

# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.


[[ $EUID == 0 ]] || exec sudo -E "$BASH_SOURCE" "$@"

if [[ ! $ERRHANDLE_PATH ]]; then
    ERRHANDLE_PATH=$(readlink -f "${BASH_SOURCE}")
    ERRHANDLE_PATH=$(readlink -f ${ERRHANDLE_PATH%/*}/../errhandle)
fi
err_sourced=true
for p in $ERRHANDLE_PATH/{errcatch-function,bash-trace-function}; do
    if [[ -e $p ]]; then
        source $p
    else
        err_sourced=false
    fi
done
if $err_sourced; then
    errcatch
else
    set -eE -o pipefail
    trap 'echo "$0:$LINENO:error: \"$BASH_COMMAND\" returned $?" >&2' ERR
fi

usage() {
    cat <<EOF
usage: ${0##*/} [OPTS] start|stop NS_NAME
Setup new or systemd created network namespace with nat and mount namespace

-c, --create    Create network namespace. For running outside systemd private net.
-h, --help      Show this help and exit.

From within a systemd network namespace, nat it to the outside. This
would be called from ExecStartPre, and or subsequent units called with
JoinsNamespaceOf= and PrivateNetwork=true.

If given -c, or if in the default network namespace, create a named
network namepace natted to the current netns.

Uses /24 network, finding the first locally unused one starting at
10.173.0.

Also create a named mount namespace under /root/mount_namespaces, so we
can alter some system config for this namespace. Subsequent systemd
command lines would be prefixed with:

/usr/bin/nsenter --mount=/root/mount_namespaces/NS_NAME

Note, this means that they can't run as unpriveledged users, but once
systemd 233 comes out, it will have a bind mount option from within unit
files, so the mount namespace won't be needed for most use cases, and I
will update the script to that the mount namespace not created unless a
flag is passed in. Patch welcome to add that flag before then.

A recommmended dependency of this script is my other repo named "errhandle",
which prints stack trace on error, and calls a cleanup function:
https://iankelling.org/git/?p=errhandle, set ERRHANDLE_PATH, or put it
in a directory adjacent to the absolute, resolved directory this file is
in.

Background:

This script does not make the namespace be named like ip does, because
the naming is not necessary, although it could have with some more
work. For debugging and joining the namespace with a bash shell, I use
nsenter -n -m -t $(pgrep PROCESS_IN_NAMESPACE).  Note: if I knew how to
easily ask systemd what pid a unit has, i would do that.

"ip netns new ..." also does a mount namespace, then bind
mounts each file/dir in /etc/netns/NS_NAME to /etc/NS_NAME. Note,
for openvpn having it's own resolv.conf by using it's user script which
calls resolvconf, this doesn't help much. What we actually want to do is
copy /run/resolvconf somehwere then bind mount it on top of
/run/resolvconf.

Please email me if you have a patches, bugs, feedback, or republish this
somewhere else: Ian Kelling <ian@iankelling.org>.
EOF
    exit ${1:-0}
}


#### begin arg parsing ####
create=false
temp=$(getopt -l help,create hc "$@") || usage 1
eval set -- "$temp"
while true; do
    case $1 in
        -c|--create) create=true; shift ;;
        -h|--help) usage ;;
        --) shift; break ;;
        *) echo "$0: Internal error!" ; exit 1 ;;
    esac
done
if (( $# != 2 )); then
    usage 1
fi

action=$1
nn=$2 # namespace name
#### end arg parsing ####

#### begin sanity checking ####
install_error=false
if ! type -p ip &>/dev/null; then
    echo "please install the iproute2 package"
    install_error=true
fi
if ! type -p iptables &>/dev/null; then
    echo "please install the iptables package"
    install_error=true
fi
if $install_error; then
    exit 1
fi
####   end sanity checking ####


v0=veth0-$nn
v1=veth1-$nn
ip_base=10.173

if ! $create && [[ $(readlink /proc/self/ns/net) == "$(readlink /proc/1/ns/net)" ]]; then
    create=true
fi

# make the default network namespace be named
target=/run/netns/default
if [[ ! -e $target && ! -L $target ]]; then
    mkdir -p /run/netns
    ln -s /proc/1/ns/net $target
fi


ipd() { ip -n default "$@"; }
if $create; then
    ipnn() { ip -n $nn "$@"; }
else
    # we are already in the network namespace and it's unnamed.
    ipnn() { ip "$@"; }
fi
dexec() { ip netns exec default "$@"; }


# background: head -n1 is defensive. Not sure if there is some weird feature
# for 2 routes to be 0/0.
gateway_if=$(ipd route list exact 0/0 | head -n1| sed -r 's/.*\s(\S+)\s*$/\1/')
nat() { dexec iptables -t nat $1 POSTROUTING -o $gateway_if -j MASQUERADE \
              -m comment --comment "systemd network namespace nat"; }

find_network() {
    found=false
    existing=false
    ips="$(ipd addr show | awk '$1 == "inet" {print $2}')"
    for ((i=0; i <= 254; i++)); do
        network=$ip_base.$i
        if printf "%s\n" "$ips" | grep "^${network//./\\.}" >/dev/null; then
            existing=true
        else
            found=true
            break
        fi
    done
}

start() {
    find_network
    if ! $found; then
        echo "$0: error: no open network found"
        exit 1
    fi

    #### begin mount namespace setup ####
    mkdir -p /root/mount_namespaces
    if ! mountpoint /root/mount_namespaces >/dev/null; then
        mount --bind /root/mount_namespaces /root/mount_namespaces
        mount --make-private /root/mount_namespaces
    fi
    if [[ ! -e /root/mount_namespaces/$nn ]]; then
        touch /root/mount_namespaces/$nn
    fi
    if ! mountpoint /root/mount_namespaces/$nn >/dev/null; then
        unshare --mount=/root/mount_namespaces/$nn
    fi
    ####   end mount namespace setup ####


    if $create; then
        ip netns add $nn
        ip -n $nn link set dev lo up
    fi

    echo 1 | dexec dd of=/proc/sys/net/ipv4/ip_forward 2>/dev/null

    _errcatch_cleanup=stop
    ipnn link add $v0 type veth peer name $v1
    ipnn link set $v0 netns default
    ipd addr add $network.1/24 dev $v0
    ipd link set $v0 up
    nat -C &>/dev/null || nat -A
    ipnn addr add $network.2/24 dev $v1
    ipnn link set $v1 up
    ipnn route add default via $network.1

}

stop() {
    if ipd link list $v0 &>/dev/null; then
        # this also deletes $v1 and the route we added.
        ipd link del $v0
    fi
    find_network
    if ! $existing; then
        if nat -C &>/dev/null; then nat -D; fi
    fi
    if $create; then
        ip netns del $nn
    fi
    if mountpoint /root/mount_namespaces/$nn >/dev/null; then
        umount /root/mount_namespaces/$nn
    fi
}

case $action in
    start|stop)
        $action
        ;;
    *)
        echo "$0: error: unsupported action"
        exit 1
        ;;
esac