delete the mount namespace on stop

[newns] / newns

#!/bin/bash
# Copyright (C) 2017 Ian Kelling

# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at

#     http://www.apache.org/licenses/LICENSE-2.0

# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.


[[ $EUID == 0 ]] || exec sudo -E "$BASH_SOURCE" "$@"

if [[ ! $ERRHANDLE_PATH ]]; then
    ERRHANDLE_PATH=$(readlink -f "${BASH_SOURCE}")
    ERRHANDLE_PATH=$(readlink -f ${ERRHANDLE_PATH%/*}/../errhandle)
fi
err_sourced=true
for p in $ERRHANDLE_PATH/{errcatch-function,bash-trace-function}; do
    if [[ -e $p ]]; then
        source $p
    else
        err_sourced=false
    fi
done
if $err_sourced; then
    errcatch
else
    set -eE -o pipefail
    trap 'echo "$0:$LINENO:error: \"$BASH_COMMAND\" returned $?" >&2' ERR
fi

usage() {
    cat <<EOF
usage: ${0##*/} [OPTS] start|stop NETNS_NAME
Setup new or systemd created network namespace with nat and mount namespace

-c, --create    Create network namespace. For running outside systemd private net.
-h, --help      Show this help and exit.

From within systemd network namespace, nat it to the outside.  If given
-c, or if in the default network namespace, create a named network
namepace natted to the current netns.

Also create a named mount namespace under /root/mount_namespaces, so we
can alter some system config for this namespace. Subsequent systemd
command lines would be prefixed with:

/usr/bin/nsenter --mount=/root/mount_namespaces/NETNS_NAME


"ip netns new ..." also does a mount namespace, then bind mounts each
thing in /etc/netns/NETNS_NAME to /etc/NETNS_NAME. Note, for openvpn having it's own
resolv.conf, this doesn't help much. What we actually want to do is copy
/run/resolvconf somehwere, then bind mount it on top of /run/resolvconf.

Once systemd 233 comes out, it will have a bind mount option from within
unit files, so the mount namespace won't be needed for this use case.

Recommmended dependency of errhandle to print stack trace on error:
https://iankelling.org/git/?p=errhandle, set ERRHANDLE_PATH, or put it
in a directory adjacent to the absolute, resolved directory this file is
in.

EOF
    exit ${1:-0}
}


## begin arg parsing ##
create=false
temp=$(getopt -l help,create hc "$@") || usage 1
eval set -- "$temp"
while true; do
    case $1 in
        -c|--create) create=true; shift ;;
        -h|--help) usage ;;
        --) shift; break ;;
        *) echo "$0: Internal error!" ; exit 1 ;;
    esac
done
if (( $# != 2 )); then
    usage 1
fi

action=$1
nn=$2 # network namespace / namespace name
## end arg parsing ##

## begin sanity checking ##

install_error=false
if ! type -p ip &>/dev/null; then
    echo "please install the iproute2 package"
    install_error=true
fi
if ! type -p iptables &>/dev/null; then
    echo "please install the iptables package"
    install_error=true
fi
if $install_error; then
    exit 1
fi

##   end sanity checking ##


v0=veth0-$nn
v1=veth1-$nn
ip_base=10.173

if ! $create && [[ $(readlink /proc/self/ns/net) == "$(readlink /proc/1/ns/net)" ]]; then
    create=true
fi

target=/run/netns/default
if [[ ! -e $target && ! -L $target ]]; then
    mkdir -p /run/netns
    # make the default network namespace be named
    ln -s /proc/1/ns/net $target
fi


ipd() { ip -n default "$@"; }
if $create; then
    ipnn() { ip -n $nn "$@"; }
else
    # we are already in the network namespace and it's unnamed.
    ipnn() { ip "$@"; }
fi
dexec() { ip netns exec default "$@"; }


# head -n1 is defensive. Not sure if there is some weird feature
# for 2 routes to be 0/0.
gateway_if=$(ipd route list exact 0/0 | head -n1| sed -r 's/.*\s(\S+)\s*$/\1/')
nat() { dexec iptables -t nat $1 POSTROUTING -o $gateway_if -j MASQUERADE \
              -m comment --comment "systemd network namespace nat"; }

find_network() {
    found=false
    existing=false
    ips="$(ipd addr show | awk '$1 == "inet" {print $2}')"
    for ((i=0; i <= 254; i++)); do
        network=$ip_base.$i
        if printf "%s\n" "$ips" | grep "^${network//./\\.}" >/dev/null; then
            existing=true
        else
            found=true
            break
        fi
    done
}

start() {

    find_network
    if ! $found; then
        echo "$0: error: no open network found"
        exit 1
    fi

    mkdir -p /root/mount_namespaces
    if ! mountpoint /root/mount_namespaces >/dev/null; then
        mount --bind /root/mount_namespaces /root/mount_namespaces
        mount --make-private /root/mount_namespaces
    fi
    if [[ ! -e /root/mount_namespaces/$nn ]]; then
        touch /root/mount_namespaces/$nn
    fi
    if ! mountpoint /root/mount_namespaces/$nn >/dev/null; then
        unshare --mount=/root/mount_namespaces/$nn
    fi


    if $create; then
        ip netns add $nn
        ip -n $nn link set dev lo up
    fi



    echo 1 | dexec dd of=/proc/sys/net/ipv4/ip_forward 2>/dev/null

    _errcatch_cleanup=stop
    ipnn link add $v0 type veth peer name $v1
    ipnn link set $v0 netns default
    ipd addr add $network.1/24 dev $v0
    ipd link set $v0 up
    nat -C &>/dev/null || nat -A
    ipnn addr add $network.2/24 dev $v1
    ipnn link set $v1 up
    ipnn route add default via $network.1

}

stop() {
    if ipd link list $v0 &>/dev/null; then
        # this also deletes $v1 and the route we added.
        ipd link del $v0
    fi
    find_network
    if ! $existing; then
        if nat -C &>/dev/null; then nat -D; fi
    fi
    if $create; then
        ip netns del $nn
    fi
    if mountpoint /root/mount_namespaces/$nn >/dev/null; then
        umount /root/mount_namespaces/$nn
    fi
}

case $action in
    start|stop)
        $action
        ;;
    *)
        echo "$0: error: unsupported action"
        exit 1
        ;;
esac