# limitations under the License.
-# Create a network namespace. Designed for use from systemd.
-
[[ $EUID == 0 ]] || exec sudo -E "$BASH_SOURCE" "$@"
-cd "${BASH_SOURCE%/*}"
-source ../errhandle/errcatch-function
-source ../errhandle/bash-trace-function
-errcatch
+if [[ ! $ERRHANDLE_PATH ]]; then
+ ERRHANDLE_PATH=$(readlink -f "${BASH_SOURCE}")
+ ERRHANDLE_PATH=$(readlink -f ${ERRHANDLE_PATH%/*}/../errhandle)
+fi
+err_sourced=true
+for p in $ERRHANDLE_PATH/{errcatch-function,bash-trace-function}; do
+ if [[ -e $p ]]; then
+ source $p
+ else
+ err_sourced=false
+ fi
+done
+if $err_sourced; then
+ errcatch
+else
+ set -eE -o pipefail
+ trap 'echo "$0:$LINENO:error: \"$BASH_COMMAND\" returned $?" >&2' ERR
+fi
+usage() {
+ cat <<EOF
+usage: ${0##*/} [OPTS] start|stop NS_NAME
+Nat a network namespace. create a mount ns. systemd friendly
+
+-c, --create Create a named network namespace. When running from
+ the same network namespace as pid 1, this is set automatically.
+ This is the case when running outside a systemd created
+ private network.
+-n NETWORK x.x.x /24 private network to use. If not specified, uses
+ the first one starting at 10.173.1
+-h, --help Show this help and exit.
+
+From within a systemd network namespace, nat it to the outside. This
+would be called from ExecStartPre, and or subsequent units called with
+JoinsNamespaceOf= and PrivateNetwork=true.
+
+Also create a named mount namespace under /root/mount_namespaces, so we
+can alter some system config for this namespace. Subsequent systemd
+command lines would be prefixed with:
+
+/usr/bin/nsenter --mount=/root/mount_namespaces/NS_NAME
+
+Note, this means that they can't run as unpriveledged users, but once
+systemd 233 comes out, it will have a bind mount option from within unit
+files, so the mount namespace won't be needed for most use cases, and I
+will update the script to that the mount namespace not created unless a
+flag is passed in. Patch welcome to add that flag before then.
+
+A recommmended dependency of this script is my other repo named "errhandle",
+which prints stack trace on error, and calls a cleanup function:
+https://iankelling.org/git/?p=errhandle, set ERRHANDLE_PATH, or put it
+in a directory adjacent to the absolute, resolved directory this file is
+in.
+
+Background:
+
+This script does not make the namespace be named like ip does, because
+the naming is not necessary, although it could have been done with some
+more work. For debugging and joining the namespace with a bash shell, I
+use nsenter -n -m -t \$(pgrep PROCESS_IN_NAMESPACE) bash. Note: if I
+knew how to easily ask systemd what pid a unit has, i would do that.
+
+"ip netns new ..." also does a mount namespace, then bind
+mounts each file/dir in /etc/netns/NS_NAME to /etc/NS_NAME. Note,
+for openvpn having it's own resolv.conf by using it's user script which
+calls resolvconf, this doesn't help much. What we actually want to do is
+copy /run/resolvconf somehwere then bind mount it on top of
+/run/resolvconf.
+
+Please email me if you have a patches, bugs, feedback, or republish this
+somewhere else: Ian Kelling <ian@iankelling.org>.
+EOF
+ exit ${1:-0}
+}
-## begin arg parsing ##
-action=$1
-nn=$2 # network namespace / namespace name
-## end arg parsing ##
-## begin sanity checking ##
+#### begin arg parsing ####
+create=false
+temp=$(getopt -l help,create hcn: "$@") || usage 1
+eval set -- "$temp"
+while true; do
+ case $1 in
+ -c|--create) create=true; shift ;;
+ -n) network=$2; shift 2 ;;
+ -h|--help) usage ;;
+ --) shift; break ;;
+ *) echo "$0: Internal error!" ; exit 1 ;;
+ esac
+done
+if (( $# != 2 )); then
+ usage 1
+fi
+action=$1
+nn=$2 # namespace name
+#### end arg parsing ####
+
+#### begin sanity checking ####
install_error=false
if ! type -p ip &>/dev/null; then
echo "please install the iproute2 package"
if $install_error; then
exit 1
fi
-
-## end sanity checking ##
+#### end sanity checking ####
v0=veth0-$nn
v1=veth1-$nn
ip_base=10.173
+if ! $create && [[ $(readlink /proc/self/ns/net) == "$(readlink /proc/1/ns/net)" ]]; then
+ create=true
+fi
+# make the default network namespace be named
target=/run/netns/default
if [[ ! -e $target && ! -L $target ]]; then
mkdir -p /run/netns
- # make the default network namespace be named
ln -s /proc/1/ns/net $target
fi
ipd() { ip -n default "$@"; }
+if $create; then
+ ipnn() { ip -n $nn "$@"; }
+else
+ # we are already in the network namespace and it's unnamed.
+ ipnn() { ip "$@"; }
+fi
dexec() { ip netns exec default "$@"; }
-# note: this script could be easily adapted to create a
-# netns instead of using the systemd created one.
-# ip netns add NAME
-# ip -n NAME link set dev lo up
-
-# random note, ip netns exec creates a mount namespace and
-# remaps /etc to /etc/netns/NAME.
-# head -n1 is defensive. I don't know if it's possible to have more
-# than one default route.
-gateway_if=$(ipd route list exact 0/0 | head -n1| sed -r 's/.*\s(\S+)\s*$/\1/')
+# background: head -n1 is defensive. Not sure if there is some weird feature
+# for 2 routes to be 0/0.
+gateway_if=$(ipd route list exact 0/0 | head -n1| sed -r 's/.*dev\s+(\S+).*/\1/')
nat() { dexec iptables -t nat $1 POSTROUTING -o $gateway_if -j MASQUERADE \
-m comment --comment "systemd network namespace nat"; }
find_network() {
+ if [[ $network ]]; then
+ return
+ fi
found=false
existing=false
ips="$(ipd addr show | awk '$1 == "inet" {print $2}')"
- for ((i=0; i <= 254; i++)); do
+ for ((i=1; i <= 254; i++)); do
network=$ip_base.$i
- if printf "%s\n" "$ips" | grep "^${network//./\\.}"; then
+ if printf "%s\n" "$ips" | grep "^${network//./\\.}" >/dev/null; then
existing=true
else
found=true
}
start() {
+ find_network
+ if ! $found; then
+ echo "$0: error: no open network found"
+ exit 1
+ fi
+ #### begin mount namespace setup ####
mkdir -p /root/mount_namespaces
if ! mountpoint /root/mount_namespaces >/dev/null; then
mount --bind /root/mount_namespaces /root/mount_namespaces
- mount --make-private /root/mount_namespaces
fi
+ # note: This is outside the mount condition because I've mysteriously
+ # had this become shared instead of private, perhaps it
+ # got remounted somehow and lost the setting.
+ mount --make-private /root/mount_namespaces
if [[ ! -e /root/mount_namespaces/$nn ]]; then
touch /root/mount_namespaces/$nn
fi
if ! mountpoint /root/mount_namespaces/$nn >/dev/null; then
- unshare --mount=/root/mount_namespaces/$nn
+ # documentation on propagation is a bit weird because it
+ # confusingly talks about binds, namespaces, and mirrors (which
+ # seems to be just another name for bind), shared subtrees
+ # (which seems to a term for binds and namespaces), and does not
+ # properly specify whether the documentation applies to binds,
+ # namespaces, or both. Notably, propagation for binds is marked
+ # on the original mount point, and propagation for a mount
+ # namespace is marked on mounts within the namespace. Here, we
+ # specify that we want mount changes propagated to us, but not
+ # back.
+ unshare --propagation slave --mount=/root/mount_namespaces/$nn
fi
+ #### end mount namespace setup ####
-
- find_network
- if ! $found; then
- echo "$0: error: no open network found"
- exit 1
+ if $create; then
+ ip netns add $nn
+ ip -n $nn link set dev lo up
fi
echo 1 | dexec dd of=/proc/sys/net/ipv4/ip_forward 2>/dev/null
_errcatch_cleanup=stop
- ip link add $v0 type veth peer name $v1
- ip link set $v0 netns default
+ ipnn link add $v0 type veth peer name $v1
+ ipnn link set $v0 netns default
ipd addr add $network.1/24 dev $v0
ipd link set $v0 up
nat -C &>/dev/null || nat -A
- ip addr add $network.2/24 dev $v1
- ip link set $v1 up
- ip route add default via $network.1
+ ipnn addr add $network.2/24 dev $v1
+ ipnn link set $v1 up
+ ipnn route add default via $network.1
}
if ! $existing; then
if nat -C &>/dev/null; then nat -D; fi
fi
+ if $create; then
+ ip netns del $nn
+ fi
+ if mountpoint /root/mount_namespaces/$nn >/dev/null; then
+ umount /root/mount_namespaces/$nn
+ fi
}
case $action in
iankelling.org / git / newns / blobdiff