even better documentation
author
Ian Kelling
<ian@iankelling.org>
Thu, 19 Jan 2017 10:30:46 +0000
(
02:30
-0800)
committer
Ian Kelling
<ian@iankelling.org>
Thu, 19 Jan 2017 10:30:46 +0000
(
02:30
-0800)
diff --git
a/newns
b/newns
index 31f1b528c80bdab325c17631adf5c6245c745895..d6a1b08eb6bc7805cb5d3fadcc7f50b591b29ef2 100755
(executable)
--- a/
newns
+++ b/
newns
@@
-37,7
+37,7
@@
fi
usage() {
cat <<EOF
usage() {
cat <<EOF
-usage: ${0##*/} [OPTS] start|stop N
ETN
S_NAME
+usage: ${0##*/} [OPTS] start|stop NS_NAME
Setup new or systemd created network namespace with nat and mount namespace
-c, --create Create network namespace. For running outside systemd private net.
Setup new or systemd created network namespace with nat and mount namespace
-c, --create Create network namespace. For running outside systemd private net.
@@
-54,7
+54,7
@@
Also create a named mount namespace under /root/mount_namespaces, so we
can alter some system config for this namespace. Subsequent systemd
command lines would be prefixed with:
can alter some system config for this namespace. Subsequent systemd
command lines would be prefixed with:
-/usr/bin/nsenter --mount=/root/mount_namespaces/N
ETN
S_NAME
+/usr/bin/nsenter --mount=/root/mount_namespaces/NS_NAME
Note, this means that they can't run as unpriveledged users, but once
systemd 233 comes out, it will have a bind mount option from within unit
Note, this means that they can't run as unpriveledged users, but once
systemd 233 comes out, it will have a bind mount option from within unit
@@
-69,7
+69,7
@@
in a directory adjacent to the absolute, resolved directory this file is
in.
Background: "ip netns new ..." also does a mount namespace, then bind
in.
Background: "ip netns new ..." also does a mount namespace, then bind
-mounts each file/dir in /etc/netns/N
ETNS_NAME to /etc/NET
NS_NAME. Note,
+mounts each file/dir in /etc/netns/N
S_NAME to /etc/
NS_NAME. Note,
for openvpn having it's own resolv.conf by using it's user script which
calls resolvconf, this doesn't help much. What we actually want to do is
copy /run/resolvconf somehwere then bind mount it on top of
for openvpn having it's own resolv.conf by using it's user script which
calls resolvconf, this doesn't help much. What we actually want to do is
copy /run/resolvconf somehwere then bind mount it on top of
@@
-82,7
+82,7
@@
EOF
}
}
-##
begin arg parsing
##
+##
## begin arg parsing ##
##
create=false
temp=$(getopt -l help,create hc "$@") || usage 1
eval set -- "$temp"
create=false
temp=$(getopt -l help,create hc "$@") || usage 1
eval set -- "$temp"
@@
-99,11
+99,10
@@
if (( $# != 2 )); then
fi
action=$1
fi
action=$1
-nn=$2 # network namespace / namespace name
-## end arg parsing ##
-
-## begin sanity checking ##
+nn=$2 # namespace name
+#### end arg parsing ####
+#### begin sanity checking ####
install_error=false
if ! type -p ip &>/dev/null; then
echo "please install the iproute2 package"
install_error=false
if ! type -p ip &>/dev/null; then
echo "please install the iproute2 package"
@@
-116,8
+115,7
@@
fi
if $install_error; then
exit 1
fi
if $install_error; then
exit 1
fi
-
-## end sanity checking ##
+#### end sanity checking ####
v0=veth0-$nn
v0=veth0-$nn
@@
-128,10
+126,10
@@
if ! $create && [[ $(readlink /proc/self/ns/net) == "$(readlink /proc/1/ns/net)"
create=true
fi
create=true
fi
+# make the default network namespace be named
target=/run/netns/default
if [[ ! -e $target && ! -L $target ]]; then
mkdir -p /run/netns
target=/run/netns/default
if [[ ! -e $target && ! -L $target ]]; then
mkdir -p /run/netns
- # make the default network namespace be named
ln -s /proc/1/ns/net $target
fi
ln -s /proc/1/ns/net $target
fi
@@
-146,7
+144,7
@@
fi
dexec() { ip netns exec default "$@"; }
dexec() { ip netns exec default "$@"; }
-# head -n1 is defensive. Not sure if there is some weird feature
+#
background:
head -n1 is defensive. Not sure if there is some weird feature
# for 2 routes to be 0/0.
gateway_if=$(ipd route list exact 0/0 | head -n1| sed -r 's/.*\s(\S+)\s*$/\1/')
nat() { dexec iptables -t nat $1 POSTROUTING -o $gateway_if -j MASQUERADE \
# for 2 routes to be 0/0.
gateway_if=$(ipd route list exact 0/0 | head -n1| sed -r 's/.*\s(\S+)\s*$/\1/')
nat() { dexec iptables -t nat $1 POSTROUTING -o $gateway_if -j MASQUERADE \
@@
-168,13
+166,13
@@
find_network() {
}
start() {
}
start() {
-
find_network
if ! $found; then
echo "$0: error: no open network found"
exit 1
fi
find_network
if ! $found; then
echo "$0: error: no open network found"
exit 1
fi
+ #### begin mount namespace setup ####
mkdir -p /root/mount_namespaces
if ! mountpoint /root/mount_namespaces >/dev/null; then
mount --bind /root/mount_namespaces /root/mount_namespaces
mkdir -p /root/mount_namespaces
if ! mountpoint /root/mount_namespaces >/dev/null; then
mount --bind /root/mount_namespaces /root/mount_namespaces
@@
-186,6
+184,7
@@
start() {
if ! mountpoint /root/mount_namespaces/$nn >/dev/null; then
unshare --mount=/root/mount_namespaces/$nn
fi
if ! mountpoint /root/mount_namespaces/$nn >/dev/null; then
unshare --mount=/root/mount_namespaces/$nn
fi
+ #### end mount namespace setup ####
if $create; then
if $create; then
@@
-193,8
+192,6
@@
start() {
ip -n $nn link set dev lo up
fi
ip -n $nn link set dev lo up
fi
-
-
echo 1 | dexec dd of=/proc/sys/net/ipv4/ip_forward 2>/dev/null
_errcatch_cleanup=stop
echo 1 | dexec dd of=/proc/sys/net/ipv4/ip_forward 2>/dev/null
_errcatch_cleanup=stop