From 6b15ac48b3f675a208d18bb267b82305eb8c8457 Mon Sep 17 00:00:00 2001
From: Ian Kelling
Date: Thu, 23 May 2019 14:12:33 -0400
Subject: [PATCH] better docs and make err a hard dependency

---
 .gitignore | 1 +
 newns | 59 ++++++++++++++++++++++++++++++------------------------
 2 files changed, 34 insertions(+), 26 deletions(-)
 create mode 100644 .gitignore

diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..02b2e8d
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+/err
\ No newline at end of file
diff --git a/newns b/newns
index ad4c06c..a2d896d 100755
--- a/newns
+++ b/newns
@@ -16,23 +16,19 @@
 [[ $EUID == 0 ]] || exec sudo -E "$BASH_SOURCE" "$@" +tmp="$(readlink -f "${BASH_SOURCE}")"; script_dir="${tmp%/*}" if [[ ! $ERRHANDLE_PATH ]]; then - ERRHANDLE_PATH=$(readlink -f "${BASH_SOURCE}") - ERRHANDLE_PATH=$(readlink -f ${ERRHANDLE_PATH%/*}/../errhandle) + ERRHANDLE_PATH="$script_dir"/../errhandle/err fi -err_sourced=true -for p in $ERRHANDLE_PATH/{errcatch-function,bash-trace-function}; do - if [[ -e $p ]]; then - source $p - else - err_sourced=false - fi -done -if $err_sourced; then - errcatch +if [[ -s $ERRHANDLE_PATH ]]; then + source $ERRHANDLE_PATH else - set -eE -o pipefail - trap 'echo "$0:$LINENO:error: \"$BASH_COMMAND\" returned $?" >&2' ERR + cd "$script_dir" + if ! wget -O err 'https://iankelling.org/git/?p=errhandle;a=blob_plain;f=err;hb=HEAD'; then + echo "$0: failed to get errhandle dependency" >&2 + exit 1 + fi + source err fi usage() { 
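Review bot: The fallback download is never reused: the default ERRHANDLE_PATH is `$script_dir/../errhandle/err`, but `wget -O err` writes to `$script_dir/err`, so every run without an adjacent errhandle checkout fetches `hb=HEAD` again and sources it as root (the script has already re-exec'd under sudo on the first line of the hunk). The `/err` entry in the new .gitignore and the help text in the `@@ -66` hunk both describe a same-directory file, so the check should cover that path; downloading to a temp file and renaming only on success also avoids the empty or partial `err` that a failed transfer can leave behind, and dropping `cd "$script_dir"` keeps the caller's working directory for the rest of the script, which continues outside the hunk. `source $ERRHANDLE_PATH` should be quoted as `source "$ERRHANDLE_PATH"`. Because the URL tracks HEAD rather than a fixed revision, pinning a commit and checking a known hash before sourcing is left as a TODO in the sketch below rather than invented here.
```shell
tmp="$(readlink -f "${BASH_SOURCE}")"; script_dir="${tmp%/*}"
if [[ ! $ERRHANDLE_PATH && -s $script_dir/../errhandle/err ]]; then
    ERRHANDLE_PATH="$script_dir"/../errhandle/err
fi
if [[ ! -s $ERRHANDLE_PATH ]]; then
    # Same-directory copy, matching the /err entry added to .gitignore.
    ERRHANDLE_PATH="$script_dir"/err
    if [[ ! -s $ERRHANDLE_PATH ]]; then
        # Download to a temp file and rename only on success, so a failed
        # transfer cannot leave a partial 'err' that a later run would source.
        # TODO: pin hb=<commit> instead of HEAD and verify a known sha256
        # before sourcing; this runs as root.
        tmp_dl=$(mktemp "$script_dir/err.XXXXXX") || exit 1
        if ! wget -O "$tmp_dl" 'https://iankelling.org/git/?p=errhandle;a=blob_plain;f=err;hb=HEAD'; then
            rm -f -- "$tmp_dl"
            echo "$0: failed to get errhandle dependency" >&2
            exit 1
        fi
        mv -- "$tmp_dl" "$ERRHANDLE_PATH"
    fi
fi
source "$ERRHANDLE_PATH"
# … unchanged: usage() and the rest of the script …
```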
@@ -50,12 +46,22 @@ Also creates a mount namespace with a cloned /run/resolvconf. the first unused one starting at 10.173.1 -h, --help Show this help and exit. -From within a systemd network namespace, nat it to the outside. This +From a normal shell: + +If we do create the netns, to join it with a shell, we can do +/usr/bin/nsenter --mount=/root/mount_namespaces/NAME --net=/var/run/netns/NAME bash + +If you dont care about the mount namespace, you can leave that option off. + + +For systemd: + +From within a systemd network namespace, we nat it to the outside. This would be called from ExecStartPre, and or subsequent units called with JoinsNamespaceOf= and PrivateNetwork=true. -Also create a named mount namespace under /root/mount_namespaces, so we -can alter some system config for this namespace. Subsequent systemd +We also create a named mount namespace under /root/mount_namespaces, so we +can alter some system config for this namespace. systemd command lines would be prefixed with: /usr/bin/nsenter --mount=/root/mount_namespaces/NS_NAME 
@@ -66,13 +72,16 @@ files, so the mount namespace won't be needed for most use cases, and I will update the script to that the mount namespace not created unless a flag is passed in. Patch welcome to add that flag before then. -A recommmended dependency of this script is my other repo named "errhandle", -which prints stack trace on error, and calls a cleanup function: -https://iankelling.org/git/?p=errhandle, set ERRHANDLE_PATH, or put it -in a directory adjacent to the absolute, resolved directory this file is -in. +This script has a dependency which you can download manually or it +will be automatically downloaded into the same directory. +It handles errors by printing stack trace and and cleaning up the namespaces. +To download manually, +git clone https://iankelling.org/git/errhandle +into an adjacent directory, or +export ERRHANDLE_PATH to point to the 'err' file in that repo. + -Background: +Background on this project (you can skip if you like): If we aren't creating a named network namespace, to join the namespace with a shell, I use:
@@ -81,9 +90,6 @@ nsenter -n -m -t \$(pgrep PROCESS_IN_NAMESPACE) bash Note: if I knew how to easily ask systemd what pid a unit has, i would do that. -If we do create the netns, to join it with a shell, we can do -/usr/bin/nsenter --mount=/root/mount_namespaces/NAME --net=/var/run/netns/NAME bash - "ip netns new ..." also does a mount namespace, then bind mounts each file/dir in /etc/netns/NS_NAME to /etc/NS_NAME. Note, for openvpn having it's own resolv.conf by using it's user script which
@@ -91,6 +97,7 @@ calls resolvconf, this doesn't help much. What we actually want to do is copy /run/resolvconf somehwere then bind mount it on top of /run/resolvconf. + Note: for debugging, adding set -x is a pretty good option. Please email me if you have a patches, bugs, feedback, or republish this
-- 
2.30.2