[systemd-devel] .socket in a network namespace

Lennart Poettering lennart at poettering.net
Mon Jan 20 04:05:43 PST 2014


On Fri, 17.01.14 17:11, Alex Polvi (alex at polvi.net) wrote:

> Hello,
> 
> Is there a way to have a .socket bind in a particular network
> namespace? The use case is to have a container with isolated
> networking be able to start a service, or tunnel to a remote service,
> that exists outside the container's namespace.
> 
> Thank you for any leads. I could not find anything related to this in
> the documentation.

This is currently not available, and not easy to do, since for creating
and binding the sockets in the right namespace we'd have to change the
namespace first. Doing this for the whole of PID 1 is however something
I really would hate. So the other option is to fork a tiny process off,
that joins the namespace, creates/binds the sockets and passes the fd
back to PID 1 via SCM_RIGHTS. Not pretty, but certainly doable, and we
in fact do something similar in libsystemd-bus in order to be able to
connect to container busses from outside of them, which also requires
doing a namespace transition.

There has been a long-standing TODO list item that could also benefit
from a scheme like this: it has been requested that AF_UNIX sockets
created via .socket units could get a specific UID/GID assigned
(i.e. chown() and chgrp() run on them). This, however, is hard to do
from PID 1, since we cannot allow doing NSS calls from PID 1, for
resolving those names. Such a forked off mini process that does NSS and
joins a specific namespace could work for this however.

So, when we fix one, we can certainly fix the other at the same
time. However, both of these issues are not trivial to do, so don't hold
your breath... ;-)

For now I have added this to the TODO list.

Lennart

-- 
Lennart Poettering, Red Hat
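The scheme in the reply above, as an added example that is not part of the original thread and not systemd's code: a forked helper optionally joins a network namespace with setns(), creates and binds a socket there, and hands the bound descriptor back to the parent over a socketpair with SCM_RIGHTS, so the parent (PID 1 in the systemd case) never changes its own namespace. The function names, the AF_UNIX demo socket and the socket path are this example's own; the namespace join needs CAP_SYS_ADMIN and is skipped when no namespace descriptor is passed, so the roundtrip runs unprivileged.

```c
// Added example (not systemd code): forked helper that joins a netns,
// binds a socket there and passes it back to the parent via SCM_RIGHTS.
#define _GNU_SOURCE
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <sys/un.h>
#include <sys/wait.h>
#ifndef CLONE_NEWNET
#define CLONE_NEWNET 0x40000000  /* from <sched.h>; needs _GNU_SOURCE */
#endif

/* Send one descriptor over a UNIX socket using SCM_RIGHTS. */
static int send_fd(int chan, int fd) {
    char byte = 'F';
    struct iovec iov = { .iov_base = &byte, .iov_len = 1 };
    union { struct cmsghdr hdr; char buf[CMSG_SPACE(sizeof(int))]; } u;
    memset(&u, 0, sizeof u);
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
                          .msg_control = u.buf, .msg_controllen = sizeof u.buf };
    struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
    c->cmsg_level = SOL_SOCKET;
    c->cmsg_type = SCM_RIGHTS;
    c->cmsg_len = CMSG_LEN(sizeof(int));
    memcpy(CMSG_DATA(c), &fd, sizeof(int));
    return sendmsg(chan, &msg, 0) == 1 ? 0 : -1;
}

/* Receive one descriptor sent with send_fd(); returns the new fd or -1.
 * The control message is validated before the fd is trusted. */
static int recv_fd(int chan) {
    char byte;
    struct iovec iov = { .iov_base = &byte, .iov_len = 1 };
    union { struct cmsghdr hdr; char buf[CMSG_SPACE(sizeof(int))]; } u;
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
                          .msg_control = u.buf, .msg_controllen = sizeof u.buf };
    if (recvmsg(chan, &msg, MSG_CMSG_CLOEXEC) != 1) return -1;
    struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
    if (!c || c->cmsg_level != SOL_SOCKET || c->cmsg_type != SCM_RIGHTS ||
        c->cmsg_len != CMSG_LEN(sizeof(int)))
        return -1;
    int fd;
    memcpy(&fd, CMSG_DATA(c), sizeof(int));
    return fd;
}

/* Bind an AF_UNIX stream socket at `path` from a forked helper. If netns_fd
 * is >= 0 the helper enters that network namespace first (CAP_SYS_ADMIN);
 * the caller's own namespace is never touched. Returns the bound fd or -1. */
int bind_unix_in_helper(const char *path, int netns_fd) {
    int pair[2];
    if (socketpair(AF_UNIX, SOCK_STREAM | SOCK_CLOEXEC, 0, pair) < 0) return -1;
    pid_t pid = fork();
    if (pid < 0) { close(pair[0]); close(pair[1]); return -1; }
    if (pid == 0) {  /* helper: namespace transition happens only here */
        close(pair[0]);
        if (netns_fd >= 0 && syscall(SYS_setns, netns_fd, CLONE_NEWNET) < 0) _exit(1);
        struct sockaddr_un sa = { .sun_family = AF_UNIX };
        if (strlen(path) >= sizeof sa.sun_path) _exit(1);
        snprintf(sa.sun_path, sizeof sa.sun_path, "%s", path);
        unlink(path);
        int s = socket(AF_UNIX, SOCK_STREAM, 0);
        if (s < 0 || bind(s, (struct sockaddr *)&sa, sizeof sa) < 0 ||
            send_fd(pair[1], s) < 0)
            _exit(1);
        _exit(0);  /* parent's received copy keeps the socket open */
    }
    close(pair[1]);
    int fd = recv_fd(pair[0]);
    close(pair[0]);
    int status;
    waitpid(pid, &status, 0);
    if (!WIFEXITED(status) || WEXITSTATUS(status) != 0) {
        if (fd >= 0) close(fd);
        return -1;
    }
    return fd;
}

/* Full roundtrip: bind via helper, verify the parent holds a socket bound
 * at `path`, make it a listening socket, clean up. Returns 1 on success. */
int demo_roundtrip(const char *path) {
    int fd = bind_unix_in_helper(path, -1);  /* -1: stay in our own netns */
    if (fd < 0) return 0;
    struct sockaddr_un sa;
    socklen_t len = sizeof sa;
    int ok = getsockname(fd, (struct sockaddr *)&sa, &len) == 0 &&
             sa.sun_family == AF_UNIX && strcmp(sa.sun_path, path) == 0 &&
             listen(fd, 1) == 0;
    close(fd);
    unlink(path);
    return ok;
}

int main(void) {
    /* constructed demo path */
    printf("roundtrip %s\n", demo_roundtrip("/tmp/sd_example_helper.sock") ? "ok" : "failed");
    return 0;
}
```

A real implementation would pass a descriptor opened from /proc/<pid>/ns/net as `netns_fd`; the example keeps the bind, the fd hand-over and the failure propagation (helper exit status checked before the fd is trusted) exactly as the reply describes, without any privilege.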

