[systemd-devel] .socket in a network namespace

[Alex Polvi]

On Sat, Jan 18, 2014 at 7:45 AM, Peeters Simon <peeters.simon at gmail.com> wrote:
> 2014/1/18 Alex Polvi <alex at polvi.net>:
>> Hello,
>>
>> Is there a way to have a .socket bind in a particular network
>> namespace? The use case is to have a container with isolated
>> networking be able to start a service, or tunnel to a remote service,
>> that exists outside the containers namespace.
>>
>> Thank you for any leads. I could not find anything related to this in
>> the documentation.
>>
>> Regards,
>>
>> -Alex
>
> just wondering, does "JoinsNamespaceOf=" work for this?
> If it doesn't can it be extended to support this situation?

Just tried it out, and it appears that it does not work for sockets.

$ cat test.service
[Service]
ExecStart=/usr/bin/sleep 30000
PrivateNetwork=true

$ cat join.service
[Service]
ExecStart=/usr/bin/sleep 3000

$ cat join.socket
[Unit]
JoinsNamespaceOf=test.service

[Socket]
ListenStream=8080

$ systemctl status join.socket
join.socket
   Loaded: loaded (/run/systemd/system/join.socket; static)
   Active: active (listening) since Sat 2014-01-18 19:10:58 UTC; 1min 46s ago
   Listen: [::]:8080 (Stream)

Jan 18 19:10:58 localhost systemd[1]: Starting join.socket.
Jan 18 19:10:58 localhost systemd[1]: Listening on join.socket.

$ systemctl status test.service
test.service
   Loaded: loaded (/run/systemd/system/test.service; static)
   Active: active (running) since Sat 2014-01-18 19:07:45 UTC; 5min ago
 Main PID: 567 (sleep)
   CGroup: /system.slice/test.service
           └─567 /usr/bin/sleep 30000

Jan 18 19:07:45 localhost systemd[1]: Started test.service.

The .socket is still bound on the general namespace

nsenter will join the network namespace of 567 (the sleep process with
PrivateNetworking)
$ sudo nsenter -t 567 -n -- netstat -lnt | grep 8080
$ netstat -lnt | grep 8080
tcp6       0      0 :::8080                 :::*                    LISTEN

The socket is still listening on the host networking.

-Alex