[systemd-devel] .socket in a network namespace

Alex Polvi alex at polvi.net
Fri Jan 24 10:37:05 PST 2014


On Fri, Jan 24, 2014 at 2:02 AM, Lennart Poettering
<lennart at poettering.net> wrote:
> On Thu, 23.01.14 11:27, David Timothy Strauss (david at davidstrauss.net) wrote:
>
>>
>> Has anyone looked at using socketat() for this? It's unclear whether
>> that syscall actually exists in any supported form; it's certainly not
>> documented.
>>
>> [1] http://lwn.net/Articles/407495/
>
> I don't think this has ever been merged.

We implemented socketat() in Go in our go-namespaces library:

https://github.com/coreos/go-namespaces/blob/master/net/net.go#L12

As for the rest of this feature, one other consideration is that we
would need the network namespace to be created and the related
.sockets to be bound to that namespace, before the process is
executed. We've prototyped this with iproute2 and nspawn, because
iproute2 has a clever little hack to be able to persist a network
namespace using a bind mount, even if the original clone()'d process
has exited.

Check out the "ip netns" stuff on this blog post:

https://coreos.com/blog/jumpers-and-the-software-defined-localhost/

And, just for reference, here is the iproute2 code for creating
network namespaces:

https://git.kernel.org/cgit/linux/kernel/git/shemminger/iproute2.git/tree/ip/ipnetns.c#n386

-Alex

