[systemd-devel] systemd-nspawn and process spawning using nsenter issue

[Richard Maw]

On Mon, Nov 02, 2015 at 09:27:42AM -0500, Aliaksei Sheshka wrote:
> Hello!
> 
> I have some systemd-nspawn and namespace related question.
> Assume following commands,
> 
> $ systemctl start c7-test #starring our container
> $ systemctl status c7-test #checking if it is running and looking for
> inside /usr/lib/systemd/systemd process
> $ nsenter -t 22333 -n /usr/local/sbin/custom-network-daemon  #starting
> our network daemon located on the host filesystem but withing
> container network namespace
> 
> I have a strong reason doing so, let say one need to modify clock on
> the host machine, while container provides very special routing table
> - it is oversimplification, but somewhat my use case.
> 
> My questions are
> a) Once container c7-test shut down using 'machinectl poweroff
> c7-test' how one can know what some processes are still running
> withing that network context?
> My  /usr/local/sbin/custom-network-daemon is perfectly running after
> c7-tets was shut down, which it obviously expected behavior.
> 
> b) Is there a generic method to list currently active namespaces?
> machinectl does not show as expected, since it's a machine lister and
> machine is not running.
> 'ip netns list' is not listing them either,

This is because `ip netns add` and the rest
work by bind-mounting the network namespace to a file.

Systemd does not do this when creating network namespaces,
since then the namespaces can be bound to the lifetime of the processes,
and you don't need an explicit namespace cleanup step.

However since you entered the namespace manually,
and your process is not in the cgroup of the container,
your network daemon process is neither managed by the nspawn cgroup,
nor any systemd running in the container,
so as far as systemd is concerned, it successfully shut it down.

> is there any other utility
> for that? If not is there a kernel interface to create one?

I don't know of any utilities, but /proc/$pid/ns/net is a symlink pointing
to a magic file that refers to the network namespace.

You could have a tool enumerate all your processes and stat the symlinks,
though it's a privileged operation to view someone else's namespaces
so you'd have to run the following with sudo:

    #!/usr/bin/python
    
    from collections import defaultdict
    from os import listdir, stat
    from os.path import join
    
    namespaces = defaultdict(set)
    
    for fn in listdir('/proc'):
        if all(c.isdigit() for c in fn):
            pid = int(fn)
            ino = stat(join('/proc', fn, 'ns', 'net')).st_ino
            namespaces[ino].add(pid)
    
    print("You have processes in %d namespaces" % len(namespaces))