[systemd-devel] Run service in netns w/ interfaces
Ian Pilcher
arequipeno at gmail.com
Fri Jun 1 02:02:24 UTC 2018

I am setting up a fairly complex virtualized network environment, in
order to do some testing. As part of this, I need to run ISC dhcrelay
in a "vrouter" network namespace, into which I have moved a couple of
network interfaces (OVS ports).

I originally tried to do this with a single .service file, using
'ip netns ...' commands to do everything. Unfortunately, it turns out
that this doesn't work on CentOS 7, as it runs afoul of SELinux.

type=AVC msg=audit(1527809769.297:112): avc: denied { execute } for
pid=1439 comm="ip" name="dhcrelay" dev="dm-0" ino=134953194
scontext=system_u:system_r:ifconfig_t:s0
tcontext=system_u:object_r:dhcpd_exec_t:s0 tclass=file

Googling for a solution led me to this:

https://github.com/systemd/systemd/issues/2741#issuecomment-336736214

With some fixups (executable locations & %i/%I), I was able to come up
with a solution, but it requires 3 separate unit files. (I had to add
an additional service to actually move the OVS ports into the network
namespace.)

netns@.service:
---------------
[Unit]
Description=Named network namespace %i
StopWhenUnneeded=true

[Service]
Type=oneshot
RemainAfterExit=yes
# Ask systemd to create a network namespace
PrivateNetwork=yes
# Ask ip netns to create a named network namespace
# (This ensures that things like /var/run/netns are properly setup)
ExecStart=/sbin/ip netns add %i
# Drop the network namespace that ip netns just created
ExecStart=/bin/umount /var/run/netns/%i
# Re-use the same name for the network namespace that systemd put us in
ExecStart=/bin/mount --bind /proc/self/ns/net /var/run/netns/%i
# Clean up the name when we are done with the network namespace
ExecStop=/sbin/ip netns delete %i

osp-provisioning-interfaces.service:
------------------------------------
[Unit]
Requires=netns@osp-provisioning.service
After=netns@osp-provisioning.service

[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/usr/sbin/ip link set ovs1.19 netns osp-provisioning
ExecStart=/usr/sbin/ip link set ovs2.19 netns osp-provisioning

osp-provisioning-router.service:
--------------------------------
[Unit]
Description=vRouter and DHCP relay for OSP provisioning network
Wants=network-online.target
After=network-online.target
Requires=netns@osp-provisioning.service
After=netns@osp-provisioning.service
JoinsNamespaceOf=netns@osp-provisioning.service
Requires=osp-provisioning-interfaces.service
After=osp-provisioning-interfaces.service

[Service]
Type=simple
PrivateNetwork=yes
ExecStartPre=/usr/sbin/ifconfig ovs1.19 192.168.19.254/24
ExecStartPre=/usr/sbin/ifconfig ovs2.19 192.168.119.254/24
ExecStartPre=/usr/bin/bash -c 'echo 1 > /proc/sys/net/ipv4/ip_forward'
ExecStart=/usr/sbin/dhcrelay -d -i ovs2.19 192.168.19.1 192.168.19.101

[Install]
WantedBy=multi-user.target

Needless to say, this doesn't exactly feel elegant or efficient. Is
there a better way?

--
========================================================================
Ian Pilcher arequipeno at gmail.com
-------- "I grew up before Mark Zuckerberg invented friendship" --------
========================================================================
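Added example, not part of the original post: the router unit above only ends up inside the named namespace because it sets both JoinsNamespaceOf= and PrivateNetwork=yes; systemd ignores JoinsNamespaceOf= for the network namespace when PrivateNetwork= is left off, and the daemon then silently runs in the host namespace. The small POSIX sh linter below checks a unit file for that pairing; the sample unit files it writes are constructed for the demo, and unit_get, check_join_unit and write_samples are names chosen here.

```shell
#!/bin/sh
# Added example, not from the original post: lint a unit that relies on
# JoinsNamespaceOf=. The setting is only honoured for the network namespace
# when the joining unit itself sets PrivateNetwork=yes.

# Print the value of key $2 in section [$1] of unit file $3 (last
# assignment wins, as in systemd); prints nothing if the key is unset.
unit_get() {
    awk -v sec="[$1]" -v key="$2" '
        /^\[/ { insec = ($0 == sec); next }
        insec && index($0, key "=") == 1 { val = substr($0, length(key) + 2) }
        END { print val }
    ' "$3"
}

# Exit 0 and name the joined unit if the file is consistent, exit 1 if it
# sets JoinsNamespaceOf= without PrivateNetwork=yes.
check_join_unit() {
    join=$(unit_get Unit JoinsNamespaceOf "$1")
    priv=$(unit_get Service PrivateNetwork "$1")
    if [ -z "$join" ]; then
        echo "$1: no JoinsNamespaceOf=, nothing to check"
        return 0
    fi
    case "$priv" in
        yes|true|on|1) echo "$1 joins network namespace of $join"; return 0 ;;
    esac
    echo "$1: JoinsNamespaceOf=$join but PrivateNetwork is '${priv:-unset}'" >&2
    return 1
}

# Constructed sample units for the demo: one shaped like the post's router
# unit, one with PrivateNetwork= left out. Written into directory $1.
write_samples() {
    cat > "$1/good.service" <<'EOF'
[Unit]
JoinsNamespaceOf=netns@osp-provisioning.service
[Service]
PrivateNetwork=yes
ExecStart=/usr/sbin/dhcrelay -d -i ovs2.19 192.168.19.1 192.168.19.101
EOF
    cat > "$1/bad.service" <<'EOF'
[Unit]
JoinsNamespaceOf=netns@osp-provisioning.service
[Service]
ExecStart=/usr/sbin/dhcrelay -d -i ovs2.19 192.168.19.1 192.168.19.101
EOF
}
```

To try it, source the file, run `write_samples "$(mktemp -d)"` and pass each generated unit to `check_join_unit`; the bad.service case returns 1 and reports the missing PrivateNetwork=.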