19

With ip netns exec you can execute a command in a custom network namespace - but is there also a way to execute a command in the default namespace?

For example, after executing these two commands:

sudo ip netns add test_ns
sudo ip netns exec test_ns bash

How can the newly created bash execute programs in the default network namespace? There is no ip netns exec default or anything similar as far as I've found.

My scenario is:

I want to run an SSH server in a separate network namespace (to keep the rest of the system unaware of the network connection, as the system is used for network testing), but want to be able to execute programs in the default network namespace via the SSH connection.

What I've found out so far:

Martin

4 Answers

20

I found that you can return to the default network namespace with two simple commands:

ln -s /proc/1/ns/net /var/run/netns/default
ip netns exec default ifconfig -a

This method obviously assumes that you can see processes outside your own namespace through the proc file system. If you are in a separate PID namespace as well, returning to the default namespace is not as simple.

The above commands were tested on Ubuntu 14.04. I don't know if there is anything distribution specific about the approach.

kasperd
  • This is pretty novel! I would recommend actually doing `mount --bind` instead of `ln -s`, as it means the `ip` command can manage it too (ip basically does mount --bind against these namespace files to setup persistent namespaces). – Matthew Ife Sep 10 '14 at 18:58
  • @kasperd you say it's not as simple with a separate PID namespace. Is it actually still possible, though? Can you mention how? – copumpkin Aug 19 '15 at 02:21
  • @copumpkin I haven't tested that. – kasperd Aug 19 '15 at 04:37
  • @MatthewIfe I'm using `Oracle Linux 8.8` and when I execute `mount --bind /proc/1/ns/net /var/run/netns/default` I receive the error: `mount: /var/run/netns/default: el vínculo /proc/1/ns/net falló.` How do you do it? – elysch Jul 07 '23 at 00:05
15

Newer distros/kernels support the nsenter command, which should do what you want, provided you are root when you do it.

Here is an example (Fedora 20).

[root@home ~]# unshare -n /bin/bash
[root@home ~]# ip a l
1: lo: <LOOPBACK> mtu 65536 qdisc noop state DOWN group default 
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
[root@home ~]# ping google.com
ping: unknown host google.com
[root@home ~]# nsenter -t 1 -n -- ping -c 2 google.com
PING google.com (74.125.230.65) 56(84) bytes of data.
64 bytes from lhr14s23-in-f1.1e100.net (74.125.230.65): icmp_seq=1 ttl=56 time=14.2 ms
64 bytes from lhr14s23-in-f1.1e100.net (74.125.230.65): icmp_seq=2 ttl=56 time=15.0 ms

--- google.com ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 14.239/14.621/15.003/0.382 ms
[root@home ~]# nsenter -t 1 -n -- ip a l
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default 
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: p4p1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 10:bf:48:88:50:ee brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.2/24 brd 192.168.1.255 scope global p4p1
       valid_lft forever preferred_lft forever
    inet6 fe80::12bf:48ff:fe88:50ee/64 scope link 
       valid_lft forever preferred_lft forever
[root@home ~]# 

This relies on the setns system call. You need at least a 3.0 kernel and glibc-2.14 for this to work.

RHEL 6.5 provides support for persistent namespaces but not support for moving existing processes into new namespaces.

Matthew Ife
  • This works fine, except for the fact that Ubuntu provides an outdated util-linux package without nsenter. I found detailed build instructions here, however: http://askubuntu.com/questions/439056/why-there-is-no-nsenter-in-util-linux – Martin Sep 15 '14 at 13:50
  • I tried `nsenter -t 1 -n` but it created a new process just as `ip netns exec` and didn't change the namespace of the current process. – Pavel Šimerda Jan 07 '16 at 09:52
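An added example (not code from any answer on this page) that combines the two approaches above: it compares the caller's network namespace with PID 1's before doing anything, prefers nsenter (setns) when it is installed, and otherwise creates the persistent `default` handle with `mount --bind` as suggested in the comments, so that `ip netns exec default` works. The helper names are mine; the script assumes a readable /proc and, for the actual switch, root. One detail worth knowing: `mount --bind` needs an existing target path, which is why the empty file is created before mounting.

```shell
#!/bin/sh
# Added example: run a command in PID 1's network namespace from inside another
# netns. The identity helpers work unprivileged for your own PIDs; entering
# another namespace needs root (CAP_SYS_ADMIN).

# Print the netns identity of a PID, e.g. "net:[4026531840]". Reading another
# user's /proc/<pid>/ns/net needs ptrace access (root), so this may print nothing.
netns_of() {
    readlink "/proc/$1/ns/net" 2>/dev/null
}

# "yes" if two PIDs share a network namespace, "no" otherwise (or if unknown).
same_netns() {
    a=$(netns_of "$1") && b=$(netns_of "$2") && [ -n "$a" ] && [ "$a" = "$b" ] \
        && echo yes || echo no
}

# Run "$@" inside PID 1's netns. Prefers nsenter (setns(2)); falls back to a
# persistent handle that `ip netns exec` understands, bind-mounted rather than
# symlinked so `ip netns` can manage it. mount --bind fails on a missing target,
# hence the empty file is created first.
run_in_default_netns() {
    if [ "$(same_netns self 1)" = yes ]; then
        "$@"                       # already in PID 1's netns, nothing to enter
    elif command -v nsenter >/dev/null 2>&1; then
        nsenter -t 1 -n -- "$@"
    else
        mkdir -p /var/run/netns
        if ! mountpoint -q /var/run/netns/default 2>/dev/null; then
            : > /var/run/netns/default
            mount --bind /proc/1/ns/net /var/run/netns/default || return 1
        fi
        ip netns exec default "$@"
    fi
}

# Demo when invoked with a command (needs root and a non-default netns to be
# interesting):  sudo ip netns exec test_ns sh this_script.sh ip -br link
if [ -n "$1" ]; then
    echo "caller netns: $(netns_of self)"
    echo "PID 1 netns:  $(netns_of 1)"
    run_in_default_netns "$@"
fi
```

Note that, as the comment above observes, nsenter and ip netns exec both start a new process in the target namespace; the calling shell itself stays where it was.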
0
nsenter -n -t <pid of a process running in the default ns>

You can get the pid from doing 'ps aux' or even a top if you wanted.

Personally I always ssh to the main namespace, then I can always get back to the default by typing exit and then re-entering the namespace if required.

Luke A
-1

As mentioned, the root network namespace can be entered by nsenter --net --target=1. But in case you plan to use network-namespace-unaware applications, it's necessary to also switch to the root mount namespace, so it's better to use nsenter --net --mount --target=1.

aver
  • -1, I don't think that the `nsenter --mount` option has anything to do with networking. If I'm mistaken, please clarify. – Sam Watkins Apr 04 '22 at 07:28