I want to launch a process using isolated namespaces for PID, UTS, IPC, and NET. However, inside the process, to set up the networking correctly, the network namespace has to be configured on the host with the veth adapters (so that they appear for the isolated process). So, I have the network set up using ip netns add vnet1. I want to use that network namespace for my process as well as give it PID isolation, etc. I know I can use ip netns exec to execute a process in that namespace, but I also want other namespace isolation. Is there a way to do that with unshare, or do I need to take another approach?
Viewed 914 times
mhaken
1 Answer
When you run ip netns add vnet1, it will create an object at /run/netns, so in this case /run/netns/vnet1 will be created.
Now, when you unshare your program, you can specify the path to an existing namespace. So, maybe like this.
$ ip netns add vnet1
$ ls /run/netns/
vnet1
$ unshare --net=/run/netns/vnet1 --pid --uts --ipc --fork bash
$ ip a
1: lo: <LOOPBACK> mtu 65536 qdisc noop state DOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: sit0@NONE: <NOARP> mtu 1480 qdisc noop state DOWN group default qlen 1000
    link/sit 0.0.0.0 brd 0.0.0.0
You can see that there is only lo and no other interfaces, meaning that our bash process is now in the vnet1 network namespace.
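As an added example that is not part of the answer above or of util-linux, the following C launcher performs the same combination with the raw system calls: it joins the already configured network namespace through setns(2) on its /run/netns file (the mechanism behind ip netns exec and nsenter --net=FILE), then detaches PID, UTS and IPC with unshare(2) and forks, since a new PID namespace only applies to children created after the call. The namespace name, the command run and the hostname set in the child are assumptions; the program needs CAP_SYS_ADMIN, exactly as unshare does. One caveat worth checking in practice: the unshare(1) man page documents --net=FILE as creating a new network namespace and bind-mounting it at FILE as a persistent namespace, so after launching, run ip link inside the child and confirm that the veth interface you created on the host for vnet1 is visible; if only lo shows up, the process is in a fresh namespace rather than the prepared one, and joining with setns as below (or nsenter --net=/run/netns/vnet1) is the way to enter the existing one.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <sched.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Build the path ip-netns uses for a named namespace. Returns 0 on success,
 * -1 (errno set) if the name is empty, too long, or contains '/', which
 * would let a caller escape the /run/netns directory. */
int netns_path(const char *name, char *out, size_t outlen) {
    if (name == NULL || *name == '\0' || strchr(name, '/') != NULL) {
        errno = EINVAL;
        return -1;
    }
    int n = snprintf(out, outlen, "/run/netns/%s", name);
    if (n < 0 || (size_t)n >= outlen) {
        errno = ENAMETOOLONG;
        return -1;
    }
    return 0;
}

/* Join the network namespace pinned at `path`, then give a child fresh PID,
 * UTS and IPC namespaces and exec `argv` in it. Returns the child's exit
 * status, or -1 (errno set) if any step fails before the child is started. */
int run_isolated(const char *path, char *const argv[]) {
    int fd = open(path, O_RDONLY | O_CLOEXEC);
    if (fd < 0)
        return -1; /* namespace file missing: `ip netns add` not run yet */

    /* setns(2) with CLONE_NEWNET enters the existing namespace, the same
     * thing `ip netns exec` does. Requires CAP_SYS_ADMIN. */
    if (setns(fd, CLONE_NEWNET) < 0) {
        int saved = errno;
        close(fd);
        errno = saved;
        return -1;
    }
    close(fd);

    /* Detach the remaining namespaces. CLONE_NEWPID only takes effect for
     * children created after this call, hence the fork below. */
    if (unshare(CLONE_NEWPID | CLONE_NEWUTS | CLONE_NEWIPC) < 0)
        return -1;

    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        /* Child is PID 1 of the new PID namespace. The hostname is an
         * assumed value; it lands only in the new UTS namespace. */
        const char *host = "vnet1-box";
        if (sethostname(host, strlen(host)) < 0)
            perror("sethostname");
        execvp(argv[0], argv);
        perror("execvp");
        _exit(127);
    }

    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(int argc, char *argv[]) {
    if (argc < 3) {
        fprintf(stderr, "usage: %s <netns-name> <cmd> [args...]\n", argv[0]);
        return 2;
    }
    char path[256];
    if (netns_path(argv[1], path, sizeof path) < 0) {
        perror("netns_path");
        return 2;
    }
    int rc = run_isolated(path, &argv[2]);
    if (rc < 0) {
        perror("run_isolated");
        return 1;
    }
    return rc;
}
```

Usage, as root and after ip netns add vnet1 plus the veth setup: `./launcher vnet1 bash`, then `ip link` and `hostname` inside the shell should show the vnet1 interfaces and the assumed hostname, while `echo $$` prints 1. The launcher itself stays in the joined network namespace and the new UTS/IPC namespaces after unshare(2), which is acceptable for a one-shot parent that only waits on the child; a long-lived supervisor would do the namespace changes in the child instead.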
