On Fri, 17.01.14 17:11, Alex Polvi ([email protected]) wrote:

> Hello,
>
> Is there a way to have a .socket bind in a particular network
> namespace? The use case is to have a container with isolated
> networking be able to start a service, or tunnel to a remote service,
> that exists outside the container's namespace.
>
> Thank you for any leads. I could not find anything related to this in
> the documentation.
This is currently not available, and not easy to do, since for creating
and binding the sockets in the right namespace we'd have to change the
namespace first. Doing this for the whole of PID 1 is however something
I really would hate. So the other option is to fork a tiny process off
that joins the namespace, creates/binds the sockets and passes the fd
back to PID 1 via SCM_RIGHTS. Not pretty, but certainly doable, and we
in fact do something similar in libsystemd-bus in order to be able to
connect to container busses from outside of them, which also requires
doing a namespace transition.

There has been a long-standing TODO list item that could also benefit
from a scheme like this: it has been requested that AF_UNIX sockets
created via .socket units could get a specific UID/GID assigned (i.e.
chown() and chgrp() run on them). This, however, is hard to do from
PID 1, since we cannot allow doing NSS calls from PID 1 for resolving
those names. Such a forked-off mini process that does NSS and joins a
specific namespace could work for this, however. So, when we fix one,
we can certainly fix the other at the same time.

However, both of these issues are not trivial to do, so don't hold your
breath... ;-)

For now I have added this to the TODO list.

Lennart

--
Lennart Poettering, Red Hat
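The scheme sketched above (a forked helper that joins the namespace, binds the socket and hands the fd back with SCM_RIGHTS), as an added illustration that is not code from systemd or from this thread. It calls setns(2) through syscall(), binds a TCP socket on an ephemeral port, and keeps PID 1's side in its own namespace throughout; the ns_path argument (e.g. /proc/<PID>/ns/net) is an assumption, and passing NULL makes the helper stay in the caller's namespace so the fd-passing part can be exercised without privileges.

```c
#define _GNU_SOURCE 1
#include <fcntl.h>
#include <netinet/in.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>
#define CLONE_NEWNET 0x40000000   /* setns(2) flag for a network namespace (<linux/sched.h>) */

/* Child side: join the netns at ns_path (NULL = stay put), bind a listening TCP
 * socket there, and ship the fd back over `chan`. Returns the child's exit code. */
static int bind_in_namespace(const char *ns_path, int chan) {
    if (ns_path) {                       /* assumed to be e.g. "/proc/<PID>/ns/net" */
        int nsfd = open(ns_path, O_RDONLY | O_CLOEXEC);
        if (nsfd < 0 || syscall(SYS_setns, nsfd, CLONE_NEWNET) < 0) return 1;
        close(nsfd);
    }
    int fd = socket(AF_INET, SOCK_STREAM | SOCK_CLOEXEC, 0);
    struct sockaddr_in sa = { .sin_family = AF_INET };   /* INADDR_ANY, ephemeral port */
    if (fd < 0 || bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0 || listen(fd, 1) < 0)
        return 1;
    /* SCM_RIGHTS transfers the open file description itself, not just its number. */
    char dummy = 'S', cbuf[CMSG_SPACE(sizeof fd)];
    struct iovec iov = { &dummy, 1 };
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1, .msg_control = cbuf, .msg_controllen = sizeof cbuf };
    struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
    c->cmsg_level = SOL_SOCKET; c->cmsg_type = SCM_RIGHTS; c->cmsg_len = CMSG_LEN(sizeof fd);
    memcpy(CMSG_DATA(c), &fd, sizeof fd);
    return sendmsg(chan, &msg, 0) == 1 ? 0 : 1;
}

/* "PID 1" side: never changes namespace itself; forks the helper and collects the bound socket. Returns the fd, or -1 on failure. */
int receive_bound_socket(const char *ns_path) {
    int pair[2], fd = -1, status;
    if (socketpair(AF_UNIX, SOCK_STREAM | SOCK_CLOEXEC, 0, pair) < 0) return -1;
    pid_t pid = fork();
    if (pid == 0) { close(pair[0]); _exit(bind_in_namespace(ns_path, pair[1])); }
    close(pair[1]);
    char dummy, cbuf[CMSG_SPACE(sizeof fd)];
    struct iovec iov = { &dummy, 1 };
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1, .msg_control = cbuf, .msg_controllen = sizeof cbuf };
    if (pid > 0 && recvmsg(pair[0], &msg, 0) == 1) {   /* 0 bytes: helper died before sending */
        struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
        if (c && c->cmsg_level == SOL_SOCKET && c->cmsg_type == SCM_RIGHTS)
            memcpy(&fd, CMSG_DATA(c), sizeof fd);
    }
    close(pair[0]); if (pid > 0) waitpid(pid, &status, 0);
    return fd;
}
```

The received descriptor stays bound and listening after the helper exits, which is exactly why PID 1 can keep it without ever having entered the namespace itself.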
