Date: Tue, 17 May 2011 13:11:48 +0200
From: David Lamparter
To: "Eric W. Biederman"
Cc: Alex Bligh, linux-arch@vger.kernel.org, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, Linux Containers, linux-fsdevel@vger.kernel.org
Subject: Re: [PATCH 0/7] Network namespace manipulation with file descriptors
Message-ID: <20110517111148.GA3762520@jupiter.n2.diac24.net>
References: <3A54AB469A0294933EAC2257@nimrod.local>

On Sat, May 07, 2011 at 07:18:44AM -0700, Eric W. Biederman wrote:
> You can read the process's network namespace by opening
> /proc//ns/net. Unfortunately comparing the network
> namespaces for identity is another matter. You will probably
> be better off simply forcing the routing daemon to start
> in the desired network namespace in its initscript.
>
> For purposes of clarity please have a look at my work in
> progress patch for iproute2. This demonstrates how I expect
> userspace to work in a multi-network namespace world.
> [...]
> Subject: [PATCH] iproute2: Add processless network namespace support.
> [...]
> Configuration specific to a network namespace that
> would ordinarily be stored under /etc/ is stored under
> /etc/netns/.
> For example if the DNS server
> configuration is different for your VPN you would
> create a file /etc/netns/myvpn/resolv.conf.
>
> File descriptors that can be used to manipulate a
> network namespace can be created by opening
> /var/run/netns/.
>
> This adds the following commands to iproute.
>   ip netns add NAME
>   ip netns delete NAME
>   ip netns monitor
>   ip netns list
>   ip netns exec NAME cmd ....
>   ip link set DEV netns NAME

Funny, this is almost exactly what my code does - though you're probably
doing it better and have more features ;)

http://git.spaceboyz.net/equinox/vrf-tools.git/
git://spaceboyz.net/equinox/vrf-tools.git

It currently forks off a daemon to keep the namespace open; attaching is
not possible yet, but opening a socket in a different namespace is.
Most of the actual management (mounting things & co.) I offloaded to some
shell scripts; I use it together with GNU screen (which makes it very nice
to grab one of the namespaces and start/stop/manage/... things).

I also have patches for OpenVPN and pptpd floating around that make it
possible to 'cross' namespace boundaries, i.e. the VPN servers listen in
one namespace and have their devices in another.

-David
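The two things the thread talks about, a namespace handle obtained by opening an entry under /var/run/netns/ and "opening a socket in a different namespace", fit in one small C program. The code below is an added example written for this page; it is neither Eric's iproute2 patch nor David's vrf-tools. It assumes the /var/run/netns/NAME convention from the quoted patch and the setns(2) system call with CLONE_NEWNET (glibc 2.14 or later); the helper names netns_name_ok, netns_open and socket_in_netns are mine. Because NAME becomes a path component, the example refuses names that could leave the directory (empty, ".", "..", anything containing "/"); that check is a hardening choice of this example, not a description of what either project does. Switching namespaces needs CAP_SYS_ADMIN, so the interesting branch only succeeds as root on a host where `ip netns add NAME` has been run.

```c
/* Open a socket inside the network namespace registered as
 * /var/run/netns/NAME, then return to the caller's own namespace.
 * Added example for this thread, not iproute2 or vrf-tools code.
 * Assumes the /var/run/netns/NAME convention and setns(2). */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

#ifndef CLONE_NEWNET
#define CLONE_NEWNET 0x40000000   /* value from <linux/sched.h> */
#endif
int setns(int fd, int nstype);    /* glibc >= 2.14 declares this too */

#define NETNS_RUN_DIR "/var/run/netns"
#define NETNS_NAME_MAX 255

/* NAME is used as a path component, so reject anything that could
 * escape NETNS_RUN_DIR. Returns 1 if the name is acceptable, else 0.
 * (Hardening added in this example; assumption, not project behaviour.) */
int netns_name_ok(const char *name)
{
    if (name == NULL || name[0] == '\0' || strlen(name) > NETNS_NAME_MAX)
        return 0;
    if (strcmp(name, ".") == 0 || strcmp(name, "..") == 0)
        return 0;
    if (strchr(name, '/') != NULL)
        return 0;
    return 1;
}

/* Obtain a handle on the namespace: an fd on /var/run/netns/NAME.
 * Returns the fd, or -1 with errno set (EINVAL for a bad name). */
int netns_open(const char *name)
{
    char path[sizeof(NETNS_RUN_DIR) + 1 + NETNS_NAME_MAX + 1];

    if (!netns_name_ok(name)) {
        errno = EINVAL;
        return -1;
    }
    snprintf(path, sizeof path, NETNS_RUN_DIR "/%s", name);
    return open(path, O_RDONLY | O_CLOEXEC);
}

/* Create a socket that belongs to NAME's network stack without leaving
 * the calling thread in that namespace. Returns the socket fd or -1. */
int socket_in_netns(const char *name, int domain, int type, int protocol)
{
    int target, self, sock, saved;

    target = netns_open(name);
    if (target < 0)
        return -1;

    /* Keep a handle on where we are so we can switch back. */
    self = open("/proc/self/ns/net", O_RDONLY | O_CLOEXEC);
    if (self < 0) {
        saved = errno; close(target); errno = saved;
        return -1;
    }
    /* Needs CAP_SYS_ADMIN; fails with EPERM for an unprivileged caller. */
    if (setns(target, CLONE_NEWNET) < 0) {
        saved = errno; close(target); close(self); errno = saved;
        return -1;
    }

    sock = socket(domain, type, protocol);   /* created in NAME's stack */
    saved = errno;

    /* A socket stays in the namespace it was created in, so returning
     * home is safe; if we cannot get home, hand out nothing. */
    if (setns(self, CLONE_NEWNET) < 0) {
        saved = errno;
        if (sock >= 0) close(sock);
        sock = -1;
    }
    close(target);
    close(self);
    errno = saved;
    return sock;
}

int main(int argc, char **argv)
{
    const char *name = argc > 1 ? argv[1] : "myvpn";
    int s = socket_in_netns(name, AF_INET, SOCK_DGRAM, 0);

    if (s < 0) {
        perror("socket_in_netns");
        return 1;
    }
    printf("UDP socket %d was created in netns %s\n", s, name);
    close(s);
    return 0;
}
```

The design point is the save/switch/create/restore sequence: the namespace handle from /var/run/netns/ is only used to move the calling thread for the duration of one socket() call, and the socket keeps that namespace for its lifetime, which is exactly the "listen in one namespace, devices in another" split David describes for his OpenVPN and pptpd patches.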