-
Notifications
You must be signed in to change notification settings - Fork 6
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
/etc/netns/<namespace-name> are not actually used #9
Comments
Maybe we can do something with
That at least avoids needing (This does require knowing what in |
All that said, I've been setting up a new server, and I'm considering dropping this configuration for something built around wg-netns. It even provides a templated systemd service to build namespaces — sort of what I was trying to describe in this comment. I think this would simplify a lot of things. For instance, we could potentially implement onion routing using something like the following systemd units (assuming wg-netns configurations for vpn1, vpn2, and vpn3 exist):
|
I definitely think Only issue is that the drop ins would also be required to retain the list of bind mounts, which somewhat gets us back to where we were. And that aside On the other hand though I don't think we need the general case anyway most likely. About the idea with wg-netns, if that works the way you describe that would definitely be much neater in general. Internally it uses For now I'm running my current setup pretty happily, I might take a look at this again in a few weeks though. |
I'm glad you've got something that's working for you. 👍 |
After trying a few different approaches I found a setup I like, which as it turns out uses exactly the settings you discussed in this thread, wg-netns, NetworkNamespacePath, and a bind mount. I wrote up my set up at https://github.com/existentialtype/deluge-namespaced-wireguard in case you find it helpful. I'm also using systemd-socket-proxyd instead of either veth tunnel or socat forwarder. |
I've been working on something similar(integrated solution for deploying all this into a flatcar VM via Ansible), just using rootless podman to deploy the services which plays much more nicely than docker with custom namespaces. I wasn't familiar with the systemd-socket-proxy, I've been NATting stuff that needs to go into the namespace with veth tunnels and iptables. This is probably a simpler option, even if it requires an additional process. |
Exactly. I think systemd-socket-proxyd is a good balance between simplicity and runtime processes. The veth tunnel has the cleanest runtime with no extra processes, but is more complicated to set up than the other two approaches. On the other side, socat is probably the easiest to set up, but when connections are open it runs at least two processes, one in the root namespace and one in the protected namespace. And since it uses a forking model it can spawn even more processes if there are multiple connections. systemd-socket-proxyd is in the middle. It runs at most 1 process, in the protected namespace, since systemd itself takes of the socket in the root namespace. And since it uses an event worker model, it runs the single process for up to hundreds of connections. And with socket activation and idle termination it only runs the process if there are active connections. But it does require two systemd unit files to set up. |
Well, this is sort of a critical bug that leads to failures of DNS resolution(luckily due to the isolated nature of namespaces, it does not actually leak anything).
So basically, it turns out that "nsswitch.conf" and "resolv.conf" are only really used by iproute2's ip-netns, but aren't actually all that directly connected to the namespace itself. Instead ip-netns manually creates a mount namespace and mounts the files there, see here. That means when only joining the namespace of an existing systemd process, these rules are not honored.
Now, it would be possible to emulate this behavior by creating a mount namespace for ip-netns where correct mounts are applied. However the issue is that JoinsNamespaceOf explicitly does not support mount namespaces.
So basically that leaves only one option: Drop the systemd "JoinsNamespaceOf" entirely and just revert back to using simple ip netns exec. Given that DNS resolution breaks horribly without this, I would consider this necessary. This also allows getting rid of some of the less pretty hacks with remounting the network namespace.
The text was updated successfully, but these errors were encountered: