Introduced named network namespace for replayshell #106
Conversation
this allows the creation of a a custom resolv.conf which is independent of the mahimahi host resolv.conf
| snprintf(etc_name, sizeof(etc_name), "/etc/%s", entry->d_name); | ||
|
|
||
| if ( umount( etc_name ) < 0 ) { | ||
| throw runtime_error( string("Unmounting... ") + netns_name + " -> " + etc_name + " failed: " + strerror(errno) + "\n" ); |
There was a problem hiding this comment.
This line causes the compile to fail on g++ 6.2. (Can't throw from a destructor.)
network_namespace.cc: In destructor ‘NetworkNamespace::~NetworkNamespace()’: network_namespace.cc:55:135: error: throw will always call terminate() [-Werror=terminate] . ") + netns_name + " -> " + etc_name + " failed: " + strerror(errno) + "\n" ); ^ network_namespace.cc:55:135: note: in C++11 destructors default to noexcept
| const string netns_dir = NETNS_ETC_DIR + "/" + name_; | ||
| const string resolvconf_path = netns_dir + "/resolv.conf"; | ||
|
|
||
| SystemCall("mkdir", mkdir( netns_dir.c_str() , S_IRWXU | S_IRWXG | S_IROTH | S_IXOTH) ); |
There was a problem hiding this comment.
This fails for me on a default Ubuntu 16.10 installation (there's no NETNS_ETC_DIR, aka /etc/netns, so the mkdir fails). We might need more like a mkdir -p, except how do you safely clean that up at the end of the program?
There was a problem hiding this comment.
For applications that are aware of network namespaces, the convention
is to look for global network configuration files first in
/etc/netns/NAME/ then in /etc/. For example, if you want a different
version of /etc/resolv.conf for a network namespace used to isolate
your vpn you would name it /etc/netns/myvpn/resolv.conf.
http://man7.org/linux/man-pages/man8/ip-netns.8.html
My bad. It isn't there on Ubuntu 16.04 per default as well. I guess i must have created the /etc/netns folder manually during working on an earlier prototype.
However, the way the code works right now i guess it does not matter where the resolv.conf resides as long as we can mount it later. So the question is adopt that naming pattern from the manpage or create a temporary directory?
There was a problem hiding this comment.
I think a tempfile is fine -- as I said on the other thread, I don't know of any "applications that are aware of network namespaces." glibc's resolver doesn't seem to know about this, and that's what most applications use. If we're going to use a bind mount (and a mount namespace) to replace resolv.conf inside the container, then I don't think this convention matters -- we could put it anywhere that can be reliably cleaned up at exit (normal or abnormal).
|
Unfortunately this code doesn't seem to be working as intended. It does create a new "mount" namespace (not just a "network" namespace), and then creates a bind mount over /etc/resolv.conf (or whatever that link points to) with a replacement resolv.conf. But when I run it on Ubuntu 16.10, that replacement resolv.conf is visible systemwide and is not confined to the child of the Also, some of the mounts seem to be lingering around even after program termination (just check I think if we're going to adopt something this dramatic (i.e. changing the mahimahi shells to each create both a "network" namespace and a "mount" namespace so we can rewrite resolv.conf), it would need to:
|
still lacks proper raii cleanup for namespace
|
@keithw Can you check whether the latest commit works for you on a functional level? Then i can start thinking about RAII. I got rid of the named namespace idea and changed the order in which the network namespace and then the bind namespace are created. |
|
It's a lot better in that it's no longer affecting the global namespace, but unfortunately it still doesn't seem to actually work for me on Ubuntu 16.10. The permissions on /run/resolvconf/resolv.conf are: |
|
Changed the permission of the tempfile to 644. |
this allows the creation of a a custom resolv.conf
which is independent of the mahimahi host resolv.conf, fixes #105