[lxc-devel] per-session network namespace question
Wilhelm Meier
wilhelm.meier at fh-kl.de
Thu Oct 29 19:16:33 UTC 2009
Hi,
Daniel Lezcano wrote:
> Wilhelm Meier wrote:
>
> [ ... ]
>>> Be aware the network namespace isolates af_unix socket
>>
>> Does this mean that a process in the new network namespace can't
>> reach/connect a socket that was created in another namespace but is
>> visible in the filesystem? An important example would be the
>> dbus socket in /var/run/dbus for the system dbus instance.
> Yes, that's correct but if you create the socket and connect before
> unsharing the network namespace, you can use the file descriptor in the
> new network namespace without problem, that was taken into account in
> the design.
the af_unix isolation causes some problems ... let me explain: so far
I've hacked a pam module (pam-netns) to set up a new network namespace on
login per user session. This works well with all sorts of logins except
kdm, since the processes kdm forks after the pam stack has executed (that is,
after the unshare()) need to connect to the X server via the socket
/tmp/.X11-unix/X0, which obviously doesn't work anymore.
A solution to this problem could be modifying the kde init scripts to
connect to the local display via tcp (same thing for the system dbus
connection).
But what I don't understand: why are the sockets still visible in the
filesystem after the unshare() even if they belong to another
net namespace? It would be more natural to me to make them invisible in
this case or - and I would prefer that - to exclude them from network
isolation.
So, my question is: can one switch off af_unix isolation?
>> If this is the case, is there a way to circumvent the problem (for
>> dbus: afaik one can create an additional dbus listen address, so it
>> should be possible to set up a tcp listen address on the vethx
>> interface in the root network namespace)?
> Yes, that should work.
>
>
> Thanks
> -- Daniel
--
Wilhelm
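The behaviour Daniel describes (connect first, call unshare() afterwards, and keep using the already-connected file descriptor) can be checked directly. The program below is an added example written for this page; it is not code from the thread, from pam-netns or from the lxc project. It assumes a Linux host, and unshare(CLONE_NEWNET) needs CAP_SYS_ADMIN (or a user namespace), otherwise run_demo() returns DEMO_NO_PRIV. All names in it (unix_listen, unix_connect, round_trip, run_demo, the DEMO_* codes, the socket path under /tmp and the abstract name) are constructed for the example. It also checks both kinds of AF_UNIX address, because the isolation rule has changed since 2009: current kernels let a process connect to a filesystem-path socket that was bound in another network namespace and only scope abstract-namespace names (leading NUL byte) to the namespace, whereas on the kernels discussed here both fresh connects after unshare() would fail.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <sched.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <sys/wait.h>

/* Result codes of run_demo(); the names are constructed for this example. */
#define DEMO_SETUP_FAILED        (-2) /* listener, fork or accept failed */
#define DEMO_NO_PRIV             (-1) /* unshare(CLONE_NEWNET) refused (no CAP_SYS_ADMIN, seccomp, ...) */
#define DEMO_PRECONNECT_OK         1  /* fd connected before unshare() still works afterwards */
#define DEMO_PATH_CONNECT_OK       2  /* fresh connect to a filesystem-path socket worked after unshare() */
#define DEMO_ABSTRACT_CONNECT_OK   4  /* fresh connect to an abstract-namespace socket worked after unshare() */

#define ABSTRACT_NAME "@netns-demo-abstract"   /* constructed name; '@' selects the abstract namespace */

/* Fill a sockaddr_un; a leading '@' becomes the NUL byte of an abstract address. */
static socklen_t fill_addr(struct sockaddr_un *sa, const char *name)
{
    size_t n = strlen(name);
    memset(sa, 0, sizeof *sa);
    sa->sun_family = AF_UNIX;
    if (n >= sizeof sa->sun_path) n = sizeof sa->sun_path - 1;
    memcpy(sa->sun_path, name, n);
    if (name[0] == '@') {
        sa->sun_path[0] = '\0';                       /* abstract: no filesystem entry */
        return (socklen_t)(offsetof(struct sockaddr_un, sun_path) + n);
    }
    return (socklen_t)(offsetof(struct sockaddr_un, sun_path) + n + 1);
}

/* Create a listening stream socket; returns the fd or -1. */
int unix_listen(const char *name)
{
    struct sockaddr_un sa;
    socklen_t len = fill_addr(&sa, name);
    int fd = socket(AF_UNIX, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    if (name[0] != '@') unlink(name);                 /* stale path from an earlier run */
    if (bind(fd, (struct sockaddr *)&sa, len) < 0 || listen(fd, 4) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Connect to a listening socket by name; returns the fd or -1. */
int unix_connect(const char *name)
{
    struct sockaddr_un sa;
    socklen_t len = fill_addr(&sa, name);
    int fd = socket(AF_UNIX, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    if (connect(fd, (struct sockaddr *)&sa, len) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Send one byte on cfd and read it on afd (the accepted peer); 1 if it arrives intact. */
int round_trip(int cfd, int afd)
{
    char out = 'x', in = 0;
    if (write(cfd, &out, 1) != 1) return 0;
    if (read(afd, &in, 1) != 1) return 0;
    return in == out;
}

/* Fork a child that connects, unshares its network namespace, and reports what still works. */
int run_demo(void)
{
    char path[64];
    int lpath, labs, status;
    snprintf(path, sizeof path, "/tmp/netns-demo-%d.sock", (int)getpid()); /* constructed path */
    lpath = unix_listen(path);
    labs  = unix_listen(ABSTRACT_NAME);
    if (lpath < 0 || labs < 0) return DEMO_SETUP_FAILED;
    pid_t pid = fork();
    if (pid < 0) return DEMO_SETUP_FAILED;
    if (pid == 0) {
        int bits = 0;
        int before = unix_connect(path);               /* connect while still in the parent's netns */
        int peer = accept(lpath, NULL, NULL);          /* the listener fd was inherited across fork() */
        if (before < 0 || peer < 0) _exit(200);
        if (unshare(CLONE_NEWNET) < 0) _exit(100);     /* not permitted: nothing more to show */
        if (round_trip(before, peer)) bits |= DEMO_PRECONNECT_OK;   /* Daniel's point: old fd keeps working */
        if (unix_connect(path) >= 0) bits |= DEMO_PATH_CONNECT_OK;
        if (unix_connect(ABSTRACT_NAME) >= 0) bits |= DEMO_ABSTRACT_CONNECT_OK;
        _exit(bits);
    }
    waitpid(pid, &status, 0);
    close(lpath); close(labs); unlink(path);
    if (!WIFEXITED(status)) return DEMO_SETUP_FAILED;
    if (WEXITSTATUS(status) == 100) return DEMO_NO_PRIV;
    if (WEXITSTATUS(status) == 200) return DEMO_SETUP_FAILED;
    return WEXITSTATUS(status);
}

int main(void)
{
    int r = run_demo();
    if (r == DEMO_NO_PRIV) { puts("unshare(CLONE_NEWNET) not permitted; run as root or in a user namespace"); return 1; }
    if (r < 0) { puts("setup failed"); return 1; }
    printf("pre-connected fd usable after unshare: %s\n", (r & DEMO_PRECONNECT_OK) ? "yes" : "no");
    printf("fresh connect to path socket:          %s\n", (r & DEMO_PATH_CONNECT_OK) ? "yes" : "no");
    printf("fresh connect to abstract socket:      %s\n", (r & DEMO_ABSTRACT_CONNECT_OK) ? "yes" : "no");
    return 0;
}
```

Run it as root (or after `unshare -Un` to get a user namespace first): the pre-connected descriptor always carries data after the namespace switch, which is the property a pam module or display manager can rely on by opening the X or dbus connection before the unshare() rather than after it. The abstract-name line shows what per-namespace isolation still looks like today, and the path line shows the relaxation that later kernels introduced for exactly the /tmp/.X11-unix case raised in this message.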