[lxc-devel] per-session network namespace question

Wilhelm Meier wilhelm.meier at fh-kl.de
Thu Oct 29 19:16:33 UTC 2009


Hi,

Daniel Lezcano wrote:
> Wilhelm Meier wrote:
> 
> [ ... ]
>>> Be aware the network namespace isolates af_unix socket 
>>
>> Does this mean that a process in the new network namespace can't 
>> reach/connect a socket that was created in another namespace but 
>> visible in the filesystem. An important example would be the 
>> dbus-socket in /var/run/dbus for the system-dbus instance.
> Yes, that's correct but if you create the socket and connect before 
> unsharing the network namespace, you can use the file descriptor in the 
> new network namespace without problem, that was taken into account in 
> the design.

the af_unix isolation causes some problems ... let me explain: so far 
I've hacked a pam-module (pam-netns) to setup a new network namespace on 
login per user-session. This works well with all sorts of logins except 
kdm, since the processes kdm forks after the pam-stack executed (that is 
after the unshare()) need to connect to the X-server via the socket 
/tmp/.X11-unix/X0, which obviously doesn't work anymore.
A solution to this problem could be modifying the kde-init-scripts to 
connect to the local display via tcp (same thing for the system-dbus 
connection).
But what I don't understand: why are the sockets still visible in the 
filesystem after the unshare() even if they belong to another 
net-namespace? It would be more natural to me to make them invisible in 
this case or - and I would prefer that - to exclude them from network 
isolation.
So, my question is: can one switch off af_unix isolation?

>> If this is the case is there a way to circumvent the problem (for 
>> dbus: afaik one can create an additional dbus listen address, so it 
>> should be possible to setup a tcp-listen-address on the vethx 
>> interface in the root network-namespace)
> Yes, that should work.
> 
> 
> Thanks
>  -- Daniel

-- 
Wilhelm
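An added example in C, not code from this thread or from lxc, that demonstrates Daniel's point: connect to a filesystem AF_UNIX socket, then unshare(CLONE_NEWNET), and the already-established file descriptor keeps working; afterwards it tries a fresh connect() to the same path from inside the new namespace and reports the outcome instead of assuming it. The socket path is a constructed name, and unshare(CLONE_NEWNET) needs CAP_SYS_ADMIN, so the function returns 1 and skips the demonstration when that privilege is missing.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <unistd.h>
#define SOCK_PATH "/tmp/lxc-netns-demo.sock"  /* constructed path for this example */

static int listen_on(const char *path) {    /* filesystem (non-abstract) AF_UNIX socket */
    struct sockaddr_un a = { .sun_family = AF_UNIX };
    int fd = socket(AF_UNIX, SOCK_STREAM, 0);
    strncpy(a.sun_path, path, sizeof a.sun_path - 1);
    unlink(path);                           /* drop a stale socket file from an earlier run */
    if (fd < 0 || bind(fd, (struct sockaddr *)&a, sizeof a) < 0 || listen(fd, 1) < 0) {
        close(fd); return -1;
    }
    return fd;
}
static int connect_to(const char *path) {
    struct sockaddr_un a = { .sun_family = AF_UNIX };
    int fd = socket(AF_UNIX, SOCK_STREAM, 0);
    strncpy(a.sun_path, path, sizeof a.sun_path - 1);
    if (fd < 0 || connect(fd, (struct sockaddr *)&a, sizeof a) < 0) {
        int e = errno; close(fd); errno = e; return -1;  /* preserve connect()'s errno */
    }
    return fd;
}
/* 0: pre-unshare connection kept working in the new netns; 1: unshare() not permitted
 * here (needs CAP_SYS_ADMIN), demo skipped; -1: unexpected socket error. */
int demo_preconnected_fd_survives_unshare(void) {
    int srv = listen_on(SOCK_PATH), cli = -1, peer = -1, fresh = -1, rc = -1; char buf[2];
    if (srv < 0) return -1;
    /* Connect and accept while still in the original network namespace. */
    if ((cli = connect_to(SOCK_PATH)) < 0 || (peer = accept(srv, NULL, NULL)) < 0) goto out;
    if (unshare(CLONE_NEWNET) < 0) {        /* leave the netns, keeping all three fds */
        printf("unshare(CLONE_NEWNET): %s; skipping\n", strerror(errno)); rc = 1; goto out;
    }
    /* The already-established connection is unaffected by the namespace change. */
    if (write(cli, "ok", 2) != 2 || read(peer, buf, 2) != 2 || memcmp(buf, "ok", 2)) goto out;
    /* A fresh connect() to the same path from inside the new netns is where af_unix
     * isolation shows up; the outcome is reported rather than assumed. */
    fresh = connect_to(SOCK_PATH);
    printf("connect() after unshare: %s\n", fresh < 0 ? strerror(errno) : "succeeded");
    rc = 0;
out:
    close(srv); close(cli); close(peer); close(fresh); unlink(SOCK_PATH);
    return rc;
}
```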