[lxc-users] Difference in using network namespace via ip command and lxc
Serge Hallyn
serge.hallyn at ubuntu.com
Fri Jun 27 17:19:00 UTC 2014
Quoting Ajith Adapa (ajith.adapa at gmail.com):
> Hi,
>
> I am quite new to network namespaces and just making my hands dirty
> using ip command to create network namespaces.
>
> As per the man page for ip command
>
> " By convention a named network namespace is an object at
> /var/run/netns/NAME that can be opened. The file descriptor
> resulting from opening /var/run/netns/NAME refers to the specified
> network namespace. Holding that file descriptor open keeps the
> network namespace alive. The file descriptor can be used with the
> setns(2) system call to change the network namespace associated with
> a task."
>
> But in case of lxc I am seeing that /var/run/netns is empty.
>
> Is there any difference in the behaviour of network namespace in case
> of lxc container?
The convention is one used by /sbin/ip, not the kernel.
lxc indeed does not use /var/run/netns. When you use lxc-attach to enter
a container's netns, lxc goes straight to the /proc/pid/ns/net where pid
is the container init process' pid. /sbin/ip cannot count on a process
being around to pin the namespace, so it makes a bind mount of that file,
which pins it so that even if there are no tasks in the namespace, the
namespace is not released.
-serge
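Added example, not from this thread nor from the lxc or iproute2 sources: small C helpers that show the two addressing styles Serge contrasts. A spec is resolved either to /proc/<pid>/ns/net (what lxc-attach opens) or to /var/run/netns/<name> (the ip convention); pin_netns does the bind mount that `ip netns add` uses to keep a namespace alive with no tasks in it; enter_netns is the open plus setns(2) that lxc-attach performs. Function names are my own, and the last two need CAP_SYS_ADMIN.

```c
#define _GNU_SOURCE
#include <ctype.h>
#include <fcntl.h>
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <sys/mount.h>
#include <unistd.h>

/* All-digit "<pid>" -> /proc/<pid>/ns/net (what lxc-attach opens);
 * otherwise a name -> /var/run/netns/<name> (the ip convention). */
int netns_path(const char *spec, char *buf, size_t len)
{
    size_t i = 0;
    if (!spec || !*spec || strchr(spec, '/'))   /* names are plain file names */
        return -1;
    while (isdigit((unsigned char)spec[i]))
        i++;
    int n = spec[i] ? snprintf(buf, len, "/var/run/netns/%s", spec)
                    : snprintf(buf, len, "/proc/%s/ns/net", spec);
    return (n > 0 && (size_t)n < len) ? 0 : -1;
}

/* Pin a process' netns at /var/run/netns/<name> by bind mount, as `ip netns add`
 * does: the mount keeps it alive with no tasks left in it. Needs CAP_SYS_ADMIN. */
int pin_netns(const char *pid_spec, const char *name)
{
    char src[64], dst[256];
    if (netns_path(pid_spec, src, sizeof src) || netns_path(name, dst, sizeof dst))
        return -1;
    int fd = open(dst, O_RDONLY | O_CREAT | O_EXCL, 0); /* empty mount point */
    if (fd < 0)
        return -1;
    close(fd);
    if (mount(src, dst, "none", MS_BIND, NULL) == 0)
        return 0;
    unlink(dst);                                        /* do not leave a stale stub */
    return -1;
}

/* Enter a netns straight from its file, as lxc-attach does; no /var/run/netns entry needed. */
int enter_netns(const char *path)
{
    int fd = open(path, O_RDONLY | O_CLOEXEC);
    if (fd < 0)
        return -1;
    int rc = setns(fd, CLONE_NEWNET);
    close(fd);
    return rc;
}
```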