[lxc-users] Difference in using network namespace via ip command and lxc

Serge Hallyn serge.hallyn at ubuntu.com
Mon Jun 30 13:01:28 UTC 2014 

Noone can, and /sbin/ip doesn't either.   A new net ns is created by
cloning a new task with the new ns.  The correct question would be can
you not keep a namespace around without a process - and yes, you can
do it the exact same way that /sbin/ip does.  Get the container's
init task pid, call it $inipid, mkdir /tmp/lxc/netns, touch
/tmp/lxc/netns/$container, and do
mount --bind /proc/$initpid/ns/net /tmp/lxc/netns/$container
Now when the container exits, the netns will stick around.

-serge

Quoting Ajith Adapa (ajith.adapa at gmail.com):
> Thanks @serge for the reply.
> 
> So we cannot create a namespace without binding it to a process then ?
> 
> On Fri, Jun 27, 2014 at 10:49 PM, Serge Hallyn <serge.hallyn at ubuntu.com> wrote:
> > Quoting Ajith Adapa (ajith.adapa at gmail.com):
> >> Hi,
> >>
> >> I am quite new to network namespaces and just making my hands dirty
> >> using ip command to create network namespaces.
> >>
> >> As per the man page for ip command
> >>
> >> "       By convention a named network namespace is an object at
> >>        /var/run/netns/NAME that can be opened.  The file descriptor
> >>        resulting from opening /var/run/netns/NAME refers to the specified
> >>        network namespace.  Holding that file descriptor open keeps the
> >>        network namespace alive.  The file descriptor can be used with the
> >>        setns(2) system call to change the network namespace associated with
> >>        a task."
> >>
> >> But incase of lxc I am seeing that /var/run/netns is empty.
> >>
> >> Is there any difference in the behaviour of network namespace incase
> >> of lxc container ?
> >
> > The convention is one used by /sbin/ip, not the kernel.
> >
> > lxc indeed does not use /var/run/netns.  When you use lxc-attach to enter
> > a container's netns, lxc goes straight to the /proc/pid/ns/net where pid
> > is the container init process' pid.  /sbin/ip cannot count on a process
> > being around to pin the namespace, so it makes a bind mount of that file,
> > which pins it so that even if there are no tasks in the namespace, the
> > namespace is not released.
> >
> > -serge
> > _______________________________________________
> > lxc-users mailing list
> > lxc-users at lists.linuxcontainers.org
> > http://lists.linuxcontainers.org/listinfo/lxc-users
> _______________________________________________
> lxc-users mailing list
> lxc-users at lists.linuxcontainers.org
> http://lists.linuxcontainers.org/listinfo/lxc-users

More information about the lxc-users mailing list