As I noted back in f1f56a7ae6, I originally wrote the article on
assigning OpenVPN instances to network namespaces as a blog post. So now
that I've finally set up a blog and posted the article there, remove the
duplicate copy in this repository and provide links to the new post.
Honestly, because the article can stand on its own as a guide (i.e., it
doesn't require nsdo), it never belonged in the nsdo repository in the
first place. The only benefit I see is that GitHub has a much higher
PageRank than my blog does, meaning my blog will probably show up much
later (if at all) on Google search results. But oh well.
In 8326e8d3, I mistakenly modified README.md directly instead of
generating it by changing readme.head and running the Makefile. So copy
over my changes to readme.head.
Pass O_CLOEXEC to open() to prevent the exec()'d process from inheriting
the file descriptor of the netns in /var/run/netns.
Example of current leaky behavior:
$ nsdo foo ls -l /proc/self/fd/
lrwx------ 1 austin austin 64 Jul 29 20:44 0 -> /dev/pts/21
lrwx------ 1 austin austin 64 Jul 29 20:44 1 -> /dev/pts/21
lrwx------ 1 austin austin 64 Jul 29 20:44 2 -> /dev/pts/21
lr-x------ 1 austin austin 64 Jul 29 20:44 3 -> /run/netns/foo <-- !
lr-x------ 1 austin austin 64 Jul 29 20:44 4 -> /proc/12307/fd
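The leak shown above, reproduced and contrasted with the O_CLOEXEC fix, as an added C example that is not nsdo's own code. It assumes Linux with /proc mounted and opens /dev/null instead of /run/netns/<name>, since the latter needs root; the exec'd child is a shell that probes its own /proc/self/fd.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <sys/wait.h>
#include <unistd.h>

/* Open `path` with or without O_CLOEXEC, then fork and exec a child shell
 * that checks whether the descriptor number is still visible in its own
 * /proc/self/fd, which is what `nsdo foo ls -l /proc/self/fd/` showed.
 * Returns 1 if the child inherited the fd (the leak), 0 if it did not,
 * -1 on error. Hypothetical helper written for this example. */
int fd_leaks_across_exec(const char *path, int use_cloexec)
{
    int flags = O_RDONLY | (use_cloexec ? O_CLOEXEC : 0);
    int fd = open(path, flags);
    if (fd < 0)
        return -1;

    pid_t pid = fork();
    if (pid < 0) {
        close(fd);
        return -1;
    }
    if (pid == 0) {
        /* Child: after exec, only fds without FD_CLOEXEC survive. */
        char probe[64];
        snprintf(probe, sizeof probe, "test -e /proc/self/fd/%d", fd);
        execl("/bin/sh", "sh", "-c", probe, (char *)NULL);
        _exit(127); /* exec failed */
    }

    close(fd); /* parent no longer needs it */
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    if (!WIFEXITED(status) || WEXITSTATUS(status) == 127)
        return -1;
    return WEXITSTATUS(status) == 0 ? 1 : 0;
}

int main(void)
{
    printf("without O_CLOEXEC: leaks=%d\n", fd_leaks_across_exec("/dev/null", 0));
    printf("with    O_CLOEXEC: leaks=%d\n", fd_leaks_across_exec("/dev/null", 1));
    return 0;
}
```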
Version 2.3.11 of the Arch openvpn package changed openvpn@.service by
limiting its capabilities to a set not including CAP_SYS_ADMIN, which
setns() requires. So update the unit pasted into the guide and add the
needed capability to the suggested drop-in unit.
I wanted to access a web application running in nsdo, but found that I
couldn't without running my browser in the same network namespace. As a
workaround, I set up veth and then added the steps I took to the OpenVPN
For printing the current version, nsdo now accepts --version/-V. I've
updated the manpage to reflect this.
Also fixed a typo in the manpage.
1. Don't accept empty namespace names. Running setns(open("/run/netns"))
as root is probably harmless, but I'd like to avoid it.
2. If a namespace can't be open()ed, give the filename nsdo tried to
open. Then, maybe the user can try to find the file by hand.
nsdo now returns better error messages. For instance, if a stat() fails,
it gives the filename in the error message.
I've also tweaked my vpn suggestions to re-use the same network
namespaces across openvpn client restarts. Before, the network namespace
was added and removed in the vpn-ns script, but because that ran for
every start/stop of the openvpn client, sometimes the network namespace
in which an application was running would get 'stale.'
Specifically, if Firefox was running in my VPN's network namespace, but
I suspended my laptop, the vpn-ns script would create a new network
namespace when the computer came out of suspend and the openvpn client
started up again. So, /run/netns/vpn (for example) would point to
namespace 12345679, where openvpn was running, while firefox would be
running in namespace 12345678.
The fix -- to use a separate systemd service to create the namespaces --
just makes sense, and I should've done it this way in the first place.
I've been wanting to write a blog post about my use of Linux network
namespaces with openvpn for a while, but I still haven't bothered to
create a blog in the first place (...yep), so I thought this repository
might be a good place for a quick guide.
I hope it helps someone someday.