This is probably a bit of a newbie question, but: I have a parent and a child process. The child does unshare(CLONE_NEWNET) after the fork(). It does not unshare the filesystem namespace or anything else.

I want the child to expose a unix domain socket, of type SOCK_STREAM. Both act as servers, i.e. they listen on the service, accept(), then handle the resultant connections. The socket needs to be accessed both by the parent and by other processes (preferably processes with both network namespaces, but primarily from the parent's).

If I create and bind the socket in the child after the unshare(), then I cannot connect to it from the parent or processes sharing the parent namespace. This seems surprising, as the documentation for CLONE_NEWNET suggests only the networking space is separated, and that would not normally appear to include UNIX domain sockets (I would have thought they would be CLONE_NEWNS or CLONE_NEWIPC).

If I'm wrong in this assumption, and CLONE_NEWNET should isolate unix domain sockets, something surprising still happens: if I create the listen socket before the CLONE_NEWNET, then everything works as intended, even though I am creating new fds via accept() after the unshare(), i.e. the unix domain socket space does not appear to be isolated.

It appears to be working by doing:

  bind()
  listen()
  unshare()
  accept()

but I don't understand why, or what the semantics are for interaction between unshare(CLONE_NEWNET) and unix domain sockets.

Any ideas?

-- 
Alex Bligh

_______________________________________________
Containers mailing list
Containers@xxxxxxxxxxxxxxxxxxxxxxxxxx
https://lists.linux-foundation.org/mailman/listinfo/containers
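The following C harness is added here as an illustration; it is not code from Alex's post or from the containers project. It reproduces the experiment he describes with a pathname-based SOCK_STREAM socket: the child either calls unshare(CLONE_NEWNET) before socket()/bind()/listen(), or after listen() but before accept(), and the parent then tries to connect() from its own network namespace. The scratch path under /tmp, the readiness pipe and the function names are my choices. unshare(CLONE_NEWNET) needs CAP_SYS_ADMIN in the caller's user namespace; when it is refused the harness records that and the run degenerates into a same-namespace control. The harness reports what the running kernel does for the unshare-first case rather than assuming an outcome.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <sched.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <sys/wait.h>
#include <unistd.h>

#ifndef CLONE_NEWNET
#define CLONE_NEWNET 0x40000000 /* value from <linux/sched.h>, in case sched.h hid it */
#endif
int unshare(int flags);         /* glibc prototype, repeated in case _GNU_SOURCE came too late */

/* Which side of unshare(CLONE_NEWNET) the child creates its listening socket on. */
enum order { UNSHARE_THEN_BIND, BIND_LISTEN_THEN_UNSHARE };

struct netns_result {
    int unshare_ok;    /* 1 if the child's unshare(CLONE_NEWNET) succeeded, 0 if refused (e.g. EPERM) */
    int connect_ok;    /* 1 if the parent connect()ed and read the byte the child sent after accept() */
    int connect_errno; /* errno from the parent's socket()/connect() when connect_ok == 0, else 0 */
};

static void fill_addr(struct sockaddr_un *addr, const char *path)
{
    memset(addr, 0, sizeof *addr);
    addr->sun_family = AF_UNIX;
    strncpy(addr->sun_path, path, sizeof(addr->sun_path) - 1);
}

/* Pathname-based SOCK_STREAM listener, as in the post (not an abstract-namespace socket). */
static int make_listener(const char *path)
{
    struct sockaddr_un addr;
    int fd = socket(AF_UNIX, SOCK_STREAM, 0);
    if (fd < 0)
        return -1;
    fill_addr(&addr, path);
    if (bind(fd, (struct sockaddr *)&addr, sizeof addr) < 0 || listen(fd, 1) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

struct netns_result run_experiment(enum order order)
{
    struct netns_result r = { 0, 0, 0 };
    char dir[] = "/tmp/unsdemo-XXXXXX"; /* hypothetical scratch directory */
    char path[sizeof dir + 8];
    int ready[2];
    char status = '0';
    pid_t pid;

    if (!mkdtemp(dir)) { r.connect_errno = errno; return r; }
    snprintf(path, sizeof path, "%s/sock", dir);
    if (pipe(ready) < 0) { r.connect_errno = errno; rmdir(dir); return r; }
    pid = fork();
    if (pid < 0) { r.connect_errno = errno; close(ready[0]); close(ready[1]); rmdir(dir); return r; }

    if (pid == 0) {
        int lfd, cfd;
        close(ready[0]);
        if (order == UNSHARE_THEN_BIND && unshare(CLONE_NEWNET) == 0)
            status = '1';
        lfd = make_listener(path);
        if (lfd < 0)
            _exit(1);                  /* parent sees EOF on the readiness pipe */
        if (order == BIND_LISTEN_THEN_UNSHARE && unshare(CLONE_NEWNET) == 0)
            status = '1';
        if (write(ready[1], &status, 1) != 1)
            _exit(1);
        /* In both orders accept() runs after the unshare; answer the single client with one byte. */
        cfd = accept(lfd, NULL, NULL);
        if (cfd >= 0) {
            (void)write(cfd, "x", 1);
            close(cfd);
        }
        _exit(0);
    }

    close(ready[1]);
    if (read(ready[0], &status, 1) == 1) {
        struct sockaddr_un addr;
        int cfd;
        r.unshare_ok = (status == '1');
        fill_addr(&addr, path);
        cfd = socket(AF_UNIX, SOCK_STREAM, 0);
        if (cfd >= 0 && connect(cfd, (struct sockaddr *)&addr, sizeof addr) == 0) {
            char b;
            r.connect_ok = (read(cfd, &b, 1) == 1);
        } else {
            r.connect_errno = errno;
        }
        if (cfd >= 0)
            close(cfd);
    } else {
        r.connect_errno = ECHILD;      /* child died before it could listen */
    }
    close(ready[0]);
    kill(pid, SIGKILL);                /* child may still be blocked in accept() */
    waitpid(pid, NULL, 0);
    unlink(path);
    rmdir(dir);
    return r;
}

int main(void)
{
    static const char *names[] = { "unshare, then bind+listen", "bind+listen, then unshare" };
    enum order orders[] = { UNSHARE_THEN_BIND, BIND_LISTEN_THEN_UNSHARE };
    for (int i = 0; i < 2; i++) {
        struct netns_result r = run_experiment(orders[i]);
        printf("%-26s unshare=%s connect=%s%s\n", names[i],
               r.unshare_ok ? "ok" : "refused (same netns)",
               r.connect_ok ? "ok" : "failed: ",
               r.connect_ok ? "" : strerror(r.connect_errno));
    }
    return 0;
}
```

Build with `cc -o unsdemo unsdemo.c` and run it as root (or inside a user namespace that grants CAP_SYS_ADMIN) so that unshare() actually succeeds; unprivileged, both rows are same-namespace controls. The bind+listen-then-unshare order connects on any kernel because the listening socket was created while the child still shared the parent's network namespace, and accept() only dequeues connections from a socket that already exists, so the later unshare() does not move it. The unshare-first row shows whatever the running kernel does for a pathname socket created inside the new namespace.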