--On 25 April 2011 09:12:28 -0500 Serge Hallyn <serge.hallyn@xxxxxxxxxxxxx> wrote:

> Nope, while there have been discussions about the right thing to do,
> last I knew unix domain sockets were completely tied to the network
> namespace.

OK

> Sockets, like file descriptors, persist as handles in the namespace
> in which they were created.
...
> Likewise, if you connect a socket before CLONE_NEWNET, then you
> can continue to use it after CLONE_NEWNET. This is by design. A
> server can (and some do) create hundreds of thousands of network
> namespaces, creating one connected socket in each, with no other
> handle to that ns left other than that socket.

Ah, so the socket persists because of the FD despite its namespace being
unshared, simply because the listen fd persists across the unshare(); I can
thus accept() on a listening socket which is in another namespace, and
generate an fd that works just fine. This is what I missed. It is useful
behaviour.

Thanks.

--
Alex Bligh
_______________________________________________
Containers mailing list
Containers@xxxxxxxxxxxxxxxxxxxxxxxxxx
https://lists.linux-foundation.org/mailman/listinfo/containers
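The behaviour the two messages above settle on, as an added example that is not part of the thread and not code from either poster: a process binds and listens on an AF_UNIX socket, a forked child that stays in the original network namespace connects to it, and only then does the parent call unshare() into a fresh network namespace and accept() on the old listener. The connection comes back usable. Assumptions of this example: Linux, a writable /tmp, and CLONE_NEWUSER combined with CLONE_NEWNET so that the unshare works without CAP_SYS_ADMIN in the initial user namespace (the thread only mentions CLONE_NEWNET). If the kernel or a sandbox refuses the unshare, the function reports that with return value 1 rather than failing, so the fd-inheritance half of the demonstration still runs. The socket is bound to a filesystem path on purpose: abstract AF_UNIX names live in the abstract namespace of a network namespace, so a client in the old namespace could not reach an abstract name bound after the unshare, whereas a path on disk is reachable from both.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <sched.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <sys/wait.h>
#include <unistd.h>

/* Returns:
 *   0  the listener created before unshare(CLONE_NEWNET) still accepted
 *      a connection that was made from the original namespace
 *   1  same result, but this environment refused the unshare (e.g. EPERM
 *      from a seccomp policy), so the namespace half of the demo was skipped
 *  -1  a socket/fork step failed; errno describes the first failure
 */
int accept_after_unshare(void)
{
    char path[64];                 /* hypothetical scratch path, unlinked at the end */
    struct sockaddr_un addr;
    char buf[16];
    int lfd, cfd, status, rc = -1, unshared = 0;
    pid_t pid;
    ssize_t n;

    snprintf(path, sizeof path, "/tmp/netns-demo-%ld.sock", (long)getpid());

    lfd = socket(AF_UNIX, SOCK_STREAM, 0);
    if (lfd < 0)
        return -1;
    memset(&addr, 0, sizeof addr);
    addr.sun_family = AF_UNIX;
    strncpy(addr.sun_path, path, sizeof addr.sun_path - 1);
    unlink(path);                  /* ignore ENOENT: we just want a clean name */
    if (bind(lfd, (struct sockaddr *)&addr, sizeof addr) < 0 || listen(lfd, 1) < 0) {
        close(lfd);
        return -1;
    }

    /* The child stays in the original network namespace and connects.
       listen() already ran, so the connection sits in the backlog
       (with "hello" buffered) even though nobody has called accept(). */
    pid = fork();
    if (pid < 0) {
        close(lfd);
        unlink(path);
        return -1;
    }
    if (pid == 0) {
        close(lfd);
        cfd = socket(AF_UNIX, SOCK_STREAM, 0);
        if (cfd < 0 || connect(cfd, (struct sockaddr *)&addr, sizeof addr) < 0)
            _exit(1);
        if (write(cfd, "hello", 5) != 5)
            _exit(1);
        close(cfd);
        _exit(0);
    }
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status) || WEXITSTATUS(status) != 0) {
        close(lfd);
        unlink(path);
        return -1;
    }
    unlink(path);                  /* the queued connection no longer needs the name */

    /* Leave the namespace the listener was created in. CLONE_NEWUSER is
       included only so an unprivileged process may do this; any failure
       here is treated as "not permitted in this environment". */
    if (unshare(CLONE_NEWUSER | CLONE_NEWNET) == 0)
        unshared = 1;

    /* The fd is a handle into the old namespace: accept() on it still
       returns a connected socket that reads the client's data. */
    cfd = accept(lfd, NULL, NULL);
    if (cfd >= 0) {
        n = read(cfd, buf, sizeof buf - 1);
        if (n == 5 && memcmp(buf, "hello", 5) == 0)
            rc = unshared ? 0 : 1;
        close(cfd);
    }
    close(lfd);
    return rc;
}

int main(void)
{
    int rc = accept_after_unshare();
    if (rc == 0)
        puts("accepted a connection from the old netns after unshare(CLONE_NEWNET)");
    else if (rc == 1)
        puts("accepted the connection, but unshare() was refused here (no netns change)");
    else
        perror("accept_after_unshare");
    return rc < 0 ? 1 : 0;
}
```

The same trick is what the "hundreds of thousands of namespaces" server in the quoted message relies on: the only handle it keeps to each namespace is a socket created inside it, and that fd remains valid no matter which namespace the process later occupies. The practical caveat is the converse: a socket inherited across the unshare gives a confined process a path back into the parent namespace, so anything meant to be isolated should close or not inherit such fds before unsharing.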