On Tue, 02 May 2023, Jeff Layton wrote:
> On Tue, 2023-05-02 at 09:59 +0200, Petr Vorel wrote:
> >
> > Although there is suggestion, how to fix the problem in kernel [2]:
> >
> > > Maybe rpcb_create_local() shall detect that it is not in root
> > > netns, and only try AF_INET connection to localhost in that case.
> >
> > That would be simple and might be sensible. IF changing the AF_UNIX
> > path to "/run/rpcbind.sock" isn't sufficient, then testing for the
> > root_ns is probably the best second option.
> >
>
> Was it determined that changing the location of the socket wasn't
> sufficient to fix this? FWIW, My Fedora 38 machine seems to listen on
> that socket already:
>
>     [Socket]
>     ListenStream=/run/rpcbind.sock

I think the best solution for this problem is to change the kernel to
first try to send to an abstract socket: "\0/run/rpcbind.sock".
Only if that fails do we try "/run/rpcbind.sock".
We also change rpcbind to listen on both

    ListenStream=@/run/rpcbind.sock
    ListenStream=/run/rpcbind.sock

Abstract sockets are local to a network namespace, while non-abstract
Unix domain sockets are local to a file and so can only be local to a
mount namespace. We clearly need rpcbind lookup from the kernel to be
netns-local, so abstract is the obvious choice.

NeilBrown
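The lookup order proposed in the message above, as a user-space Linux illustration added here; it is not code from the thread, the kernel, or rpcbind. The helper names (`open_sock`, `connect_local`, `probe`) and the demo socket name `/tmp/rpcbind-demo.sock` are assumptions chosen so the example runs unprivileged.

```c
#include <stddef.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/un.h>

/* Listen on (serve != 0) or connect to the AF_UNIX socket `name`; fd or -1. */
static int open_sock(const char *name, int abstract, int serve)
{
    struct sockaddr_un sa = { .sun_family = AF_UNIX };
    size_t n = strlen(name);
    if (n + 1 >= sizeof(sa.sun_path)) return -1;
    /* Abstract: leading NUL then the name; netns-scoped, no filesystem entry. */
    memcpy(sa.sun_path + (abstract ? 1 : 0), name, n);
    socklen_t len = (socklen_t)(offsetof(struct sockaddr_un, sun_path) + n + 1);
    int fd = socket(AF_UNIX, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    if (serve && !abstract) unlink(name);      /* clear a stale socket file */
    int rc = serve ? (bind(fd, (struct sockaddr *)&sa, len) || listen(fd, 1))
                   : connect(fd, (struct sockaddr *)&sa, len);
    if (rc) { close(fd); return -1; }
    return fd;
}

/* Abstract first, pathname only on failure: 1 = abstract, 2 = pathname, 0 = none. */
static int connect_local(const char *name)
{
    int used = 1, fd = open_sock(name, 1, 0);
    if (fd < 0) { used = 2; fd = open_sock(name, 0, 0); }
    if (fd < 0) return 0;
    close(fd);
    return used;
}

/* Start the chosen listeners, run the lookup, clean up; returns connect_local(). */
static int probe(const char *name, int serve_abstract, int serve_path)
{
    int a = serve_abstract ? open_sock(name, 1, 1) : -1;
    int p = serve_path ? open_sock(name, 0, 1) : -1;
    int used = connect_local(name);
    if (a >= 0) close(a);
    if (p >= 0) { close(p); unlink(name); }
    return used;
}

int main(void)
{
    /* Constructed demo name; exit 0 when a path-only listener forces the fallback. */
    return probe("/tmp/rpcbind-demo.sock", 0, 1) == 2 ? 0 : 1;
}
```

With both listeners up the abstract address is always the one reached, so a pathname socket visible through a shared mount namespace is only consulted when no listener in the caller's own network namespace has bound the abstract name.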