jamal <hadi@xxxxxxxxxx> writes:

> On Mon, 2010-02-22 at 12:46 -0800, Eric W. Biederman wrote:
>> jamal <hadi@xxxxxxxxxx> writes:
>
>> This is one of the long standing issues that we have always known
>> we needed to solve, but have not taken the time to do it. Now that
>> the need is more real it looks about time to solve this one.
>>
>> There are currently two problems.
>> 1) A process is needed to hold a reference to the network namespace.
>> 2) We use pids which are an awkward way of talking about network
>> namespaces.
>>
>> The solution I have been playing with involves:
>> - Using a file descriptor to refer to a network namespace.
>> - Using a trivial virtual filesystem to persistently hold onto
>> a namespace without the need of a process.
>> - Have a convention of mounting the fs at something like
>> /var/run/netns/<name>
>
> I didn't quite follow how I could use the above to do:
> "ip ns <name/id> route add blah" from namespace0.
>
> I tend to think in packets and wires instead of files;
> how about just allowing a "control" channel from which
> I could discover the namespace?
> Example, assuming I have the right permissions:
> 1) Listen to async events, e.g. on a multicast bus, when
> a namespace is created or destroyed. Provide me a little more info on
> the created namespace such as its pid, name(?), types of namespace, etc.
> 2) Send a query to dump existing namespaces or query by name, id etc.
> I get the same details as above.
>
> Using genetlink should provide you with sufficient ability to do this.
What I am thinking is:

"ip ns <name> route add blah" is:

	fd = open("/var/run/netns/<name>", O_RDONLY);
	sys_setns(fd);	/* Like unshare but takes an existing namespace */
	/* Then the rest of the existing ip command */

"ip ns list" is:

	dfd = open("/var/run/netns", O_DIRECTORY);
	getdents(dfd, buf, count);

"ip ns new <name>" is:

	unshare(CLONE_NEWNET);	/* create a fresh network namespace */
	fd = nsfd(NETNS);	/* fd referring to the new namespace */
	mkdir("/var/run/netns/<name>", 0755);
	mount("none", "/var/run/netns/<name>", "ns", 0, fd);

Using unix domain names means that which namespaces you see is under
control of userspace. Which allows for nested containers (something I use
today), and ultimately container migration.

Using genetlink userspace doesn't result in a nestable implementation
unless I introduce yet another namespace, ugh.

Eric
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html