From mboxrd@z Thu Jan 1 00:00:00 1970
Return-Path:
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1753518AbaIXQ1h (ORCPT ); Wed, 24 Sep 2014 12:27:37 -0400
Received: from mail-wi0-f177.google.com ([209.85.212.177]:48169 "EHLO mail-wi0-f177.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751088AbaIXQ1f (ORCPT ); Wed, 24 Sep 2014 12:27:35 -0400
Message-ID: <5422F0F4.6000709@6wind.com>
Date: Wed, 24 Sep 2014 18:27:32 +0200
From: Nicolas Dichtel
Reply-To: nicolas.dichtel@6wind.com
Organization: 6WIND
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.1.1
MIME-Version: 1.0
To: Cong Wang
CC: netdev , containers@lists.linux-foundation.org, "linux-kernel@vger.kernel.org" , linux-api@vger.kernel.org, David Miller , "Eric W.
Biederman" , Stephen Hemminger , Andrew Morton , Andy Lutomirski
Subject: Re: [RFC PATCH net-next v2 0/5] netns: allow to identify peer netns
References: <1411478430-4989-1-git-send-email-nicolas.dichtel@6wind.com> <54228D87.3070309@6wind.com>
In-Reply-To:
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 8bit
Sender: linux-kernel-owner@vger.kernel.org
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

Le 24/09/2014 18:01, Cong Wang a écrit :
> On Wed, Sep 24, 2014 at 2:23 AM, Nicolas Dichtel
> <nicolas.dichtel@6wind.com> wrote:
>> Le 23/09/2014 21:22, Cong Wang a écrit :
>>
>>> On Tue, Sep 23, 2014 at 6:20 AM, Nicolas Dichtel
>>> <nicolas.dichtel@6wind.com> wrote:
>>>>
>>>> Here is a small screenshot to show how it can be used by userland:
>>>> $ ip netns add foo
>>>> $ ip netns del foo
>>>> $ ip netns
>>>> $ touch /var/run/netns/init_net
>>>> $ mount --bind /proc/1/ns/net /var/run/netns/init_net
>>>> $ ip netns add foo
>>>> $ ip netns
>>>> foo (id: 3)
>>>> init_net (id: 1)
>>>> $ ip netns exec foo ip netns
>>>> foo (id: 3)
>>>> init_net (id: 1)
>>>> $ ip netns exec foo ip link add ipip1 link-netnsid 1 type ipip remote
>>>> 10.16.0.121 local 10.16.0.249
>>>> $ ip netns exec foo ip l ls ipip1
>>>> 6: ipip1@NONE: <POINTOPOINT,NOARP> mtu 1480 qdisc noop state DOWN mode
>>>> DEFAULT group default
>>>>       link/ipip 10.16.0.249 peer 10.16.0.121 link-netnsid 1
>>>>
>>>> The parameter link-netnsid shows us where the interface sends and
>>>> receives packets (and thus we know where encapsulated addresses are set).
>>>>
>>>
>>> So ipip1 is shown in netns foo but functioning in netns init_net? Getting
>>> the id of init_net in foo depends on your mount namespace, /var/run/netns/
>>> may not be visible inside foo, in this case, link-netnsid is meaningless.
>>> It is not your fault, network namespace already heavily relies on mount
>>> namespace (sysfs needs to be remounted otherwise you cannot create a
>>> device with the same name.)
>>>
>>> On the other hand, what's the problem you are trying to solve? AFAIK,
>>> the ifindex issue is purely in output, IOW, the device still functions
>>> correctly even though its link ifindex is not correct after moving to
>>> another namespace. If not, it is a bug we need to fix.
>>>
>> The problem is explained here:
>> http://thread.gmane.org/gmane.linux.network/315933/focus=316064
>> and here:
>> http://thread.gmane.org/gmane.linux.kernel.containers/28301/focus=4239
>>
>
> Please, summarize the discussion in your changelog, instead of pointing
> to a long thread.
The thread is long, but the mail in focus contains the information. Here is a
copy and paste:

What I'm trying to solve is to have full info in netlink messages sent by the
kernel, thus being able to identify a peer netns (and this is close to what
audit guys are trying to have). Theoretically, messages sent by the kernel can
be reused as is to have the same configuration. This is not the case with
x-netns devices. Here is an example, with ip tunnels:

$ ip netns add 1
$ ip link add ipip1 type ipip remote 10.16.0.121 local 10.16.0.249 dev eth0
$ ip -d link ls ipip1
8: ipip1@eth0: <POINTOPOINT,NOARP> mtu 1480 qdisc noop state DOWN mode DEFAULT
group default
      link/ipip 10.16.0.249 peer 10.16.0.121 promiscuity 0
      ipip remote 10.16.0.121 local 10.16.0.249 dev eth0 ttl inherit pmtudisc
$ ip link set ipip1 netns 1
$ ip netns exec 1 ip -d link ls ipip1
8: ipip1@tunl0: <POINTOPOINT,NOARP,M-DOWN> mtu 1480 qdisc noop state DOWN mode
DEFAULT group default
      link/ipip 10.16.0.249 peer 10.16.0.121 promiscuity 0
      ipip remote 10.16.0.121 local 10.16.0.249 dev tunl0 ttl inherit pmtudisc

Now the information obtained with 'ip link' is wrong and incomplete:
  - the link dev is now tunl0 instead of eth0, because we only got an ifindex
    from the kernel without any netns information.
  - the encapsulation addresses are not part of this netns but the user doesn't
    know that (still because netns info is missing). These IPv4 addresses may
    exist in this netns.
  - it's not possible to create the same netdevice with this info.

Hope it's more clear now.

>
> And clearly you missed my question above: how do you get netns id
> without sharing /var/run/netns/ ?
>
You can get an id only if you already have a "pointer" to this netns.
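What the mail describes, as an added example that is not part of the original message or of the patch series: a netlink consumer parsing an RTM_NEWLINK for the ipip device and trying to resolve IFLA_LINK. Before the series, IFLA_LINK is a bare ifindex that is only meaningful in the netns the link device lives in, so a reader in netns foo resolves it against its own interface table and gets tunl0; with IFLA_LINK_NETNSID alongside it, the reader knows which netns the ifindex belongs to and gets eth0. The message is constructed in the program rather than read from the kernel, so it runs unprivileged. Assumptions: the attribute name IFLA_LINK_NETNSID and its value 37 are those of the version that was merged later (the RFC may have named it differently), and the two-namespace interface table (netns ids 1 and 3, ifindex 2 for both eth0 and tunl0, ipip1 at ifindex 8) is made-up sample data that mirrors the mail's scenario.

```c
/* Added example, not code from the mail or the patch series. Models what a
 * netlink consumer such as 'ip link' sees with and without the attribute the
 * series adds. Message is constructed locally; netns ids and ifindexes are
 * made-up sample data mirroring the mail's scenario. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <linux/netlink.h>
#include <linux/rtnetlink.h>

#ifndef IFLA_LINK_NETNSID
#define IFLA_LINK_NETNSID 37   /* value as merged later; fallback for old headers (assumption) */
#endif
#define LINK_NAME_LEN 16

struct link_info {
    int ifindex;
    char ifname[LINK_NAME_LEN];
    int link;              /* IFLA_LINK: ifindex of the underlying device, 0 if absent */
    int has_link_netnsid;  /* 1 when IFLA_LINK_NETNSID was present */
    int32_t link_netnsid;  /* netns id that 'link' is relative to */
};

/* Append one rtattr to the message; returns 0 if it does not fit. */
static int add_attr(struct nlmsghdr *nlh, size_t maxlen, int type, const void *data, int len)
{
    int rtalen = RTA_LENGTH(len);
    struct rtattr *rta;
    if (NLMSG_ALIGN(nlh->nlmsg_len) + RTA_ALIGN(rtalen) > maxlen)
        return 0;
    rta = (struct rtattr *)((char *)nlh + NLMSG_ALIGN(nlh->nlmsg_len));
    rta->rta_type = type;
    rta->rta_len = rtalen;
    memcpy(RTA_DATA(rta), data, len);
    nlh->nlmsg_len = NLMSG_ALIGN(nlh->nlmsg_len) + RTA_ALIGN(rtalen);
    return 1;
}

/* Build an RTM_NEWLINK for an ipip device: name, IFLA_LINK and, only when
 * with_netnsid is set (post-series kernel), IFLA_LINK_NETNSID. Returns 0 on overflow. */
static size_t build_newlink(void *buf, size_t buflen, int ifindex, const char *name,
                            int link, int with_netnsid, int32_t netnsid)
{
    struct nlmsghdr *nlh = buf;
    struct ifinfomsg *ifi;
    memset(buf, 0, buflen);
    nlh->nlmsg_len = NLMSG_LENGTH(sizeof(*ifi));
    nlh->nlmsg_type = RTM_NEWLINK;
    ifi = NLMSG_DATA(nlh);
    ifi->ifi_family = AF_UNSPEC;
    ifi->ifi_index = ifindex;
    if (!add_attr(nlh, buflen, IFLA_IFNAME, name, (int)strlen(name) + 1) ||
        !add_attr(nlh, buflen, IFLA_LINK, &link, sizeof(link)))
        return 0;
    if (with_netnsid && !add_attr(nlh, buflen, IFLA_LINK_NETNSID, &netnsid, sizeof(netnsid)))
        return 0;
    return nlh->nlmsg_len;
}

/* Walk the attributes of one RTM_NEWLINK; -1 on a malformed message. */
static int parse_newlink(const void *buf, size_t len, struct link_info *out)
{
    const struct nlmsghdr *nlh = buf;
    const struct ifinfomsg *ifi;
    const struct rtattr *rta;
    int attrlen;
    memset(out, 0, sizeof(*out));
    if (!NLMSG_OK(nlh, len) || nlh->nlmsg_type != RTM_NEWLINK ||
        nlh->nlmsg_len < NLMSG_LENGTH(sizeof(*ifi)))
        return -1;
    ifi = NLMSG_DATA(nlh);
    out->ifindex = ifi->ifi_index;
    attrlen = IFLA_PAYLOAD(nlh);
    for (rta = IFLA_RTA(ifi); RTA_OK(rta, attrlen); rta = RTA_NEXT(rta, attrlen)) {
        switch (rta->rta_type) {
        case IFLA_IFNAME:   /* bounded copy: payload need not be NUL-terminated */
            snprintf(out->ifname, sizeof(out->ifname), "%.*s",
                     (int)RTA_PAYLOAD(rta), (const char *)RTA_DATA(rta));
            break;
        case IFLA_LINK:
            if ((size_t)RTA_PAYLOAD(rta) >= sizeof(out->link))
                memcpy(&out->link, RTA_DATA(rta), sizeof(out->link));
            break;
        case IFLA_LINK_NETNSID:
            if ((size_t)RTA_PAYLOAD(rta) >= sizeof(out->link_netnsid)) {
                memcpy(&out->link_netnsid, RTA_DATA(rta), sizeof(out->link_netnsid));
                out->has_link_netnsid = 1;
            }
            break;
        }
    }
    return 0;
}

/* Constructed interface table: ifindex 2 is eth0 in init_net (netns id 1) and
 * tunl0, the ipip fallback device, in netns foo (netns id 3). */
struct ns_dev { int32_t nsid; int ifindex; const char *ifname; };
static const struct ns_dev devtab[] = { { 1, 2, "eth0" }, { 3, 2, "tunl0" } };

/* Without IFLA_LINK_NETNSID the only table a reader can consult is its own netns. */
static const char *resolve_link(const struct link_info *li, int32_t reader_nsid)
{
    int32_t nsid = li->has_link_netnsid ? li->link_netnsid : reader_nsid;
    size_t i;
    for (i = 0; i < sizeof(devtab) / sizeof(devtab[0]); i++)
        if (devtab[i].nsid == nsid && devtab[i].ifindex == li->link)
            return devtab[i].ifname;
    return "?";
}

/* ipip1 (ifindex 8, link ifindex 2 in init_net) as read by 'ip link' inside foo. */
static const char *linked_device_seen_from_foo(int with_netnsid)
{
    uint32_t buf[32];   /* 128 bytes, 4-byte aligned as netlink requires */
    struct link_info li;
    size_t n = build_newlink(buf, sizeof(buf), 8, "ipip1", 2, with_netnsid, 1);
    if (n == 0 || parse_newlink(buf, n, &li) != 0)
        return "?";
    return resolve_link(&li, 3);
}

int main(void)
{
    printf("pre-series:  ipip1@%s\n", linked_device_seen_from_foo(0));   /* tunl0, the wrong device */
    printf("post-series: ipip1@%s\n", linked_device_seen_from_foo(1));   /* eth0 in init_net */
    return 0;
}
```

The point of the parser is the fall-back in resolve_link: a consumer that does not see IFLA_LINK_NETNSID has no choice but to look the ifindex up in its own namespace, which is exactly how 'ip link' ended up printing tunl0 in the mail. Note that the id is still only a handle; as the mail says, turning it into a netns requires a reference to that netns from elsewhere, which this example does not model.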