Re: VRF-like use of Network Namespaces

[ebiederm-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org (Eric W. Biederman)]

Daniel Lezcano <daniel.lezcano-GANU6spQydw@public.gmane.org> writes:

> On 06/11/2010 04:47 PM, Mathieu Peresse wrote:
>> Hi,
>>
>> [this is related to the use of Eric Biederman's new set of patches for named
>> netns / netns switching]
>>
>> ok so I successfully modified /sbin/ip. I can now:
>> - add/del a new netns by name: "ip netns {addns,delns} ns_name"
>> ->  The namespace files are mounted on /var/run/netns/ns_name (so you have to
>> mkdir /var/run/netns/ for this to work).
>>    
>
> IMHO, the ip command is not suitable for this, it does not write 
> anything to the fs.

It does configuration by all kinds of means.  As far as it goes I
think the ip command is perfectly suitable in this particular
situation.  Having a vrf functionality in linux is very desirable.

Getting this into ip has the major advantage that we will have a defacto
standard, and using IFLA_NET_NS_FD makes a lot more sense if everything
is in ip.

> You should write you own command, which can be a perl script using the 
> 'unshare' command (util-linux package on my distro).
>
> vrf create <name>
> vrf delete <name>
> vrf attach <name>
> vrf list
>
> vrf create will bind mount the ns at the place you decided in the script 
> (eg. a tmpfs in order to keep the directory consistent across (unclean) 
> reboots).
>
>> - list netns: "ip netns show"
>> - use /sbin/ip in any named netns: "ip -netns ns_name link show"
>>
>> (rough patch against current git tree attached)
>>
>> I want now to move devices across namespaces using their filesystem names
>> (instead of using PIDs...). I'm not sure I can do it in userspace with the
>> current code yet, can I ?
>>    
> No, you can do that only with pids, but why don't you move the devices 
> at the create time ?
> You have all the latitude to do that, no ?

Does my published tree not have IFLA_NET_NS_FD in it?

>> I saw there was a rtnetlink attribute to set the netns of a device but it
>> uses the PID of a namespace owner to do so... within 'ip' i can refer to
>> only one namespace (i.e. the one that 'ip' task_struct->ns_proxy currently
>> points to), so I won't be able to move an interface from outside my
>> namespace to my namespace...
>> I hope my explanation is clear and that this will get some interest... :)
>>    
>
> Your 'create' command can open a fd to its current  netns, unshare a new 
> namespace, bind mount it, and then return to the previously saved netns.
>
>> BTW is this the right ML to post this on ?
>>    
>
> Well, this is something related to a subsystem of the containers, so it 
> has some interest but I would suggest to send to the netdev@ mailing 
> list (netdev-u79uwXL29TY76Z2rM5mHXA@public.gmane.org), maybe cc'ing this mailing list.

Anyway it looks like time to post the core of my patchset for review,
and get things moving on this.

Eric