Automatic TAP destruction/Monitoring namespace destruction

Automatic TAP destruction/Monitoring namespace destruction

[Andrew Cann]

[-- Attachment #1: Type: text/plain, Size: 1290 bytes --]

Hi Linux people, I hope this is an appropriate place to ask this..

In a program I'm writing I have a network namespace with a virtual (TAP)
network interface assigned to it. I would like it so that the interface is
automatically destroyed when the namespace is destroyed (ie. when the last
process in the namespace exits). I can't see any way to implement this..

As I understand it, when a namespace is destroyed all its interfaces are moved
to the root namespace. If this is the case, is there anyway to detect when an
interface is moved so that I can close it manually? Alternatively, is there a
way to detect when a namespace is destroyed?

I figured it might possible to use inotify to do this, but it won't let me
watch directories under /proc. Also the files under /proc/*/ns/ seem to be some
kind of wierd symlink-to-a-raw-inode-thing (?) - is there a way to detect when
an inode is destroyed that I can use with these?

I also thought it might be possible to use a netlink socket to detect when an
interface changes namespace. But the netlink docs don't seem to suggest that
this is possible.

Basically I'm looking for any event the Linux kernel can give me that I can use
to implement what I want. Does anyone have any ideas?

Thanks for any help anyone can give me.
 - Andrew


[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 819 bytes --]

Re: Automatic TAP destruction/Monitoring namespace destruction

[Jiri Benc]

On Fri, 23 Feb 2018 04:39:37 -0500, Andrew Cann wrote:
> In a program I'm writing I have a network namespace with a virtual (TAP)
> network interface assigned to it. I would like it so that the interface is
> automatically destroyed when the namespace is destroyed (ie. when the last
> process in the namespace exits). I can't see any way to implement this..

This should just work.

> As I understand it, when a namespace is destroyed all its interfaces are moved
> to the root namespace. If this is the case, is there anyway to detect when an
> interface is moved so that I can close it manually?

It is the case only for interfaces backed by a physical device. Virtual
interfaces are deleted when the netns is destroyed. That includes
tun/tap interfaces.

> Alternatively, is there a way to detect when a namespace is destroyed?

I don't think we emit any netlink event on netns exit.

> I figured it might possible to use inotify to do this, but it won't let me
> watch directories under /proc. Also the files under /proc/*/ns/ seem to be some
> kind of wierd symlink-to-a-raw-inode-thing (?) - is there a way to detect when
> an inode is destroyed that I can use with these?

You'd need this patchset: https://lkml.org/lkml/2016/10/15/40 but
I don't think it went anywhere. Plus it probably wouldn't be enough
anyway.

> I also thought it might be possible to use a netlink socket to detect when an
> interface changes namespace. But the netlink docs don't seem to suggest that
> this is possible.

Yes, that's possible. You'll need a recent kernel with commit
e8368d9ebb94 included.

> Basically I'm looking for any event the Linux kernel can give me that I can use
> to implement what I want. Does anyone have any ideas?

What you want should already be happening automatically. Have you tried?

ip netns add ns0
ip -n ns0 tuntap add name tap0 mode tap
ip -n ns0 link show dev tap0
ip netns del ns0
ip a	# no tap interface

 Jiri