Question about netns & AF_UNIX

Question about netns & AF_UNIX

[Martín Ferrari]

Hi, again a question about netns...

I seem to recall being able to use AF_UNIX sockets across network name
spaces, but I cannot reproduce that with a current kernel. Probably my
test was fubar (I've lost the script).

In any case: is a design decision to forbid this, even when the file
system is shared? I found some discussions from 2008, but I don't see
an agreement being reached...

I also wonder if filedescriptor passing thru ancilliary messages will
work (that is, with unix sockets that I've created before the netns
change).

Thanks

-- 
Martín Ferrari

Re: Question about netns & AF_UNIX

[Dan Smith]

MF> I seem to recall being able to use AF_UNIX sockets across network name
MF> spaces, but I cannot reproduce that with a current kernel. Probably my
MF> test was fubar (I've lost the script).

If you are in different network namespaces, the binding of UNIX
sockets is also kept separate.  Even though the filesystem is shared,
this seems to make the most sense to me.  Named pipes on the
filesystem would still be shared, by the way.

MF> I also wonder if filedescriptor passing thru ancilliary messages will
MF> work (that is, with unix sockets that I've created before the netns
MF> change).

I think that will work, as will binding a socket and then doing a
setns().

-- 
Dan Smith
IBM Linux Technology Center
email: danms@us.ibm.com

Re: Question about netns & AF_UNIX

[Daniel Lezcano]

On 05/27/2010 04:38 PM, Martín Ferrari wrote:
> Hi, again a question about netns...
>
> I seem to recall being able to use AF_UNIX sockets across network name
> spaces, but I cannot reproduce that with a current kernel. Probably my
> test was fubar (I've lost the script).
>    

No, that was never the case. Maybe you tested with a patched kernel 
allowing to cross-namespace connect.
> In any case: is a design decision to forbid this, even when the file
> system is shared? I found some discussions from 2008, but I don't see
> an agreement being reached...
>    

There was a discussion about that but with a simple hack removing the 
test against the namespace when connecting.
The problem is nobody investigated that against credentials in ancillary 
messages, or other particularity of the af_unix socket vs the namespaces.

> I also wonder if filedescriptor passing thru ancilliary messages will
> work (that is, with unix sockets that I've created before the netns
> change).
>    

Yes.

Thanks
   -- Daniel

Re: Question about netns & AF_UNIX

[Martín Ferrari]

Hi,

On Thu, May 27, 2010 at 20:08, Dan Smith <danms@us.ibm.com> wrote:

> If you are in different network namespaces, the binding of UNIX
> sockets is also kept separate.  Even though the filesystem is shared,
> this seems to make the most sense to me.

To me it was the opposite, I thought natural that UNIX sockets would
continue to work, at least when they are bound to a filesystem entry.
Also it is a nice and clean way to communicate across namespaces
without assuming lots of things about the network configuration.

> Named pipes on the
> filesystem would still be shared, by the way.

Yes, today I've tried with named pipes and worked. It's just that they
aren't as nice as UNIX sockets :)

Thanks.



-- 
Martín Ferrari