[PATCH iproute2] ip/netns: avoid redundant mounts

public inbox for netdev@vger.kernel.org
 help / color / mirror / Atom feed

* [PATCH iproute2] ip/netns: avoid redundant mounts
@ 2026-02-10  4:11 Chen Linxuan via B4 Relay
  2026-02-18  3:24 ` David Ahern
  0 siblings, 1 reply; 6+ messages in thread
From: Chen Linxuan via B4 Relay @ 2026-02-10  4:11 UTC (permalink / raw)
  To: Stephen Hemminger
  Cc: David Ahern, netdev, Eric W. Biederman, Lennart Poettering,
	Luca Boccassi, Chen Linxuan

From: Chen Linxuan <me@black-desk.cn>

On Ubuntu 24.04, I observed redundant mounts after adding a netns with
the commands below:

	sudo ip netns add xxx
	cat /proc/self/mountinfo | grep /run

Output:

	29 31 0:26 / /run rw,nosuid,nodev,noexec,relatime shared:5 - tmpfs tmpfs ...
	...
	203 29 0:26 /netns /run/netns rw,nosuid,nodev,noexec,relatime shared:5 - tmpfs tmpfs ...
	6443 203 0:4 net:[4026533578] /run/netns/xxx rw shared:917 - nsfs nsfs rw
	6444 29 0:4 net:[4026533578] /run/netns/xxx rw shared:917 - nsfs nsfs rw

There are two mounts (6443 and 6444) related to the "xxx" netns created
above.

This redundancy occurs because systemd changed the default system mount
propagation to "shared" since commit b3ac5f8cb987 ("mount-setup: change
system mount propagation to shared by default"). Consequently, mount
propagation of `/run` is shared.

Link: https://docs.kernel.org/filesystems/sharedsubtree.html
Link: https://github.com/systemd/systemd/commit/b3ac5f8cb98757416d8660023d6564a7c411f0a0

When `ip netns` makes `/run/netns` a mount point, a new bind mount (203)
is created and attached to the same peer group as mount 29. Since mount
29 and 203 are in the same peer group (shared:5), any mount under 203
propagates back to 29, resulting in the redundant mount 6444.

To prevent this, `/run/netns` should be placed in a new peer group. This
can be achieved by reconfiguring `/run/netns` to MS_PRIVATE first, and
then to MS_SHARED again.

With this patch applied, the redundant mount is no longer present, and
`/run/netns` is in a new peer group (917):

	29 31 0:26 / /run rw,nosuid,nodev,noexec,relatime shared:5 - tmpfs tmpfs ...
	...
	203 29 0:26 /netns /run/netns rw,nosuid,nodev,noexec,relatime shared:917 - tmpfs tmpfs ...
	6443 203 0:4 net:[4026533578] /run/netns/xxx rw shared:918 - nsfs nsfs rw

I also verified that mount propagation to containers remains functional.

Signed-off-by: Chen Linxuan <me@black-desk.cn>
---
 ip/ipnetns.c | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/ip/ipnetns.c b/ip/ipnetns.c
index a20cd8bc7cb8..3a33a3adacee 100644
--- a/ip/ipnetns.c
+++ b/ip/ipnetns.c
@@ -846,6 +846,20 @@ static int netns_add(int argc, char **argv, bool create)
 			}
 			return -1;
 		}
+
+		/* Reconfigure NETNS_RUN_DIR to MS_PRIVATE recursively and later
+		 * MS_SAHRED again to make sure it is placed in a new peer group
+		 */
+		if (mount(NETNS_RUN_DIR, NETNS_RUN_DIR, "none", MS_PRIVATE | MS_REC, NULL)) {
+			fprintf(stderr, "mount --make-private %s failed: %s\n",
+				NETNS_RUN_DIR, strerror(errno));
+			if (lock != -1) {
+				flock(lock, LOCK_UN);
+				close(lock);
+			}
+			return -1;
+		}
+
 		made_netns_run_dir_mount = 1;
 	}
 	if (lock != -1) {

---
base-commit: 72f679c0d07629fe9e462c2c52bbe48aaeaa7f83
change-id: 20260210-netns-redundant-mount-aa2db50eac7d

Best regards,
-- 
Chen Linxuan <me@black-desk.cn>

^ permalink raw reply related	[flat|nested] 6+ messages in thread

* Re: [PATCH iproute2] ip/netns: avoid redundant mounts
  2026-02-10  4:11 [PATCH iproute2] ip/netns: avoid redundant mounts Chen Linxuan via B4 Relay
@ 2026-02-18  3:24 ` David Ahern
  2026-02-25  1:21   ` Chen Linxuan
  0 siblings, 1 reply; 6+ messages in thread
From: David Ahern @ 2026-02-18  3:24 UTC (permalink / raw)
  To: me, Stephen Hemminger
  Cc: David Ahern, netdev, Eric W. Biederman, Lennart Poettering,
	Luca Boccassi

On 2/9/26 9:11 PM, Chen Linxuan via B4 Relay wrote:
> From: Chen Linxuan <me@black-desk.cn>
> 
> On Ubuntu 24.04, I observed redundant mounts after adding a netns with
> the commands below:
> 
> 	sudo ip netns add xxx
> 	cat /proc/self/mountinfo | grep /run
> 
> Output:
> 
> 	29 31 0:26 / /run rw,nosuid,nodev,noexec,relatime shared:5 - tmpfs tmpfs ...
> 	...
> 	203 29 0:26 /netns /run/netns rw,nosuid,nodev,noexec,relatime shared:5 - tmpfs tmpfs ...
> 	6443 203 0:4 net:[4026533578] /run/netns/xxx rw shared:917 - nsfs nsfs rw
> 	6444 29 0:4 net:[4026533578] /run/netns/xxx rw shared:917 - nsfs nsfs rw

with this patch I am still seeing 2 entries:

$ sudo ./ip netns add blah
$ cat /proc/self/mountinfo  | grep blah
337 92 0:4 net:[4026532418] /run/netns/blah rw shared:344 - nsfs nsfs rw
338 28 0:4 net:[4026532418] /run/netns/blah rw shared:344 - nsfs nsfs rw

...

> diff --git a/ip/ipnetns.c b/ip/ipnetns.c
> index a20cd8bc7cb8..3a33a3adacee 100644
> --- a/ip/ipnetns.c
> +++ b/ip/ipnetns.c
> @@ -846,6 +846,20 @@ static int netns_add(int argc, char **argv, bool create)
>  			}
>  			return -1;
>  		}
> +
> +		/* Reconfigure NETNS_RUN_DIR to MS_PRIVATE recursively and later
> +		 * MS_SAHRED again to make sure it is placed in a new peer group
> +		 */
> +		if (mount(NETNS_RUN_DIR, NETNS_RUN_DIR, "none", MS_PRIVATE | MS_REC, NULL)) {

line is rather long. please limit line length to about 80 columns except
for print strings like the next line.

> +			fprintf(stderr, "mount --make-private %s failed: %s\n",
> +				NETNS_RUN_DIR, strerror(errno));
> +			if (lock != -1) {
> +				flock(lock, LOCK_UN);
> +				close(lock);
> +			}
> +			return -1;
> +		}
> +
>  		made_netns_run_dir_mount = 1;
>  	}
>  	if (lock != -1) {
> 
> ---
> base-commit: 72f679c0d07629fe9e462c2c52bbe48aaeaa7f83
> change-id: 20260210-netns-redundant-mount-aa2db50eac7d
> 
> Best regards,


^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: [PATCH iproute2] ip/netns: avoid redundant mounts
  2026-02-18  3:24 ` David Ahern
@ 2026-02-25  1:21   ` Chen Linxuan
  2026-02-27 20:30     ` David Ahern
  0 siblings, 1 reply; 6+ messages in thread
From: Chen Linxuan @ 2026-02-25  1:21 UTC (permalink / raw)
  To: David Ahern
  Cc: me, Stephen Hemminger, netdev, Eric W. Biederman,
	Lennart Poettering, Luca Boccassi

On Wed, Feb 18, 2026 at 11:24 AM David Ahern <dsahern@kernel.org> wrote:
>
> On 2/9/26 9:11 PM, Chen Linxuan via B4 Relay wrote:
> > From: Chen Linxuan <me@black-desk.cn>
> >
> > On Ubuntu 24.04, I observed redundant mounts after adding a netns with
> > the commands below:
> >
> >       sudo ip netns add xxx
> >       cat /proc/self/mountinfo | grep /run
> >
> > Output:
> >
> >       29 31 0:26 / /run rw,nosuid,nodev,noexec,relatime shared:5 - tmpfs tmpfs ...
> >       ...
> >       203 29 0:26 /netns /run/netns rw,nosuid,nodev,noexec,relatime shared:5 - tmpfs tmpfs ...
> >       6443 203 0:4 net:[4026533578] /run/netns/xxx rw shared:917 - nsfs nsfs rw
> >       6444 29 0:4 net:[4026533578] /run/netns/xxx rw shared:917 - nsfs nsfs rw
>
> with this patch I am still seeing 2 entries:
>
> $ sudo ./ip netns add blah
> $ cat /proc/self/mountinfo  | grep blah
> 337 92 0:4 net:[4026532418] /run/netns/blah rw shared:344 - nsfs nsfs rw
> 338 28 0:4 net:[4026532418] /run/netns/blah rw shared:344 - nsfs nsfs rw

It seems like your old `ip` might have create the /run/netns mount point.
After remove all netns then umount /run/netns, and ip netns add blah again.
You should see only one entries.

I don't think we should consider correcting the mount point created by old code.

>
> ...
>
> > diff --git a/ip/ipnetns.c b/ip/ipnetns.c
> > index a20cd8bc7cb8..3a33a3adacee 100644
> > --- a/ip/ipnetns.c
> > +++ b/ip/ipnetns.c
> > @@ -846,6 +846,20 @@ static int netns_add(int argc, char **argv, bool create)
> >                       }
> >                       return -1;
> >               }
> > +
> > +             /* Reconfigure NETNS_RUN_DIR to MS_PRIVATE recursively and later
> > +              * MS_SAHRED again to make sure it is placed in a new peer group
> > +              */
> > +             if (mount(NETNS_RUN_DIR, NETNS_RUN_DIR, "none", MS_PRIVATE | MS_REC, NULL)) {
>
> line is rather long. please limit line length to about 80 columns except
> for print strings like the next line.
>
> > +                     fprintf(stderr, "mount --make-private %s failed: %s\n",
> > +                             NETNS_RUN_DIR, strerror(errno));
> > +                     if (lock != -1) {
> > +                             flock(lock, LOCK_UN);
> > +                             close(lock);
> > +                     }
> > +                     return -1;
> > +             }
> > +
> >               made_netns_run_dir_mount = 1;
> >       }
> >       if (lock != -1) {
> >
> > ---
> > base-commit: 72f679c0d07629fe9e462c2c52bbe48aaeaa7f83
> > change-id: 20260210-netns-redundant-mount-aa2db50eac7d
> >
> > Best regards,
>
>

^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: [PATCH iproute2] ip/netns: avoid redundant mounts
  2026-02-25  1:21   ` Chen Linxuan
@ 2026-02-27 20:30     ` David Ahern
  2026-02-28  1:36       ` Chen Linxuan
  0 siblings, 1 reply; 6+ messages in thread
From: David Ahern @ 2026-02-27 20:30 UTC (permalink / raw)
  To: Chen Linxuan
  Cc: Stephen Hemminger, netdev, Eric W. Biederman, Lennart Poettering,
	Luca Boccassi

On 2/24/26 6:21 PM, Chen Linxuan wrote:
>> with this patch I am still seeing 2 entries:
>>
>> $ sudo ./ip netns add blah
>> $ cat /proc/self/mountinfo  | grep blah
>> 337 92 0:4 net:[4026532418] /run/netns/blah rw shared:344 - nsfs nsfs rw
>> 338 28 0:4 net:[4026532418] /run/netns/blah rw shared:344 - nsfs nsfs rw
> 
> It seems like your old `ip` might have create the /run/netns mount point.
> After remove all netns then umount /run/netns, and ip netns add blah again.
> You should see only one entries.

Fair point. I no longer have the patch, so send it again and I will try
a test in a new VM.



^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: [PATCH iproute2] ip/netns: avoid redundant mounts
  2026-02-27 20:30     ` David Ahern
@ 2026-02-28  1:36       ` Chen Linxuan
  2026-02-28 16:34         ` David Ahern
  0 siblings, 1 reply; 6+ messages in thread
From: Chen Linxuan @ 2026-02-28  1:36 UTC (permalink / raw)
  To: David Ahern
  Cc: Chen Linxuan, Stephen Hemminger, netdev, Eric W. Biederman,
	Lennart Poettering, Luca Boccassi

On Sat, Feb 28, 2026 at 4:30 AM David Ahern <dsahern@kernel.org> wrote:
>
> On 2/24/26 6:21 PM, Chen Linxuan wrote:
> >> with this patch I am still seeing 2 entries:
> >>
> >> $ sudo ./ip netns add blah
> >> $ cat /proc/self/mountinfo  | grep blah
> >> 337 92 0:4 net:[4026532418] /run/netns/blah rw shared:344 - nsfs nsfs rw
> >> 338 28 0:4 net:[4026532418] /run/netns/blah rw shared:344 - nsfs nsfs rw
> >
> > It seems like your old `ip` might have create the /run/netns mount point.
> > After remove all netns then umount /run/netns, and ip netns add blah again.
> > You should see only one entries.
>
> Fair point. I no longer have the patch, so send it again and I will try
> a test in a new VM.

Why has this patch been applied?
https://git.kernel.org/pub/scm/network/iproute2/iproute2.git/commit/?id=82c8b9fe511e6c503ef60c16eebc7a715c3189eb

What is going on here?

>
>
>

^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: [PATCH iproute2] ip/netns: avoid redundant mounts
  2026-02-28  1:36       ` Chen Linxuan
@ 2026-02-28 16:34         ` David Ahern
  0 siblings, 0 replies; 6+ messages in thread
From: David Ahern @ 2026-02-28 16:34 UTC (permalink / raw)
  To: Chen Linxuan
  Cc: Stephen Hemminger, netdev, Eric W. Biederman, Lennart Poettering,
	Luca Boccassi

On 2/27/26 6:36 PM, Chen Linxuan wrote:
> On Sat, Feb 28, 2026 at 4:30 AM David Ahern <dsahern@kernel.org> wrote:
>>
>> On 2/24/26 6:21 PM, Chen Linxuan wrote:
>>>> with this patch I am still seeing 2 entries:
>>>>
>>>> $ sudo ./ip netns add blah
>>>> $ cat /proc/self/mountinfo  | grep blah
>>>> 337 92 0:4 net:[4026532418] /run/netns/blah rw shared:344 - nsfs nsfs rw
>>>> 338 28 0:4 net:[4026532418] /run/netns/blah rw shared:344 - nsfs nsfs rw
>>>
>>> It seems like your old `ip` might have create the /run/netns mount point.
>>> After remove all netns then umount /run/netns, and ip netns add blah again.
>>> You should see only one entries.
>>
>> Fair point. I no longer have the patch, so send it again and I will try
>> a test in a new VM.
> 
> Why has this patch been applied?
> https://git.kernel.org/pub/scm/network/iproute2/iproute2.git/commit/?id=82c8b9fe511e6c503ef60c16eebc7a715c3189eb
> 
> What is going on here?
> 

ugh. my mistake after testing and noting the above; I did not drop the
commit. I'll re-test when I get some time.


^ permalink raw reply	[flat|nested] 6+ messages in thread

end of thread, other threads:[~2026-02-28 16:34 UTC | newest]

Thread overview: 6+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-02-10  4:11 [PATCH iproute2] ip/netns: avoid redundant mounts Chen Linxuan via B4 Relay
2026-02-18  3:24 ` David Ahern
2026-02-25  1:21   ` Chen Linxuan
2026-02-27 20:30     ` David Ahern
2026-02-28  1:36       ` Chen Linxuan
2026-02-28 16:34         ` David Ahern

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox