public inbox for netdev@vger.kernel.org
* [PATCH iproute2] ip/netns: avoid redundant mounts
@ 2026-02-10  4:11 Chen Linxuan via B4 Relay
  2026-02-18  3:24 ` David Ahern
  0 siblings, 1 reply; 6+ messages in thread
From: Chen Linxuan via B4 Relay @ 2026-02-10  4:11 UTC (permalink / raw)
  To: Stephen Hemminger
  Cc: David Ahern, netdev, Eric W. Biederman, Lennart Poettering,
	Luca Boccassi, Chen Linxuan

From: Chen Linxuan <me@black-desk.cn>

On Ubuntu 24.04, I observed redundant mounts after adding a netns with
the commands below:

	sudo ip netns add xxx
	cat /proc/self/mountinfo | grep /run

Output:

	29 31 0:26 / /run rw,nosuid,nodev,noexec,relatime shared:5 - tmpfs tmpfs ...
	...
	203 29 0:26 /netns /run/netns rw,nosuid,nodev,noexec,relatime shared:5 - tmpfs tmpfs ...
	6443 203 0:4 net:[4026533578] /run/netns/xxx rw shared:917 - nsfs nsfs rw
	6444 29 0:4 net:[4026533578] /run/netns/xxx rw shared:917 - nsfs nsfs rw

There are two mounts (6443 and 6444) related to the "xxx" netns created
above.

This redundancy occurs because systemd changed the default system mount
propagation to "shared" since commit b3ac5f8cb987 ("mount-setup: change
system mount propagation to shared by default"). Consequently, mount
propagation of `/run` is shared.

Link: https://docs.kernel.org/filesystems/sharedsubtree.html
Link: https://github.com/systemd/systemd/commit/b3ac5f8cb98757416d8660023d6564a7c411f0a0

When `ip netns` makes `/run/netns` a mount point, a new bind mount (203)
is created and attached to the same peer group as mount 29. Since mount
29 and 203 are in the same peer group (shared:5), any mount under 203
propagates back to 29, resulting in the redundant mount 6444.

To prevent this, `/run/netns` should be placed in a new peer group. This
can be achieved by reconfiguring `/run/netns` to MS_PRIVATE first, and
then to MS_SHARED again.

With this patch applied, the redundant mount is no longer present, and
`/run/netns` is in a new peer group (917):

	29 31 0:26 / /run rw,nosuid,nodev,noexec,relatime shared:5 - tmpfs tmpfs ...
	...
	203 29 0:26 /netns /run/netns rw,nosuid,nodev,noexec,relatime shared:917 - tmpfs tmpfs ...
	6443 203 0:4 net:[4026533578] /run/netns/xxx rw shared:918 - nsfs nsfs rw

I also verified that mount propagation to containers remains functional.

Signed-off-by: Chen Linxuan <me@black-desk.cn>
---
 ip/ipnetns.c | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/ip/ipnetns.c b/ip/ipnetns.c
index a20cd8bc7cb8..3a33a3adacee 100644
--- a/ip/ipnetns.c
+++ b/ip/ipnetns.c
@@ -846,6 +846,20 @@ static int netns_add(int argc, char **argv, bool create)
 			}
 			return -1;
 		}
+
+		/* Reconfigure NETNS_RUN_DIR to MS_PRIVATE recursively and later
+		 * MS_SAHRED again to make sure it is placed in a new peer group
+		 */
+		if (mount(NETNS_RUN_DIR, NETNS_RUN_DIR, "none", MS_PRIVATE | MS_REC, NULL)) {
+			fprintf(stderr, "mount --make-private %s failed: %s\n",
+				NETNS_RUN_DIR, strerror(errno));
+			if (lock != -1) {
+				flock(lock, LOCK_UN);
+				close(lock);
+			}
+			return -1;
+		}
+
 		made_netns_run_dir_mount = 1;
 	}
 	if (lock != -1) {
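
Review bot: The comment above the new mount() call says NETNS_RUN_DIR is made MS_PRIVATE "and later MS_SAHRED again", but the only call added in this hunk is the MS_PRIVATE | MS_REC one, and nothing visible here shows where the directory is re-shared. Please say in the comment which existing call does the MS_SHARED step (or add it), and correct the spelling to MS_SHARED. The mount() line also runs well past 80 columns and should be wrapped. The failure branch repeats the flock(lock, LOCK_UN) / close(lock) cleanup inline; a common exit path would keep the unlock logic in one place.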

---
base-commit: 72f679c0d07629fe9e462c2c52bbe48aaeaa7f83
change-id: 20260210-netns-redundant-mount-aa2db50eac7d

Best regards,
-- 
Chen Linxuan <me@black-desk.cn>
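
Added example, not part of the original message or of iproute2: a Python 3 check for the condition described above, run over the two mountinfo listings from the message. It reports nsfs mounts that appear more than once and whether `/run/netns` is still in its parent's peer group; the function names are hypothetical.

```python
from collections import defaultdict

# Constructed samples: mountinfo lines from the message, "..." replaced by "rw".
BEFORE = """\
29 31 0:26 / /run rw,nosuid,nodev,noexec,relatime shared:5 - tmpfs tmpfs rw
203 29 0:26 /netns /run/netns rw,nosuid,nodev,noexec,relatime shared:5 - tmpfs tmpfs rw
6443 203 0:4 net:[4026533578] /run/netns/xxx rw shared:917 - nsfs nsfs rw
6444 29 0:4 net:[4026533578] /run/netns/xxx rw shared:917 - nsfs nsfs rw
"""
AFTER = """\
29 31 0:26 / /run rw,nosuid,nodev,noexec,relatime shared:5 - tmpfs tmpfs rw
203 29 0:26 /netns /run/netns rw,nosuid,nodev,noexec,relatime shared:917 - tmpfs tmpfs rw
6443 203 0:4 net:[4026533578] /run/netns/xxx rw shared:918 - nsfs nsfs rw
"""

def parse_mountinfo(text):
    """Parse /proc/<pid>/mountinfo text into a list of dicts (format: proc(5))."""
    mounts = []
    for line in text.splitlines():
        left, sep, right = line.partition(" - ")  # "-" ends the optional fields
        fields = left.split()
        if not sep or len(fields) < 6 or not right.split():
            continue  # skip malformed or truncated lines
        # Optional fields (fields[6:]) carry propagation tags such as shared:N.
        peer = next((int(t[7:]) for t in fields[6:] if t.startswith("shared:")), None)
        mounts.append({"id": int(fields[0]), "parent": int(fields[1]),
                       "root": fields[3], "mount_point": fields[4],
                       "peer_group": peer, "fstype": right.split()[0]})
    return mounts

def redundant_nsfs_mounts(mounts):
    """Map (root, mount point) -> mount IDs for nsfs mounts seen more than once."""
    seen = defaultdict(list)
    for m in mounts:
        if m["fstype"] == "nsfs":
            seen[(m["root"], m["mount_point"])].append(m["id"])
    return {key: sorted(ids) for key, ids in seen.items() if len(ids) > 1}

def shares_parent_peer_group(mounts, mount_point):
    """True if a mount at mount_point is in the same peer group as its parent."""
    peer_of = {m["id"]: m["peer_group"] for m in mounts}
    return any(m["mount_point"] == mount_point and m["peer_group"] is not None
               and m["peer_group"] == peer_of.get(m["parent"])
               for m in mounts)

if __name__ == "__main__":
    for text in (BEFORE, AFTER):
        m = parse_mountinfo(text)
        print(redundant_nsfs_mounts(m), shares_parent_peer_group(m, "/run/netns"))
```

On a live host, pass the contents of `/proc/self/mountinfo` to `parse_mountinfo` instead of the embedded samples.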




* Re: [PATCH iproute2] ip/netns: avoid redundant mounts
  2026-02-10  4:11 [PATCH iproute2] ip/netns: avoid redundant mounts Chen Linxuan via B4 Relay
@ 2026-02-18  3:24 ` David Ahern
  2026-02-25  1:21   ` Chen Linxuan
  0 siblings, 1 reply; 6+ messages in thread
From: David Ahern @ 2026-02-18  3:24 UTC (permalink / raw)
  To: me, Stephen Hemminger
  Cc: David Ahern, netdev, Eric W. Biederman, Lennart Poettering,
	Luca Boccassi

On 2/9/26 9:11 PM, Chen Linxuan via B4 Relay wrote:
> From: Chen Linxuan <me@black-desk.cn>
> 
> On Ubuntu 24.04, I observed redundant mounts after adding a netns with
> the commands below:
> 
> 	sudo ip netns add xxx
> 	cat /proc/self/mountinfo | grep /run
> 
> Output:
> 
> 	29 31 0:26 / /run rw,nosuid,nodev,noexec,relatime shared:5 - tmpfs tmpfs ...
> 	...
> 	203 29 0:26 /netns /run/netns rw,nosuid,nodev,noexec,relatime shared:5 - tmpfs tmpfs ...
> 	6443 203 0:4 net:[4026533578] /run/netns/xxx rw shared:917 - nsfs nsfs rw
> 	6444 29 0:4 net:[4026533578] /run/netns/xxx rw shared:917 - nsfs nsfs rw

with this patch I am still seeing 2 entries:

$ sudo ./ip netns add blah
$ cat /proc/self/mountinfo  | grep blah
337 92 0:4 net:[4026532418] /run/netns/blah rw shared:344 - nsfs nsfs rw
338 28 0:4 net:[4026532418] /run/netns/blah rw shared:344 - nsfs nsfs rw

...

> diff --git a/ip/ipnetns.c b/ip/ipnetns.c
> index a20cd8bc7cb8..3a33a3adacee 100644
> --- a/ip/ipnetns.c
> +++ b/ip/ipnetns.c
> @@ -846,6 +846,20 @@ static int netns_add(int argc, char **argv, bool create)
>  			}
>  			return -1;
>  		}
> +
> +		/* Reconfigure NETNS_RUN_DIR to MS_PRIVATE recursively and later
> +		 * MS_SAHRED again to make sure it is placed in a new peer group
> +		 */
> +		if (mount(NETNS_RUN_DIR, NETNS_RUN_DIR, "none", MS_PRIVATE | MS_REC, NULL)) {

line is rather long. please limit line length to about 80 columns except
for print strings like the next line.

> +			fprintf(stderr, "mount --make-private %s failed: %s\n",
> +				NETNS_RUN_DIR, strerror(errno));
> +			if (lock != -1) {
> +				flock(lock, LOCK_UN);
> +				close(lock);
> +			}
> +			return -1;
> +		}
> +
>  		made_netns_run_dir_mount = 1;
>  	}
>  	if (lock != -1) {
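
Review bot: The new mount() call sits in the block that ends with made_netns_run_dir_mount = 1, so judging by that flag it runs only when this invocation turns NETNS_RUN_DIR into a mount point; a /run/netns mount that already exists keeps whatever peer group it had. The commit message should state that limitation and give the steps needed to test on a host where /run/netns is already mounted, since the mountinfo output shown in the message assumes a fresh mount.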
> 
> ---
> base-commit: 72f679c0d07629fe9e462c2c52bbe48aaeaa7f83
> change-id: 20260210-netns-redundant-mount-aa2db50eac7d
> 
> Best regards,



* Re: [PATCH iproute2] ip/netns: avoid redundant mounts
  2026-02-18  3:24 ` David Ahern
@ 2026-02-25  1:21   ` Chen Linxuan
  2026-02-27 20:30     ` David Ahern
  0 siblings, 1 reply; 6+ messages in thread
From: Chen Linxuan @ 2026-02-25  1:21 UTC (permalink / raw)
  To: David Ahern
  Cc: me, Stephen Hemminger, netdev, Eric W. Biederman,
	Lennart Poettering, Luca Boccassi

On Wed, Feb 18, 2026 at 11:24 AM David Ahern <dsahern@kernel.org> wrote:
>
> On 2/9/26 9:11 PM, Chen Linxuan via B4 Relay wrote:
> > From: Chen Linxuan <me@black-desk.cn>
> >
> > On Ubuntu 24.04, I observed redundant mounts after adding a netns with
> > the commands below:
> >
> >       sudo ip netns add xxx
> >       cat /proc/self/mountinfo | grep /run
> >
> > Output:
> >
> >       29 31 0:26 / /run rw,nosuid,nodev,noexec,relatime shared:5 - tmpfs tmpfs ...
> >       ...
> >       203 29 0:26 /netns /run/netns rw,nosuid,nodev,noexec,relatime shared:5 - tmpfs tmpfs ...
> >       6443 203 0:4 net:[4026533578] /run/netns/xxx rw shared:917 - nsfs nsfs rw
> >       6444 29 0:4 net:[4026533578] /run/netns/xxx rw shared:917 - nsfs nsfs rw
>
> with this patch I am still seeing 2 entries:
>
> $ sudo ./ip netns add blah
> $ cat /proc/self/mountinfo  | grep blah
> 337 92 0:4 net:[4026532418] /run/netns/blah rw shared:344 - nsfs nsfs rw
> 338 28 0:4 net:[4026532418] /run/netns/blah rw shared:344 - nsfs nsfs rw

It seems like your old `ip` might have created the /run/netns mount point.
After removing all netns and then umounting /run/netns, run ip netns add blah again.
You should see only one entry.

I don't think we should consider correcting the mount point created by old code.

>
> ...
>
> > diff --git a/ip/ipnetns.c b/ip/ipnetns.c
> > index a20cd8bc7cb8..3a33a3adacee 100644
> > --- a/ip/ipnetns.c
> > +++ b/ip/ipnetns.c
> > @@ -846,6 +846,20 @@ static int netns_add(int argc, char **argv, bool create)
> >                       }
> >                       return -1;
> >               }
> > +
> > +             /* Reconfigure NETNS_RUN_DIR to MS_PRIVATE recursively and later
> > +              * MS_SAHRED again to make sure it is placed in a new peer group
> > +              */
> > +             if (mount(NETNS_RUN_DIR, NETNS_RUN_DIR, "none", MS_PRIVATE | MS_REC, NULL)) {
>
> line is rather long. please limit line length to about 80 columns except
> for print strings like the next line.
>
> > +                     fprintf(stderr, "mount --make-private %s failed: %s\n",
> > +                             NETNS_RUN_DIR, strerror(errno));
> > +                     if (lock != -1) {
> > +                             flock(lock, LOCK_UN);
> > +                             close(lock);
> > +                     }
> > +                     return -1;
> > +             }
> > +
> >               made_netns_run_dir_mount = 1;
> >       }
> >       if (lock != -1) {
> >
> > ---
> > base-commit: 72f679c0d07629fe9e462c2c52bbe48aaeaa7f83
> > change-id: 20260210-netns-redundant-mount-aa2db50eac7d
> >
> > Best regards,
>
>


* Re: [PATCH iproute2] ip/netns: avoid redundant mounts
  2026-02-25  1:21   ` Chen Linxuan
@ 2026-02-27 20:30     ` David Ahern
  2026-02-28  1:36       ` Chen Linxuan
  0 siblings, 1 reply; 6+ messages in thread
From: David Ahern @ 2026-02-27 20:30 UTC (permalink / raw)
  To: Chen Linxuan
  Cc: Stephen Hemminger, netdev, Eric W. Biederman, Lennart Poettering,
	Luca Boccassi

On 2/24/26 6:21 PM, Chen Linxuan wrote:
>> with this patch I am still seeing 2 entries:
>>
>> $ sudo ./ip netns add blah
>> $ cat /proc/self/mountinfo  | grep blah
>> 337 92 0:4 net:[4026532418] /run/netns/blah rw shared:344 - nsfs nsfs rw
>> 338 28 0:4 net:[4026532418] /run/netns/blah rw shared:344 - nsfs nsfs rw
> 
> It seems like your old `ip` might have created the /run/netns mount point.
> After removing all netns and then umounting /run/netns, run ip netns add blah again.
> You should see only one entry.

Fair point. I no longer have the patch, so send it again and I will try
a test in a new VM.




* Re: [PATCH iproute2] ip/netns: avoid redundant mounts
  2026-02-27 20:30     ` David Ahern
@ 2026-02-28  1:36       ` Chen Linxuan
  2026-02-28 16:34         ` David Ahern
  0 siblings, 1 reply; 6+ messages in thread
From: Chen Linxuan @ 2026-02-28  1:36 UTC (permalink / raw)
  To: David Ahern
  Cc: Chen Linxuan, Stephen Hemminger, netdev, Eric W. Biederman,
	Lennart Poettering, Luca Boccassi

On Sat, Feb 28, 2026 at 4:30 AM David Ahern <dsahern@kernel.org> wrote:
>
> On 2/24/26 6:21 PM, Chen Linxuan wrote:
> >> with this patch I am still seeing 2 entries:
> >>
> >> $ sudo ./ip netns add blah
> >> $ cat /proc/self/mountinfo  | grep blah
> >> 337 92 0:4 net:[4026532418] /run/netns/blah rw shared:344 - nsfs nsfs rw
> >> 338 28 0:4 net:[4026532418] /run/netns/blah rw shared:344 - nsfs nsfs rw
> >
> > It seems like your old `ip` might have created the /run/netns mount point.
> > After removing all netns and then umounting /run/netns, run ip netns add blah again.
> > You should see only one entry.
>
> Fair point. I no longer have the patch, so send it again and I will try
> a test in a new VM.

Why has this patch been applied?
https://git.kernel.org/pub/scm/network/iproute2/iproute2.git/commit/?id=82c8b9fe511e6c503ef60c16eebc7a715c3189eb

What is going on here?

>
>
>


* Re: [PATCH iproute2] ip/netns: avoid redundant mounts
  2026-02-28  1:36       ` Chen Linxuan
@ 2026-02-28 16:34         ` David Ahern
  0 siblings, 0 replies; 6+ messages in thread
From: David Ahern @ 2026-02-28 16:34 UTC (permalink / raw)
  To: Chen Linxuan
  Cc: Stephen Hemminger, netdev, Eric W. Biederman, Lennart Poettering,
	Luca Boccassi

On 2/27/26 6:36 PM, Chen Linxuan wrote:
> On Sat, Feb 28, 2026 at 4:30 AM David Ahern <dsahern@kernel.org> wrote:
>>
>> On 2/24/26 6:21 PM, Chen Linxuan wrote:
>>>> with this patch I am still seeing 2 entries:
>>>>
>>>> $ sudo ./ip netns add blah
>>>> $ cat /proc/self/mountinfo  | grep blah
>>>> 337 92 0:4 net:[4026532418] /run/netns/blah rw shared:344 - nsfs nsfs rw
>>>> 338 28 0:4 net:[4026532418] /run/netns/blah rw shared:344 - nsfs nsfs rw
>>>
>>> It seems like your old `ip` might have created the /run/netns mount point.
>>> After removing all netns and then umounting /run/netns, run ip netns add blah again.
>>> You should see only one entry.
>>
>> Fair point. I no longer have the patch, so send it again and I will try
>> a test in a new VM.
> 
> Why has this patch been applied?
> https://git.kernel.org/pub/scm/network/iproute2/iproute2.git/commit/?id=82c8b9fe511e6c503ef60c16eebc7a715c3189eb
> 
> What is going on here?
> 

ugh. my mistake after testing and noting the above; I did not drop the
commit. I'll re-test when I get some time.


