network: support network namespace

[yuwata]

Closes #11103.

[yuwata]

TODO:

• fix NetworkNamespacePath=
• systemd-udevd@.service, maybe only for network interfaces?
• libsystemd/sd-network, support network namespace
• add varlink support to networkd
• networkctl, add --namespace option
• systemd-networkd-wait-online@.service, add --namespace option

[DaanDeMeyer]

First of all, great to see support for this being added!

I haven't looked in detail, but I'm wondering if we can't make this stuff a little more generic. Why limit the namespace stuff to systemd-networkd and networkctl? Shouldn't we consider making separate namespace units instead (ipc, mount, future namespaces)? Of course, adding those will require extra work compared to this solution but I can come up with some use cases where we want to run programs in a separate mount or ipc namespace as well (aside from only network).

[yuwata]

@DaanDeMeyer Could you elaborate more? I think, for networkd, supporting network namespace is non-trivial and needs several works, but other namespace is trivial and just modifying the unit file seems enough, though not tested.

[DaanDeMeyer]

I wrote out a massive wall of text but it comes down to this:

Instead of adding systemd-networkd-create-netns@ and networkctl netns-create, can't we simply modify NetworkNamespacePath to create the network namespace if it doesn't exist? It could use the same method you used in verb_netns_create. The only thing I'm not sure of is when to remove the bind mount to make sure the namespace gets cleaned up when all processes in it exit. Maybe each process could add a bind mount on top of the existing ones so you have a stack of bind mounts that gets unwinded as processes exit one by one? (Although I doubt that's a good approach). Aside from NetworkNamespacePath, other namespace types could have a similar setting.

If we can't manage the lifetime of namespaces without a separate unit like systemd-networkd-create-netns, maybe this needs to be a general systemd concept instead of a one time off implementation in systemd-networkd-create-netns@ and networkctl?

[yuwata]

Instead of adding systemd-networkd-create-netns@ and networkctl netns-create, can't we simply modify NetworkNamespacePath to create the network namespace if it doesn't exist?

I like that idea. I will try to implement that. Thanks.

[DaanDeMeyer]

I reviewed the parts related to my earlier suggestion since I'm somewhat familiar with those.

[DaanDeMeyer]

Do we still need these commands if NetworkNamespacePath creates the network namespace automatically?

[yuwata]

Maybe useful for systemd-nspawn --network-namespace-path=?

[DaanDeMeyer]

I'm not sure, I think the existing tools unshare, lsns and unmount cover these use cases well enough. Of course, if you or someone else feels we should have these then by all means lets add them. It doesn't hurt anyone if networkctl has a few extra commands.

[poettering]

id drop them really.

[DaanDeMeyer]

Do we ever clean this up somewhere? Won't we end up with a namespace leak if we keep the file bind-mounted somewhere?

[yuwata]

We do not know when the file is not used anymore. So, I think we must 'leak' the file. (And can be manually removed by networkctl remove-netns command.)

[DaanDeMeyer]

Maybe there's a way to keep track of whether there are any services running in the network namespace (or just a namespace in general to be a little more generic)? As soon as the count reaches zero, we unmount the file. Of course, that does not keep track of any processes not spawned by systemd but that seems like a tradeoff we could make (and explicitly document).

The idea is that we only need to have the file mounted if there is at least one other service running in the namespace. If the last service exits, we can safely remove the mount and create the mount again once another service starts with the same namespace path.

The only thing I'm not sure about is how hard it is to add the machinery required to keep track of which services are running in which persistent namespaces.

On the other hand, leaking the file might not be a huge problem. Although I'm a bit worried that if many unique instances of a template service are spawned and they use the template parameter in the network namespace path that we get a lot of namespace mounts lying around. I have a feeling someone would hit some kind of limit sooner or later and get a rather obscure error if we don't clean the mounts ourselves.

Maybe @poettering knows more?

[yuwata]

I noticed that removing the netns file causes a backward compatibility issue. Previously, when a service which has NetworkNamespacePath= is stopped, the netns file still exists, and can be used any later commands or invoked services. Such behavior must be preserved. So, even if pid1 creates the file, the file must be 'leak'ed.

[DaanDeMeyer]

Well yes, but that's only because the netns file was created explicitly by the user beforehand no? It makes sense then that they can rely on the file being there after the service stops.

However, if the file doesn't exist, I think we currently hard-fail so I think that means we have an avenue for adding new behaviour any way we want to without having to worry about backwards compatibility. In other words, there's no way users can depend on netns files created by systemd being there after the service stops since at the moment systemd never creates any netns files in the first place.

If the user currently creates the netns file, of course he's responsible for cleaning it up afterwards. However, if we now start creating the netns files ourselves, I think that makes us responsible for cleaning them up as well.

[elmarco]

I wonder if /var/run/netns mountpoint could be handled by systemd .mount & service lifetime/dependencies.

[poettering]

I'd probably not actively use .mount unit for this kind of mount point. It's not really a file system after all, but more a weird API of the kernel to make namespaces persistent...

I'd just add NetworkNamespaceMode=join|create|sticky instead, as suggested elsewhere.

[DaanDeMeyer]

I know @poettering asked me to do namespace changes in a child process to make cleanup easier in an nspawn PR review. I'm not sure if this is a code path where we can afford to fork a child process but if we can, it might be easier to fork, unshare and mount instead of having logic everywhere to move back to the original network namespace.

[yuwata]

I will re-consider this point later. Thanks.

[poettering]

yes, as mentioned elsewhere, let's do that in a child process. i.e. clone() with CLONE_NEWNET, and pass netns fd up to parent again

[poettering]

I love this a lot! Excellent work!

[poettering]

doesn't matter much, but you could just drop the word else here

[poettering]

as above

[poettering]

hmm, do we want these really? I think it would be much nicer if you allocate a new netns simply by starting another networkd instance. i.e.

"systemctl start networkd@foobar.service" starts a new netns called foobar

[flokli]

These commands basically mirror the ip netns list, ip netns add and ip netns delete commands. Not sure if they bring additional value. One could argue networkctl list also is just a more fancy ip l, and we could show more information here, too.

I don't think there always needs to be a separate networkd instance for each namespace "managed" by networkd.

There's two usecases here:

1. In addition to the default network namespace and main networkd, having a separate networkd running in a separate network namespace with interfaces in that namespace.
   Don't we have systemd-nspawn for this?

2. Main networkd in the default network namespace sets up a tunnel interface (wireguard, openvpn), but moves the created interface into a separate network namespace (creating if it doesn't exist already), possibly configuring addresses/(default) route(s) on that interface as well.
   People that want to pipe traffic "through that tunnel" invoke applications (ip netns exec $application) or whole graphical sessions in that namespace, but they don't really care about configuring more interfaces inside this namespace.

[g0tar]

hmm, do we want these really? I think it would be much nicer if you allocate a new netns simply by starting another networkd instance. i.e.

"systemctl start networkd@foobar.service" starts a new netns called foobar

Let's remember that this really should fit well into regular workflow with "personalities". I would expect that:

ip netns exec alt-namespace-2 /bin/zsh
networkctl

returns the currently "logged in" network status, just like ip, iptables or tc tools are. Consider a scenario, when entire ssh server is being run within some netns (in general: one ssh server per netns) and one directly logs into the netns. It should be possible to manage this "internal" (separated) network, including stopping it - without interfering other namespaces.

Thinking about this makes me think, that maybe entire networkd@some-netns.service should be started inside some-netns (just like the ssh instance from example above), and the master (host) networkd.service should set up the namespaces itself and interfaces (like creating veth pair and moving one end into the specified netns). This seems to mean that .netdev with for NetNS=x would be picked by main systemd.service (in order to set up the device+netns assignment) and by networkd@x.service (in order to match the device), while .network for NetNS=x would belong to networkd@x.service only.

Then, the namespaced networkctl should display and manage only it's own parts, while the external one could give access to all the childrens. Also, some day, the systemctl could gain a feature to filter out namespace-bound services and disallow messing with master or siblings - this is the way of partitioning system and creating network-admin roles (known from Big Telco solutions; thinking about apache running within web1 netns and user/group X allowed to restart every service within web1 netns).

As for the (simpified) use-case (italic, long): I need to set up 4 netnses: bgp1, bgp2, lan1, lan2 interconnected with veth pairs. The bgp* personalities would run separate BGP instances (bird) on assigned VLANs exchanging traffic with their respective lan* internal network BRASes. Each bgp* uses it's own uplinks by default and provides backup transmission for the other, so in general traffic can go through 3 namespaces (lan1-bgp1-bgp2), while in normal conditions the flows are separated and can be accounted per instance. In general setup there might be more than 2 "entity sets" and the "set" might contain more "boxes" (BGP, NAT/log, QoS/BRAS, IDS), while the "interface/VLAN" is stacked over some QinQ or LACP (802.1ad), VXLAN etc. Most of this can be acomplished by using "traditional" methods, like policy based routing, separate routing tables etc. but as the number of entities grow the configuration complicates exponentially as they start to heavily interfere. Using separate network namespaces, with their own routing tables, filtering rules (iptables), conntrack, DHCP servers etc. trades some performance for simplicity and manageability (like having different network-admins for different "sets"). Using full virtualization would result in much more performance penalty (and require additional layer of OpenVSwitch). Containers are functionally equivalent, but require massive system (fs tree) duplication and would became upgrade management hell really fast; note the network-admins should only care about the rules (BGP, iptables, ipsets, QoS), not the system ("firmaware") itself. Also, I do trust network-admins that they are not malicious, just want to make their life easier - working with hundreds of interfaces stacked in several layers is error-prone.

Currently systemd handles well my (over?)complicated block-devices scheme (drive-partition-LVM-integrity-mdadm-LUKS-VDO-LVM/thin_pool(snapshots)-mdadm (with top-level mdadm used for bitmap-assisted on-line backups of either snapshots or fsfrozen data via ISCSI@ipsec to remote location) and it would be really nice if network stack could be handled as well.

[poettering]

I am not sure we should step into that directory, i.e. territory of iproute? is that public API even?

Also /var/run is a legacy alias for /run. Let's not use legacy names.

[mweinelt]

It allows user to interact with the netns from userspace, which would be much appreciated.

[poettering]

should probably use MS_NOSUID|MS_NOEXEC|MS_NODEV as mount flags, since we mount the host sysfs like that

[poettering]

as above

[poettering]

hmm, i'd probably also go via varlink if client is root, since then you can issue this before dbus is up.

dbus gives us powerful access control, which varlink has. But if we are root anyway, then there's little point to bother with dbus for this i think.

[poettering]

I'd change this check to if (varlink), i.e. instead of checking each time why we use varlink, just check if we can use varlink.

[poettering]

→ --namespace=, i.e. with trailing = since it expects an argument

[poettering]

→ --namespace=NAME

[keszybz]

@yuwata update?

[yuwata]

Will update after v246 is released.

[poettering]

would still love this to materialize!

[kjander0]

I've noticed different behaviour between 'ip netns exec' and 'systemd's NetworkNamespacePath'. The former remounts /sys/ when switching the namespace of a process. Systemd doesn't seem to do this and therefore the process running in the namespace sees the wrong network devices in /sys/class/net, etc. Is this expected behaviour?

[poettering]

@kjander0 plese file a separate issue about this. Comments on unrelated PRs are not a great way to report a bug.

[LaserEyess]

Any chance at a rebase of this? I am very interested in this functionality and I would like to test it, but I am not skilled enough nor familiar enough with the codebase to rebase.

[codepeon]

Here are some rebased versions of this:
Based on v248, Builds and seems to work: https://github.com/codepeon/systemd/tree/netns-v248
Based on main, not tested: https://github.com/codepeon/systemd/tree/netns-main

[agowa]

What's the current status? Is this PR still active or is it superseded by some other PR?

[herbetom]

Since I'm once again facing the situation where it would be handy to have network namespace support in systemd-networkd I would like to repeat the question of @agowa338 about the current status. I would be really happy if this functionality would exist one day.

@yuwata

[Manouchehri]

Any chance of this being merged in?

[OJFord]

Does this support (or not complicate supporting in the future) differing 'current' and 'birth' namespaces?

This can be useful because when the interface is moved to another namespace, its sockets are still attached to (? created in? I'm fuzzy on the specifics) its birth namespace. WireGuard describes a use case in more detail here (under heading 'the new namespace solution'): https://www.wireguard.com/netns/

[jmpolom]

This would be a pretty amazing thing to have support for in networkd.

[andrewdunndev]

There was an interesting discussion in the podman mailing lists where someone is trying to do these things for quadlet (a systemd/podman sort of bridge prototype).

[DemiMarie]

@yuwata do you plan to finish this PR, or should someone else do so?

[Torxed]

@yuwata added the new-feature label on Oct 29, 2020

There's been no meaningful update since 2020-10-29.
The overall code of systemd has evolved quite significantly since this PR. And rebasing is no longer trivial.

Perhaps split this PR into smaller PR's for individual functionalities such as creating namespaces and managing interfaces?
I'd love to see it all go in but if it's unmaintainable to introduce this somewhat large PR of ~1.5k line changes, then perhaps introduce features in steps?

I get that everyone is a volunteer and that we're welcome to submit PR's, but this one felt somewhat complete.
Would be nice with a status update of any kind.

[kniteli]

It is possible to achieve running systemd-networkd per namespace using the tools systemd already provides with no code changes (this may have only become possible since this draft was first created).

It's not trivial, but neither is it incredibly complicated. It comes down to setting up a namespace, setting up a template for the systemd-networkd service to use the targeted namespace, and setting up a dbus instance in that namespace as well. You'll also need to mount per-namespace directories over the /run/dbus and /run/systemd/netif directories for the above mentioned per-namespace services. Lastly you would want a per-namespace directory to be mounted over /etc/systemd/network to segregate the interfaces applied to each.

You would use the NetworkNamespacePath= setting and the other security and namespace features from systemd.exec to achieve this.

Perhaps this is a better path forward than trying to revive this

[DemiMarie]

I strongly disagree with this @kniteli. In paticular, I would like the ability to set up all physical devices in a separate network namespace, so that the root namespace can be reserved for a WireGuard VPN tunnel.

[agowa]

@kniteli I also considered something like this in the past. However in practice it interferes way too much with systemd-networkd, systemd-udevd, and anything that already ships with a configuration for either JoinsNamespaceOf=, PrivateNetwork=, or NetworkNamespacePath= (not to mention issues with drop-in files and their hierarchy).
But maybe you're able to provide a good sane way that'll also work with netdev and link units.

What I tried so far (and thereby you also see how hack working around the missing network namespace support in systemd-network is):

1. Create a top-level drop-ins for services and sockets /etc/systemd/system/service.d/netns.conf (aka. /etc/systemd/system/socket.d/netns.conf) with JoinsNamespaceOf=myNetwork.service, Requires=myNetwork002.service, and After=myNetwork002.service
2. Create a dummy myNetwork001.service unit file with e.g. Type=OneShot, DefaultDependencies=no, ExecStart=/bin/true, RemainAfterExit=yes, and PrivateNetwork=yes.
3. Create an overwriting drop-in file for myNetwork001.service (and myNetwork002.service) to prevent the global one from being also applied to it by creating /etc/systemd/system/myNetwork001.service.d/netns.conf (aka. /etc/systemd/system/myNetwork002.service.d/netns.conf) with content JoinsNamespaceOf=-.
4. (The part I didn't fully figure out and did manually for testing), create a systemd-udevd drop-in that moves all network interface devices upon being connected to the system [BEFORE they ever show up in any other namespace, including the root one] into the myNetwork001.service network namespace.
5. Create a service that moves all already existing physical interfaces (e.g. created by the kernel before systemd-udevd was started) into the myNetwork001.service-namespace. e.g. Create a myNetwork002.service with Requires=myNetwork001.service, After=myNetwork001.service, Type=OneShot, DefaultDependencies=no, RemainAfterExit=yes, ExecStart=/bin/true, and one ExecStartPre=/usr/bin/ip link set "$ifname" netns "$target_ns" per physical interface. Ideally ExecStart= just calls a script (needs to be (ideally) available within the initrd, aka. there is a bit more to it). That script would then first query all existing physical links and run the above ip-command for each of them (Note: I did not yet find a good and stable way to reference the network namespace of myNetwork001.service for the $target_ns argument required by the ip-command.
6. Now reboot the system and see how systemd-networkd will mess everything up again (as long as you don't patch each and every network unit too).

Instead of 6 I also tried hacking it into the initrd systemd startup and hackisly insert a nsenter before the main systems systemd-init PID 1 is getting executed by systemctl --no-block switch-root aka. initrd-switch-root.service. This had better compatibility with applications and other systemd-components but the startup itself was still quite fragile and unreliable. Also it caused all newly attached physical devices appeared to never become available (I probably missed something in the handover between the kernel and systemd-udevd and they probably were in the root namespace that systemd-init itself and therefore also systemd-udevd no longer had access to).

So year, it can be hacked but that's mostly working around systemd instead of working with systemd...