Run systemd service in network namespace

mth · June 14, 2019, 3:59pm

I could prepend ip netns exec xx where applicable (e.g. serviceConfig.ExecStart). But ip netns requires root privileges. What can I do if serviceConfig.User isn’t "root"?

azazel75 · June 14, 2019, 9:49pm

maybe using JoinNamespaceOf (see man systemd.unit) on another unit that is running as root ?

mth · June 15, 2019, 2:17pm

@azazel75 thanks a lot! got it working:

{ config, pkgs, lib, ... }: {
  systemd.services."netns@" = {
    description = "%I network namespace";
    before = [ "network.target" ];
    serviceConfig = {
      Type = "oneshot";
      RemainAfterExit = true;
      PrivateNetwork = true;
      ExecStart = (pkgs.writeScript "netns-up" ''
        #! ${pkgs.bash}/bin/bash
        ${pkgs.iproute}/bin/ip netns add $1
        ${pkgs.utillinux}/bin/umount /var/run/netns/$1
        ${pkgs.utillinux}/bin/mount --bind /proc/self/ns/net /var/run/netns/$1
      '') + " %I";
      ExecStop = "${pkgs.iproute}/bin/ip netns del %I";
    };
  };
}

Any systemd.services.<name> can join with:

bindsTo = [ "netns@wg.service" ];
after = [ "netns@wg.service" ];
unitConfig.JoinsNamespaceOf = "netns@wg.service";
serviceConfig.PrivateNetwork = true;

stolen from Access mounted (ip netns ...) network namespaces. · Issue #2741 · systemd/systemd · GitHub

mth · June 15, 2019, 2:26pm

I might write a blog post soon about using this to sandbox services in a network namespace with wireguard, since I have a working setup.

mth · August 28, 2019, 12:20pm

ok, here we go:

arianvp · August 28, 2019, 3:45pm

For your interest, in NixOS 19.09 you’ll be able to directly specify the netns for a service to Join

github.com

systemd/systemd/blob/4b259b3c63eeefe4cd52fa3b169b1ca4b19f13e9/NEWS#L525-L527


      
          * A new unit setting NetworkNamespacePath= may be used to specify a
            namespace for service or socket units through a path referring to a
            Linux network namespace pseudo-file.

So this could simplify your code a bit

# netns@.service
[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=${pkgs.iproute}/bin/ip netns add %I
ExecStop=${pkgs.iproute}/bin/ip netns del %I

# myservice.service
[Unit]
BindsTo=netns@wg.service
After=netns@wg.service
NetworkNamespacePath=/var/run/netns/wg
[Service]
ExecStart=myservice

cladmi · December 24, 2019, 2:39pm

This one must be changed to move NetworkNamespacePath into the [Serice] section as when it is in [Unit] you get an Unknown key name ‘NetworkNamespacePath’ in section ‘Unit’, ignoring warning in the log.

With the modification it works like a charm thank you for documenting it.

nh2 · September 6, 2022, 2:41am

Correcting a typo: This should be JoinsNamespaceOf, with an s.

This mistake made it into examples/mautrix.nix · ff782189f05f48f28a8292b0e3c9bb579ebe93e5 · Coffee Tables / nix-matrix-appservices · GitLab