On 06/10/2018 01:13 PM, Grant Taylor wrote:
> I'll respond later with more details as to what I do to run various
> things in Network Namespaces.
I create the following directories ("mkdir -p" type thing):
- /run/mountns/$NSname
- /run/netns/$NSname
- /run/utsns/$NSname
First I create the Namespace:
unshare --mount=/run/mountns/$NSname --net=/run/netns/$NSname \
    --uts=/run/utsns/$NSname /bin/true
Then I change the hostname inside of the Namespace:
nsenter --mount=/run/mountns/$NSname --net=/run/netns/$NSname \
    --uts=/run/utsns/$NSname /bin/hostname $NSname
Then I start whatever process I want to inside of the Namespace:
nsenter --mount=/run/mountns/$NSname --net=/run/netns/$NSname \
    --uts=/run/utsns/$NSname /path/to/daemon…
I reuse the nsenter methodology above to go into the Namespace and run
whatever I want. I can enter an interactive shell inside of the
Namespace using the following:
nsenter --mount=/run/mountns/$NSname --net=/run/netns/$NSname \
    --uts=/run/utsns/$NSname /bin/bash
I see no reason that you couldn't run a VPN inside of a Namespace. It
might actually make things easier. The VPN could route everything (from
that Namespace) through the VPN. Then you just need to pick what you
route to the VPN's Namespace.
Note: What I'm doing is quite similar to containers with the major
exception that all of the files are based on the parent (default / main
/ unnamed) Namespace. (It's my understanding that…) Containers use this
same methodology with namespaces, just with a full file system that is
an OS image unto themselves, which means that they need to be
maintained as separate OS images and have the proper care and feeding.
My preferred method means that the Namespaces inherit all the files from
the parent (…) Namespace. (Sort of like Solaris's sparse zones.)
--
Grant. . . .
unix || die
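The create / set-hostname / run sequence from the mail above, as an added example that is my code and not Grant's own script. Assumptions that the mail does not state: util-linux unshare(1)/nsenter(1), iproute2 ip(8), root, and the layout $NS_ROOT/{mountns,netns,utsns}/NAME, where NS_ROOT is a hypothetical override (defaulting to /run) so the path helpers can be exercised without root. The name check, the private-mount and touch steps, and bringing loopback up are my additions; the first two come from unshare(1)'s own notes (the bind-mount target must already exist, and for --mount=FILE it must not sit on a shared mount).

```shell
#!/bin/sh
# Added example (mine, not Grant Taylor's script): the mkdir/unshare/
# nsenter sequence from the mail wrapped in functions, plus the checks a
# practitioner wants around it. Assumptions not stated in the mail:
# util-linux unshare(1)/nsenter(1), iproute2 ip(8), root, and the layout
# $NS_ROOT/{mountns,netns,utsns}/NAME. NS_ROOT is a hypothetical override
# (defaults to /run) so the path helpers can be exercised without root.
set -eu

NS_ROOT=${NS_ROOT:-/run}

# Reject names that could escape the directory or be parsed as options:
# unshare --mount=FILE bind-mounts over FILE, so "../../etc/passwd" must
# never reach it, and "-x" would be taken by hostname(1) as a flag.
ns_check_name() {
    case "$1" in
        ""|.|..|-*|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    return 0
}

# Print the three persistent namespace files for NAME (mount, net, uts).
ns_files() {
    echo "$NS_ROOT/mountns/$1 $NS_ROOT/netns/$1 $NS_ROOT/utsns/$1"
}

# Option string shared by unshare and nsenter; note the "=" between the
# option and the file, which the commands in the mail were missing.
ns_opts() {
    set -- $(ns_files "$1")
    printf '%s' "--mount=$1 --net=$2 --uts=$3"
}

ns_create() {
    name=$1
    ns_check_name "$name" || { echo "ns_create: bad name '$name'" >&2; return 1; }
    set -- $(ns_files "$name")
    mnt=$1 net=$2 uts=$3
    for f in "$mnt" "$net" "$uts"; do
        mkdir -p "$(dirname "$f")"
        # The bind-mount target must already exist as a regular file
        # (unshare(1) example: "touch /root/uts-ns"); mkdir -p of the full
        # path would create a directory and the bind mount would fail.
        [ -e "$f" ] || : > "$f"
    done
    # unshare --mount=FILE refuses a target on a shared mount (unshare(1)),
    # and /run usually is one: bind the directory onto itself once and
    # make that mount private.
    mntdir=$(dirname "$mnt")
    mountpoint -q "$mntdir" || mount --bind "$mntdir" "$mntdir"
    mount --make-private "$mntdir"
    # Create all three namespaces; the bind mounts keep them alive after
    # /bin/true exits.
    unshare $(ns_opts "$name") /bin/true
    nsenter $(ns_opts "$name") hostname "$name"
    # A fresh net namespace has only a down loopback; bring it up so
    # daemons bound to 127.0.0.1 work before any veth is added.
    nsenter $(ns_opts "$name") ip link set lo up
}

# Run any command (a daemon, a VPN client, or /bin/bash for a shell) in NAME.
ns_run() {
    name=$1; shift
    ns_check_name "$name" || return 1
    exec nsenter $(ns_opts "$name") "$@"
}

# Tear down: unmount the pinned namespace files and remove them.
ns_destroy() {
    name=$1
    ns_check_name "$name" || return 1
    for f in $(ns_files "$name"); do
        umount "$f" 2>/dev/null || true
        rm -f "$f"
    done
}

case "${1:-}" in
    create)  ns_create "$2" ;;
    run)     name=$2; shift 2; ns_run "$name" "$@" ;;
    destroy) ns_destroy "$2" ;;
    "")      ;;   # no subcommand: only define the functions (e.g. when sourced)
    *)       echo "usage: $0 create|run|destroy NAME [COMMAND...]" >&2; exit 2 ;;
esac
```

Usage: `./ns.sh create vpn`, then `./ns.sh run vpn /path/to/vpn-client …` and `./ns.sh run vpn /bin/bash` for a shell; `./ns.sh destroy vpn` unpins the namespaces, which then go away once the last process in them exits. Because the net namespace is pinned under /run/netns, `ip netns list` and `ip netns exec vpn …` see it as well on systems where /var/run is /run.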