[systemd-devel] Run service in netns w/ interfaces
I am setting up a fairly complex virtualized network environment, in order to do some testing. As part of this, I need to run ISC dhcrelay in a "vrouter" network namespace, into which I have moved a couple of network interfaces (OVS ports).

I originally tried to do this with a single .service file, using 'ip netns ...' commands to do everything. Unfortunately, it turns out that this doesn't work on CentOS 7, as it runs afoul of SELinux.

type=AVC msg=audit(1527809769.297:112): avc: denied { execute } for pid=1439 comm="ip" name="dhcrelay" dev="dm-0" ino=134953194 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:dhcpd_exec_t:s0 tclass=file

Googling for a solution led me to this:

https://github.com/systemd/systemd/issues/2741#issuecomment-336736214

With some fixups (executable locations & %i/%I), I was able to come up with a solution, but it requires 3 separate unit files. (I had to add an additional service to actually move the OVS ports into the network namespace.)

netns@.service:
---
[Unit]
Description=Named network namespace %i
StopWhenUnneeded=true

[Service]
Type=oneshot
RemainAfterExit=yes

# Ask systemd to create a network namespace
PrivateNetwork=yes

# Ask ip netns to create a named network namespace
# (This ensures that things like /var/run/netns are properly setup)
ExecStart=/sbin/ip netns add %i

# Drop the network namespace that ip netns just created
ExecStart=/bin/umount /var/run/netns/%i

# Re-use the same name for the network namespace that systemd put us in
ExecStart=/bin/mount --bind /proc/self/ns/net /var/run/netns/%i

# Clean up the name when we are done with the network namespace
ExecStop=/sbin/ip netns delete %i

osp-provisioning-interfaces.service:
---
[Unit]
Requires=netns@osp-provisioning.service
After=netns@osp-provisioning.service

[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/usr/sbin/ip link set ovs1.19 netns osp-provisioning
ExecStart=/usr/sbin/ip link set ovs2.19 netns osp-provisioning

osp-provisioning-router.service:
---
[Unit]
Description=vRouter and DHCP relay for OSP provisioning network
Wants=network-online.target
After=network-online.target
Requires=netns@osp-provisioning.service
After=netns@osp-provisioning.service
JoinsNamespaceOf=netns@osp-provisioning.service
Requires=osp-provisioning-interfaces.service
After=osp-provisioning-interfaces.service

[Service]
Type=simple
PrivateNetwork=yes
ExecStartPre=/usr/sbin/ifconfig ovs1.19 192.168.19.254/24
ExecStartPre=/usr/sbin/ifconfig ovs2.19 192.168.119.254/24
ExecStartPre=/usr/bin/bash -c 'echo 1 > /proc/sys/net/ipv4/ip_forward'
ExecStart=/usr/sbin/dhcrelay -d -i ovs2.19 192.168.19.1 192.168.19.101

[Install]
WantedBy=multi-user.target

Needless to say, this doesn't exactly feel elegant or efficient. Is there a better way?

-- 
Ian Pilcher arequip...@gmail.com
"I grew up before Mark Zuckerberg invented friendship"

___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/systemd-devel
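The three-unit arrangement above relies on the umount/bind-mount trick in netns@.service actually re-pointing /var/run/netns/<name> at the namespace systemd created, and on dhcrelay then being started inside that same namespace. The following script is an added example (not from the post, and not part of systemd or iproute2) that verifies this after the fact: it compares the nsfs inode behind /proc/<pid>/ns/net with the inode behind the named bind mount, which is the same identity "ip netns identify" uses. The script name check_netns.py and the default /var/run/netns location are assumptions.

```python
import os
import sys

NETNS_DIR = "/var/run/netns"  # where "ip netns add" keeps its named bind mounts (assumed default)


def ns_identity(path):
    """(st_dev, st_ino) of the nsfs inode behind a namespace path.
    os.stat() follows both the /proc/<pid>/ns/net magic symlink and the
    bind mount under /var/run/netns, so the two kinds of path can be
    compared directly."""
    st = os.stat(path)
    return (st.st_dev, st.st_ino)


def same_namespace(path_a, path_b):
    """True when both paths resolve to the same kernel namespace."""
    return ns_identity(path_a) == ns_identity(path_b)


def pid_in_named_netns(pid, name, netns_dir=NETNS_DIR):
    """True if process `pid` runs in the namespace "ip netns" knows as `name`."""
    return same_namespace(f"/proc/{pid}/ns/net", os.path.join(netns_dir, name))


def main(argv):
    # Usage (hypothetical script name): check_netns.py PID NETNS_NAME
    if len(argv) != 3:
        print(f"usage: {argv[0]} PID NETNS_NAME", file=sys.stderr)
        return 2
    pid, name = argv[1], argv[2]
    try:
        ok = pid_in_named_netns(pid, name)
    except OSError as e:
        # e.g. the bind mount is missing because netns@.service did not run
        print(f"cannot compare namespaces: {e}", file=sys.stderr)
        return 1
    print(f"pid {pid} {'is' if ok else 'is NOT'} in netns {name!r}")
    return 0 if ok else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

To check the router unit from the post, take its main PID from `systemctl show -p MainPID osp-provisioning-router.service` and run the script with that PID and `osp-provisioning`; a non-zero exit means either the bind mount was never created or the service ended up in a different namespace than intended.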
[systemd-devel] Systemd target doesn't propagate "restart" to PartOf "services" anymore
Hello,

I already sent this issue to the Debian maintainers mailing list for systemd, but I think now that was not the right place for it.

It seems to me to be a regression between Debian 8 and 9, specifically in the systemd version (from 215 to 232), but maybe I have missed a change in the release notes?

I experience different behaviour between the systemd versions on jessie and stretch. I have tested this setup on a Debian jessie (x86 and armhf) and on a Debian stretch (x86 and armhf).

On jessie my version of systemd is 215 (from repository)
On stretch my version of systemd is 232 (from repository)

I have the following systemd target:

sample-services.target
[Unit]
Description=A Sample Services Target
Requires=multi-user.target
After=multi-user.target

[Install]
WantedBy=multi-user.target
=== EOF ===

And the following service:

sample-services1.service
[Unit]
Description=A Sample service
After=network.target remote-fs.target nss-lookup.target
PartOf=sample-services.target

[Service]
Type=simple
ExecStart=/bin/sh -c 'echo Hello'

[Install]
WantedBy=multi-user.target
=== EOF ===

On a Debian 8 system, and according to the systemd manual, issuing a "systemctl restart" or "systemctl stop" on "sample-services.target" propagates the action to the "PartOf" services. I use and have validated this behaviour on Debian 8 x86 and armhf.

The propagation of the "restart" action is no longer working on a Debian 9 system (x86 and armhf). The "stop" action is still propagated.

I couldn't find any information about this difference of behaviour in the systemd release notes nor on the systemd Debian bug tracker.

Have I misunderstood the manual, missed a release note, or is this a regression?

Thanks
Simon Tropée
[systemd-devel] Does "runlevel" ever show 6 as the current runlevel?
Hi folks,

I know runlevel is an out-of-date concept, but I am still a bit curious about the current support of runlevel in systemd.

If I understand correctly, the runlevel is updated via "systemd-update-utmp". After checking the source code, I think "systemd-update-utmp" has the following behavior:

- "systemd-update-utmp reboot": update with ut_type=BOOT_TIME and ut_pid=0.
- "systemd-update-utmp shutdown": update with ut_type=RUN_LVL and ut_pid=0.
- "systemd-update-utmp runlevel": update with ut_type=RUN_LVL and ut_pid=(runlevel, prev-runlevel), where runlevel may be 1, 3, 5.

Since I didn't see the runlevel being updated to 6 anywhere, may I ask whether the current behavior of the "runlevel" command will show 6, indicating that the system is rebooting?

Thank you.
John Lin
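The three update-utmp cases listed above differ only in the ut_type and the ut_pid they write, and the "(runlevel, prev-runlevel)" pair is packed into the single ut_pid integer. The script below is an added example (my own code, not systemd's) that builds and decodes such records in pure Python on a constructed byte blob, so the packing and the replace-in-place behaviour of pututxline() for RUN_LVL/BOOT_TIME can be seen without touching /var/run/utmp. Assumptions: the glibc x86_64 struct utmp layout (384 bytes), the ut_pid packing (current level in the low byte, previous level in the next byte, as I read utmp_put_runlevel()), and the "~"/"~~" line and id values for these pseudo-entries.

```python
import struct

# Field layout of glibc's struct utmp on x86_64 (384 bytes). This is an
# assumption about the C layout, used so that records can be built and
# decoded in pure Python without touching the real /var/run/utmp.
UTMP_FMT = "<hxxi32s4s32s256shhiii4i20x"
UTMP_SIZE = struct.calcsize(UTMP_FMT)  # 384

RUN_LVL = 1    # ut_type of the "runlevel" and "shutdown" records
BOOT_TIME = 2  # ut_type of the "reboot" record
# pututxline() replaces an existing record of these types in place rather
# than appending, so a utmp file carries at most one of each.
SINGLETON_TYPES = {RUN_LVL, BOOT_TIME}


def pack_runlevel_pid(current, previous=None):
    """ut_pid encoding as I read systemd's utmp_put_runlevel(): the current
    runlevel character in the low byte, the previous one in the next byte,
    0 meaning "none" (assumption)."""
    cur = ord(current) & 0xFF
    prev = (ord(previous) & 0xFF) if previous else 0
    return cur | (prev << 8)


def unpack_runlevel_pid(ut_pid):
    """Inverse of pack_runlevel_pid(), returned as (previous, current) with
    'N' standing for "no such level", the way runlevel(8) prints it."""
    cur = ut_pid & 0xFF
    prev = (ut_pid >> 8) & 0xFF
    return (chr(prev) if prev else "N", chr(cur) if cur else "N")


def make_record(ut_type, ut_pid, ut_user, tv_sec=0):
    """Build one raw utmp record; ut_line "~" and ut_id "~~" are the values
    I believe systemd uses for these pseudo-entries (assumption)."""
    return struct.pack(UTMP_FMT, ut_type, ut_pid, b"~", b"~~",
                       ut_user.encode(), b"",   # ut_host empty
                       0, 0, 0,                 # ut_exit, ut_session
                       tv_sec, 0,               # ut_tv
                       0, 0, 0, 0)              # ut_addr_v6


def read_records(blob):
    """Decode a utmp blob into dicts with the fields relevant here."""
    recs = []
    for off in range(0, len(blob) - len(blob) % UTMP_SIZE, UTMP_SIZE):
        f = struct.unpack_from(UTMP_FMT, blob, off)
        recs.append({"type": f[0], "pid": f[1],
                     "user": f[4].rstrip(b"\0").decode(), "tv_sec": f[9]})
    return recs


def put_record(blob, rec):
    """Append rec, or replace the existing record of the same singleton
    type, mirroring pututxline() for RUN_LVL / BOOT_TIME."""
    ut_type = struct.unpack_from(UTMP_FMT, rec)[0]
    if ut_type in SINGLETON_TYPES:
        for off in range(0, len(blob) - len(blob) % UTMP_SIZE, UTMP_SIZE):
            if struct.unpack_from(UTMP_FMT, blob, off)[0] == ut_type:
                return blob[:off] + rec + blob[off + UTMP_SIZE:]
    return blob + rec


def runlevel_from_utmp(blob):
    """Decode the RUN_LVL record, which is what the runlevel tool consults.
    Returns (previous, current), ('N', 'N') for a ut_pid of 0 (the record
    "update-utmp shutdown" writes), or None when no RUN_LVL record exists."""
    for r in read_records(blob):
        if r["type"] == RUN_LVL:
            return unpack_runlevel_pid(r["pid"])
    return None


def demo():
    """Constructed boot cycle: reboot, then runlevel 5, then shutdown."""
    blob = b""
    blob = put_record(blob, make_record(BOOT_TIME, 0, "reboot", tv_sec=1527809000))
    blob = put_record(blob, make_record(RUN_LVL, pack_runlevel_pid("5"), "runlevel", tv_sec=1527809001))
    after_boot = runlevel_from_utmp(blob)
    blob = put_record(blob, make_record(RUN_LVL, 0, "shutdown", tv_sec=1527809900))
    after_shutdown = runlevel_from_utmp(blob)
    # the shutdown record replaced the runlevel record, so only 2 records remain
    return len(read_records(blob)), after_boot, after_shutdown


if __name__ == "__main__":
    print(demo())  # (2, ('N', '5'), ('N', 'N'))
```

The demo shows the consequence of the three cases as listed: after "shutdown" the RUN_LVL record still exists but its ut_pid is 0, so decoding it yields no current level at all rather than any particular number; nothing in this sequence ever writes a level into the record other than the one passed to the "runlevel" case.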