On Sat, Jan 18, 2014 at 7:45 AM, Peeters Simon <peeters.si...@gmail.com> wrote:
> 2014/1/18 Alex Polvi <a...@polvi.net>:
>> Hello,
>>
>> Is there a way to have a .socket bind in a particular network
>> namespace? The use case is to have a container with isolated
>> networking be able to start a service, or tunnel to a remote service,
>> that exists outside the container's namespace.
>>
>> Thank you for any leads. I could not find anything related to this in
>> the documentation.
>>
>> Regards,
>>
>> -Alex
>
> Just wondering, does "JoinsNamespaceOf=" work for this?
> If it doesn't, can it be extended to support this situation?
Just tried it out, and it appears that it does not work for sockets.

$ cat test.service
[Service]
ExecStart=/usr/bin/sleep 30000
PrivateNetwork=true

$ cat join.service
[Service]
ExecStart=/usr/bin/sleep 3000

$ cat join.socket
[Unit]
JoinsNamespaceOf=test.service
[Socket]
ListenStream=8080

$ systemctl status join.socket
join.socket
   Loaded: loaded (/run/systemd/system/join.socket; static)
   Active: active (listening) since Sat 2014-01-18 19:10:58 UTC; 1min 46s ago
   Listen: [::]:8080 (Stream)

Jan 18 19:10:58 localhost systemd[1]: Starting join.socket.
Jan 18 19:10:58 localhost systemd[1]: Listening on join.socket.

$ systemctl status test.service
test.service
   Loaded: loaded (/run/systemd/system/test.service; static)
   Active: active (running) since Sat 2014-01-18 19:07:45 UTC; 5min ago
 Main PID: 567 (sleep)
   CGroup: /system.slice/test.service
           └─567 /usr/bin/sleep 30000

Jan 18 19:07:45 localhost systemd[1]: Started test.service.

The .socket is still bound on the general namespace. nsenter will join the network namespace of 567 (the sleep process with PrivateNetworking):

$ sudo nsenter -t 567 -n -- netstat -lnt | grep 8080
$ netstat -lnt | grep 8080
tcp6       0      0 :::8080                 :::*                    LISTEN

The socket is still listening on the host networking.

-Alex
_______________________________________________
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel
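Alex verifies where the socket landed by entering the namespace with nsenter and running netstat. The same comparison can be made from the host by reading /proc/<pid>/net/tcp and tcp6, which the kernel scopes to that pid's network namespace. The following is an added example, not code from the thread or from systemd; its sample tables are constructed to mirror the result above (the host's tcp6 table shows [::]:8080 in LISTEN, the table read via PID 567 shows nothing bound).

```python
"""Which network namespace is a TCP listener bound in? /proc/<pid>/net/tcp{,6} list
the sockets of that pid's network namespace, so the view from inside a
PrivateNetwork= service can be compared with the host's without nsenter."""
from __future__ import annotations
import socket
import struct
from pathlib import Path

TCP_LISTEN = 0x0A  # value of the `st` column for a socket in LISTEN state

# Constructed sample tables. Host /proc/net/tcp6: join.socket listening on [::]:8080.
HOST_TCP6 = """\
  sl  local_address                         remote_address                        st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000000000000000000000000000:1F90 00000000000000000000000000000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
"""
# Host /proc/net/tcp: a listener on 127.0.0.1:22 and one ESTABLISHED connection (state 01).
HOST_TCP4 = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 23456 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0016 0100007F:C350 01 00000000:00000000 00:00000000 00000000     0        0 23457 1 0000000000000000 20 4 30 10 -1
"""
# /proc/567/net/tcp6 as seen inside the PrivateNetwork= namespace: header only, nothing bound.
NS_TCP6 = """\
  sl  local_address                         remote_address                        st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
"""

def _hex_to_ip(addr_hex: str) -> str:
    """Decode the kernel's hex address: one (IPv4) or four (IPv6) little-endian 32-bit words."""
    words = [struct.pack("<I", int(addr_hex[i:i + 8], 16)) for i in range(0, len(addr_hex), 8)]
    family = socket.AF_INET if len(words) == 1 else socket.AF_INET6
    return socket.inet_ntop(family, b"".join(words))

def parse_proc_net_tcp(text: str) -> list[tuple[str, int, int]]:
    """Return (local_ip, local_port, state) for every row of a tcp or tcp6 table."""
    rows = []
    for fields in (line.split() for line in text.splitlines()[1:] if line.strip()):
        addr_hex, port_hex = fields[1].rsplit(":", 1)  # local_address is "HEXADDR:HEXPORT"
        rows.append((_hex_to_ip(addr_hex), int(port_hex, 16), int(fields[3], 16)))
    return rows

def listeners_on_port(text: str, port: int) -> list[str]:
    # Only LISTEN sockets count; established connections on the same port are ignored.
    return [ip for ip, p, st in parse_proc_net_tcp(text) if p == port and st == TCP_LISTEN]

def listeners_in_namespace_of(pid: int | None, port: int) -> list[str]:
    """Live check: pid=None reads the caller's own tables, otherwise those of pid's namespace."""
    base = Path("/proc") / (str(pid) if pid is not None else "") / "net"
    return [ip for table in ("tcp", "tcp6") if (base / table).exists()
            for ip in listeners_on_port((base / table).read_text(), port)]
```

`listeners_in_namespace_of(567, 8080)` runs the live check against a running system; an empty result there next to a non-empty `listeners_in_namespace_of(None, 8080)` is the same finding as the two netstat runs above.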