Would really like to see the contents of the .service file. Does it use any hardening options at all?
On Thu, Jul 18, 2024 at 10:49 AM Thomas Köller <tho...@koeller.dyndns.org> wrote:
> Hi,
>
> I have a problem creating a namespace from a systemd service. The
> service (type oneshot) invokes a shell script containing these two lines:
>
> ip netns add vpnlink
> iw phy phy0 set netns name vpnlink
>
> Both commands succeed, meaning they do not return an error, and so the
> service start is successful. However, the newly created network
> namespace is apparently unusable. Invoking the script from a root shell
> outside of the systemd service successfully creates the namespace. The
> log below illustrates the problem:
>
> root@htpc:~/netsu# ip netns list
> root@htpc:~/netsu# ./netsu
> root@htpc:~/netsu# ip netns list
> vpnlink (id: 0)
> root@htpc:~/netsu# ip netns exec vpnlink ip link show
> 1: lo: <LOOPBACK> mtu 65536 qdisc noop state DOWN mode DEFAULT group default qlen 1000
>     link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
> 4: wlan_usb: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN mode DEFAULT group default qlen 1000
>     link/ether 00:0f:60:06:7f:3b brd ff:ff:ff:ff:ff:ff
> root@htpc:~/netsu# ip netns del vpnlink
> root@htpc:~/netsu# ip netns list
> root@htpc:~/netsu# systemctl restart network-setup.service
> root@htpc:~/netsu# systemctl status network-setup.service
> ● network-setup.service
>      Loaded: loaded (/etc/systemd/system/network-setup.service; enabled; preset: disabled)
>     Drop-In: /usr/lib/systemd/system/service.d
>              └─10-timeout-abort.conf
>      Active: active (exited) since Thu 2024-07-18 09:34:55 CEST; 14s ago
>     Process: 3320 ExecStart=/root/netsu/netsu (code=exited, status=0/SUCCESS)
>    Main PID: 3320 (code=exited, status=0/SUCCESS)
>         CPU: 29ms
>
> Jul 18 09:34:55 htpc systemd[1]: Starting network-setup.service...
> Jul 18 09:34:55 htpc systemd[1]: Finished network-setup.service.
> root@htpc:~/netsu# ip netns list
> Error: Peer netns reference is invalid.
> Error: Peer netns reference is invalid.
> vpnlink
> root@htpc:~/netsu# ip netns exec vpnlink ip link show
> setting the network namespace "vpnlink" failed: Invalid argument
> root@htpc:~/netsu# ip netns del vpnlink
>
> Am I missing something? Of course, the process running the root shell
> invoked from the command line is ultimately also a child of systemd,
> which is the system's init process.
-- 
Mantas Mikulėnas
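An added diagnostic, not part of this thread, for the question the reply raises: `ip netns add` creates an empty file under /run/netns and bind-mounts the new namespace onto it, so a shell can test whether the `vpnlink` entry it sees is backed by a namespace (nsfs) mount or is only the empty placeholder, which is consistent with the "Peer netns reference is invalid" and "Invalid argument" errors in the quoted log. It assumes GNU `stat`; the optional directory argument exists only so the check can be exercised against a constructed temporary directory without root.

```bash
#!/bin/bash
# Added example: is /run/netns/NAME a real network-namespace mount?
# `ip netns add NAME` touches an empty file at /run/netns/NAME and then
# bind-mounts /proc/self/ns/net onto it.  If that bind mount is not
# visible in the caller's mount namespace, the caller sees only the
# empty placeholder file, and `ip netns list` / `ip netns exec` fail
# on it as shown in the quoted log.
#
# Usage: netns_check NAME [DIR]      (DIR defaults to /run/netns)
# Prints "valid", "stale (<fstype>)", "missing" or "unreadable" and
# returns 0, 1, 2 or 2 respectively.
netns_check() {
    local name="$1" dir="${2:-/run/netns}" path fstype
    path="$dir/$name"
    if [ ! -e "$path" ]; then
        echo "missing"
        return 2
    fi
    # `stat -f %T` reports the type of the filesystem backing the path:
    # a live namespace file is served by nsfs, a stale placeholder is a
    # plain file on whatever backs the directory (tmpfs for /run).
    if ! fstype=$(stat -f -c %T "$path" 2>/dev/null); then
        echo "unreadable"
        return 2
    fi
    if [ "$fstype" = "nsfs" ]; then
        echo "valid"
        return 0
    fi
    echo "stale ($fstype)"
    return 1
}

# Constructed demonstration: a placeholder file in a temporary directory
# stands in for a /run/netns entry whose bind mount never became visible.
demo_dir=$(mktemp -d)
: > "$demo_dir/vpnlink"
netns_check vpnlink "$demo_dir"     # stale (<fstype of the temp dir>)
netns_check nosuch  "$demo_dir"     # missing
rm -rf "$demo_dir"
```

Run it from a root shell outside the service, as the quoted log does, and compare with `netns_check vpnlink` run via `systemd-run -p PrivateMounts=yes ...` to see whether the two mount namespaces disagree about the same path.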