CLONE_NEWNET + unix domain sockets

Alex Bligh alex at alex.org.uk
Mon Apr 25 06:56:25 PDT 2011


This is probably a bit of a newbie question, but:

I have a parent and a child process. The child does
  unshare(CLONE_NEWNET)
after the fork(). It does not unshare the filesystem
namespace or anything else.

I want the child to expose a unix domain socket, of type SOCK_STREAM.
Both act as servers, i.e. they listen on the service, accept(), then
handle the resultant connections. The socket needs to be accessed
both by the parent and by other processes (preferably processes
with both network namespaces, but primarily from the parent's).

If I create and bind the socket in the child after the unshare(),
then I cannot connect to it from the parent or processes sharing
the parent namespace. This seems surprising, as the documentation
for CLONE_NEWNET suggests only the networking space is separated,
and that would not normally appear to include UNIX domain sockets
(I would have thought they would be CLONE_NEWNS or CLONE_NEWIPC).

If I'm wrong in this assumption, and CLONE_NEWNET should isolate
unix domain sockets, something surprising still happens: if I create
the listen socket before the CLONE_NEWNET, then everything
works as intended, even though I am creating new fds via
accept() after the unshare(), i.e. the unix domain socket space
does not appear to be isolated.

It appears to be working by doing:
  bind()
  listen()
  unshare()
  accept()

but I don't understand why, or what the semantics are for interaction
between unshare(CLONE_NEWNET) and unix domain sockets. Any ideas?

-- 
Alex Bligh
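To make the interaction observable, the following C program is an added example (it is not Alex's code and not part of the original thread). It forks a child that creates a listening AF_UNIX/SOCK_STREAM socket and calls unshare(CLONE_NEWNET) either before or after bind()/listen(), then has the parent try to connect(). It runs both orderings for an abstract-namespace name, which namespaces(7) documents as belonging to the network namespace, and for a filesystem path. Assumptions of mine: the socket names ("netns-demo-<pid>", under /tmp for the path case) are arbitrary; when a bare CLONE_NEWNET is refused for lack of CAP_SYS_ADMIN the child retries with CLONE_NEWUSER|CLONE_NEWNET, which needs unprivileged user namespaces to be enabled; if neither works the probe reports -2 instead of guessing.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <sched.h>
#include <signal.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <sys/wait.h>
#include <unistd.h>

/* Outcome of one probe: could the parent connect() to the child's listener? */
enum { PROBE_REFUSED = 0, PROBE_CONNECTED = 1, PROBE_ERROR = -1, PROBE_NO_NETNS = -2 };

/* Listener address. An abstract name (leading NUL) is scoped to the network
 * namespace; a path is resolved via the mount namespace. Names are assumed. */
static socklen_t make_addr(struct sockaddr_un *sa, int use_abstract, long tag)
{
    memset(sa, 0, sizeof *sa);
    sa->sun_family = AF_UNIX;
    if (use_abstract) {
        int n = snprintf(sa->sun_path + 1, sizeof sa->sun_path - 1, "netns-demo-%ld", tag);
        return (socklen_t)(offsetof(struct sockaddr_un, sun_path) + 1 + n);
    }
    snprintf(sa->sun_path, sizeof sa->sun_path, "/tmp/netns-demo-%ld.sock", tag);
    return sizeof *sa;
}

/* Leave the parent's network namespace. Bare CLONE_NEWNET needs CAP_SYS_ADMIN;
 * the fallback assumes unprivileged user namespaces are enabled. */
static int new_netns(void)
{
    return unshare(CLONE_NEWNET) == 0 ? 0 : unshare(CLONE_NEWUSER | CLONE_NEWNET);
}

/* Child: socket/bind/listen and unshare in the requested order, report 'R'
 * (listening) or 'P' (no netns available) on the pipe, then accept() once. */
static void child_listener(int report_fd, int use_abstract, int unshare_before_bind, long tag)
{
    struct sockaddr_un sa;
    socklen_t len = make_addr(&sa, use_abstract, tag);
    int s;

    if (unshare_before_bind && new_netns() < 0)
        goto no_netns;
    s = socket(AF_UNIX, SOCK_STREAM, 0);
    if (s < 0 || bind(s, (struct sockaddr *)&sa, len) < 0 || listen(s, 1) < 0)
        _exit(1);
    if (!unshare_before_bind && new_netns() < 0)
        goto no_netns;
    if (write(report_fd, "R", 1) != 1)
        _exit(1);
    accept(s, NULL, NULL);               /* after the unshare, as in the post */
    _exit(0);
no_netns:
    _exit(write(report_fd, "P", 1) == 1 ? 0 : 1);
}

/* Parent: run one experiment and classify its connect() attempt. */
int probe(int use_abstract, int unshare_before_bind)
{
    struct sockaddr_un sa;
    long tag = (long)getpid();
    socklen_t len = make_addr(&sa, use_abstract, tag);
    int pfd[2], result = PROBE_ERROR;
    pid_t child;
    char status = 0;

    if (!use_abstract)
        unlink(sa.sun_path);             /* drop a stale socket file */
    if (pipe(pfd) < 0 || (child = fork()) < 0)
        return PROBE_ERROR;
    if (child == 0) {
        close(pfd[0]);
        child_listener(pfd[1], use_abstract, unshare_before_bind, tag);
    }
    close(pfd[1]);
    if (read(pfd[0], &status, 1) == 1 && status == 'R') {
        int c = socket(AF_UNIX, SOCK_STREAM, 0);
        if (connect(c, (struct sockaddr *)&sa, len) == 0)
            result = PROBE_CONNECTED;
        else if (errno == ECONNREFUSED || errno == ENOENT)
            result = PROBE_REFUSED;      /* no listener visible from here */
        close(c);
    } else if (status == 'P') {
        result = PROBE_NO_NETNS;
    }
    close(pfd[0]);
    kill(child, SIGKILL);
    waitpid(child, NULL, 0);
    if (!use_abstract) unlink(sa.sun_path);
    return result;
}

int main(void)
{
    const char *order[] = { "bind,listen,unshare,accept", "unshare,bind,listen,accept" };
    for (int use_abs = 0; use_abs < 2; use_abs++)
        for (int first = 0; first < 2; first++)   /* 1=connected 0=refused -2=no netns */
            printf("%-8s %-27s -> %d\n", use_abs ? "abstract" : "path", order[first], probe(use_abs, first));
    return 0;
}
```

With the post's ordering (bind, listen, unshare, accept) the parent connects for both address types: the listening socket was created in, and stays attached to, the parent's network namespace, and accept() after the unshare only creates new fds for a socket that is already placed. Binding an abstract name after the unshare is refused from the parent, because the abstract name table is per network namespace. Whether a filesystem path bound after the unshare is reachable depends on the kernel: kernels of that era restricted the inode lookup to the creating socket's network namespace as well, which is the behaviour Alex reports, while later kernels lifted that restriction, so the program prints the result for that case rather than assuming it.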