CLONE_NEWNET + unix domain sockets

Alex Bligh alex at alex.org.uk
Mon Apr 25 07:43:34 PDT 2011



--On 25 April 2011 09:12:28 -0500 Serge Hallyn <serge.hallyn at canonical.com> 
wrote:

> Nope, while there have been discussions about the right thing to do,
> last I knew unix domain sockets were completely tied to the network
> namespace.

OK

> Sockets, like file descriptors, persist as handles in the namespace
> in which they were created.
...
> Likewise, if you connect a socket before CLONE_NEWNET, then you
> can continue to use it after CLONE_NEWNET.  This is by design.  A
> server can (and some do) create hundreds of thousands of network
> namespaces, creating one connected socket in each, with no other
> handle to that ns left other than that socket.

Ah, so the socket persists because of the FD despite its namespace being
unshared, simply because the listen fd persists across the unshare(); I can
thus accept() on a listening socket which is in another namespace, and
generate an fd that works just fine. This is what I missed. It is
useful behaviour. Thanks.

-- 
Alex Bligh
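Added example (not part of the thread, and not code from either poster): a
small Linux C program that exercises exactly the behaviour discussed above.
It binds a listening AF_UNIX socket and connects a client to it, both in the
original network namespace, then calls unshare(CLONE_NEWNET) and shows that
accept() on the old-namespace listener still returns a working fd and that
the pre-unshare client fd still talks to it. As a contrast it then creates a
fresh socket in the new namespace and tries to connect to the same name; the
abstract-namespace name (leading NUL in sun_path) is scoped to the network
namespace, so that connect() fails with ECONNREFUSED. The abstract name
"newnet-demo-<pid>" is an arbitrary choice for the example. Plain
unshare(CLONE_NEWNET) needs CAP_SYS_ADMIN, so the code falls back to
unshare(CLONE_NEWUSER | CLONE_NEWNET) for unprivileged runs; if that is also
refused (some sandboxes block user namespaces) it still completes and
records that the namespace was not changed.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <sched.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <unistd.h>

/* What one run of the demonstration observed. */
struct demo_result {
    int unshared;            /* 1 if we ended up in a fresh network namespace */
    int unshare_errno;       /* errno if unshare() failed, else 0 */
    int preconnected_works;  /* client fd connected before unshare still works */
    int accepted_works;      /* accept() on the old-namespace listener works */
    int fresh_connect_errno; /* connect() of a NEW socket to the old name after unshare (0 = success) */
};

/* Build an abstract-namespace address (sun_path[0] == '\0', name follows).
 * Abstract names are looked up per network namespace, which is what makes
 * the final connect() in run_demo() fail once we have left the namespace.
 * Returns the length to pass to bind()/connect(). */
static socklen_t make_abstract_addr(struct sockaddr_un *addr, const char *name)
{
    size_t n = strlen(name);
    memset(addr, 0, sizeof(*addr));
    addr->sun_family = AF_UNIX;
    if (n > sizeof(addr->sun_path) - 1)
        n = sizeof(addr->sun_path) - 1;
    memcpy(addr->sun_path + 1, name, n);
    return (socklen_t)(offsetof(struct sockaddr_un, sun_path) + 1 + n);
}

/* Leave the current network namespace. CLONE_NEWNET alone needs
 * CAP_SYS_ADMIN; an unprivileged process can usually get there by creating
 * a user namespace in the same unshare() call. */
static int leave_netns(int *err)
{
    if (unshare(CLONE_NEWNET) == 0 || unshare(CLONE_NEWUSER | CLONE_NEWNET) == 0)
        return 1;
    *err = errno;
    return 0;
}

struct demo_result run_demo(void)
{
    struct demo_result r = {0};
    struct sockaddr_un addr;
    char name[64], buf[8];
    int lfd, client, cfd, fresh;
    socklen_t alen;

    /* Arbitrary per-process name (example assumption) so concurrent runs do not collide. */
    snprintf(name, sizeof(name), "newnet-demo-%ld", (long)getpid());
    alen = make_abstract_addr(&addr, name);

    /* 1. Listener and a connected client, both created in the ORIGINAL netns.
     *    For AF_UNIX, connect() completes once the connection is queued in the
     *    listener's backlog; no accept() is needed yet. */
    lfd = socket(AF_UNIX, SOCK_STREAM, 0);
    client = socket(AF_UNIX, SOCK_STREAM, 0);
    if (lfd < 0 || client < 0 ||
        bind(lfd, (struct sockaddr *)&addr, alen) < 0 || listen(lfd, 2) < 0 ||
        connect(client, (struct sockaddr *)&addr, alen) < 0) {
        perror("setup");
        return r;
    }

    /* 2. Move this process into a new network namespace. lfd and client are
     *    plain handles and keep referring to sockets in the OLD namespace. */
    r.unshared = leave_netns(&r.unshare_errno);

    /* 3. accept() on the old-namespace listener still yields a usable fd, and
     *    the pre-unshare client fd still exchanges data with it. */
    cfd = accept(lfd, NULL, NULL);
    if (cfd >= 0 && send(client, "hello", 5, 0) == 5 &&
        recv(cfd, buf, sizeof(buf), 0) == 5 && memcmp(buf, "hello", 5) == 0)
        r.accepted_works = 1;
    if (cfd >= 0 && send(cfd, "ack", 3, 0) == 3 &&
        recv(client, buf, sizeof(buf), 0) == 3 && memcmp(buf, "ack", 3) == 0)
        r.preconnected_works = 1;

    /* 4. A NEW socket belongs to the NEW namespace, where the abstract name
     *    bound above does not exist, so connect() is refused (ECONNREFUSED).
     *    If unshare() failed we are still in the old namespace and it succeeds. */
    fresh = socket(AF_UNIX, SOCK_STREAM, 0);
    if (fresh >= 0 && connect(fresh, (struct sockaddr *)&addr, alen) < 0)
        r.fresh_connect_errno = errno;

    if (fresh >= 0) close(fresh);
    if (cfd >= 0) close(cfd);
    close(client);
    close(lfd);
    return r;
}

int main(void)
{
    struct demo_result r = run_demo();
    printf("left netns: %s\n", r.unshared ? "yes" : strerror(r.unshare_errno));
    printf("accept() on old-ns listener works: %d\n", r.accepted_works);
    printf("pre-unshare client fd works:       %d\n", r.preconnected_works);
    printf("fresh connect() from new ns:       %s\n",
           r.fresh_connect_errno ? strerror(r.fresh_connect_errno) : "succeeded");
    return 0;
}
```

Run it as a normal user; with user namespaces available you should see the
first three lines report success and the last one "Connection refused",
which is the whole thread in one screen: the fds outlive the unshare, but
new lookups happen in the namespace the calling process is in now.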

