netns: Issues with deleting virtual interfaces during namespace cleanup

Ward, David - 0663 - MITLL david.ward at
Sat Feb 26 08:59:27 PST 2011

(Apologies for the cross-post, but Thunderbird messed up the formatting 
when I sent this originally, and then I realized I sent it to the wrong 

A patch was applied to the kernel in November 2008 that deletes virtual 
network interfaces when network namespaces are cleaned up 
(d0c082cea6dfb9b674b4f6e1e84025662dbd24e8).  A discussion about this 
patch took place on this list 
where Daniel Lezcano wrote:

 > After discussing with Benjamin, this patch means an user can no longer
 > manage a pool of virtual devices because they will be automatically
 > destroyed when the namespace exits. I don't think it is a big concern,
 > but just in case I am asking :)

I currently have two use cases where this behavior is not desirable:

   1. I use a veth pair device to connect two containers together (as
      opposed to connecting a container to the host).  To do this, I
      create the veth pair device manually in the host with iproute2
      ("ip link add type veth").  Then when I start each container, it
      pulls in one of the interfaces of the veth pair device with
      " = phys".  When I stop one of the containers, its
      interface to the veth pair device is deleted instead of moved back
      to the host, so I can not just start the stopped container again
      and re-establish the same link.
   2. I start a process in the host that creates a TUN/TAP interface,
      such as a VPN client.  I pull the TUN/TAP interface into the
      container with " = phys".  When the container
      exits, the TUN/TAP interface is deleted because it is a virtual
      interface, while the VPN client process continues to run in the
      host.  Again I can not just start the container again with the
      same connection; I have to restart the VPN client.

It makes sense that virtual network interfaces that get created inside a 
container should be deleted when the container exits.  However, I feel 
that network interfaces from the host that get assigned to the container 
should be returned to the host when the container exits, whether they 
are physical or virtual.

Can the kernel distinguish between network interfaces that were created 
inside the namespace, and network interfaces that were moved there?


-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 5650 bytes
Desc: S/MIME Cryptographic Signature
Url : 

More information about the Containers mailing list