Discussion:
Run a separate instance of systemd-networkd in a namespace?
Dmitrii Sutiagin
2017-05-26 18:44:20 UTC
Hi everyone,

I'm trying to set up a VPN in a namespace, so I could use my base
network connection as usual and at the same time spawn a console or
browser in that namespace where the VPN is running. So far I've sorted out
everything except DNS resolution. Inside the namespace there is no
systemd-networkd, so if my /etc/resolv.conf does not contain a valid
external DNS server then DNS inside the namespace does not work. And
since the VPN tries to dynamically update /etc/resolv.conf (and with the latest
vpnc-script updates actually communicates with systemd-resolved via
busctl), I should not hardcode values in there. OpenConnect inside the
namespace is able to (somehow) talk with the root namespace's
systemd-networkd via busctl, but systemd-resolved reports that "link X is
not known", which is probably expected: this link is inside the
namespace. So my ask is: can I somehow use systemd-resolved with such a
setup? I tried starting a separate process of systemd-resolved inside the
namespace directly and got:

-------------------------------------
...
Failed to register name: File exists
Could not create manager: File exists
-------------------------------------

Can I somehow change the D-Bus name used by resolved, so that I
could edit vpnc-script to use the modified name? It looks like it's not
possible, but maybe I overlooked something.

Please share your thoughts!
Lennart Poettering
2017-05-29 13:11:06 UTC
Post by Dmitrii Sutiagin
Hi everyone,
I'm trying to set up a VPN in a namespace, so I could use my base network
connection as usual and at the same time spawn a console or browser in that
namespace where the VPN is running. So far I've sorted out everything except DNS
resolution. Inside the namespace there is no systemd-networkd, so if my
/etc/resolv.conf does not contain a valid external DNS server then DNS
inside the namespace does not work. And since the VPN tries to dynamically
update /etc/resolv.conf (and with the latest vpnc-script updates actually
communicates with systemd-resolved via busctl), I should not hardcode values
in there. OpenConnect inside the namespace is able to (somehow) talk with the root
namespace's systemd-networkd via busctl, but systemd-resolved reports that
"link X is not known", which is probably expected: this link is inside the
namespace. So my ask is: can I somehow use systemd-resolved with such a
setup? I tried starting a separate process of systemd-resolved inside the
namespace directly and got:
-------------------------------------
...
Failed to register name: File exists
Could not create manager: File exists
-------------------------------------
Can I somehow change the D-Bus name used by resolved, so that I could
edit vpnc-script to use the modified name? It looks like it's not possible,
but maybe I overlooked something.
Please share your thoughts!
Sorry, but this is not supported. Both resolved assume that the IPC
and /run context they run in and the network namespace they run in are
matching. There's no support for mixing and matching them in arbitrary
ways, and it's unlikely this will ever be supported.

I am sorry,

Lennart
--
Lennart Poettering, Red Hat
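An added diagnostic, not from this thread and not part of systemd, that makes the reply's point checkable on a running system: the "link X is not known" error is what you get when the process talking to systemd-resolved over the bus lives in a different network namespace than resolved itself, since resolved only knows the links of its own namespace. The script compares the network namespace identities exposed under /proc (the `net:[inode]` link target of `/proc/<pid>/ns/net`) for the calling shell and for systemd-resolved. It assumes Linux with /proc mounted and a `pidof` binary (procps or busybox); the function and variable names are my own.

```shell
#!/bin/sh
# Added example (not from the thread, not systemd's own tooling): check
# whether the calling shell and systemd-resolved share a network namespace.
# Assumes Linux with /proc mounted; `pidof` is assumed to be available.

# Print the network namespace identity of a PID, e.g. "net:[4026531992]".
# Fails (non-zero) if the PID does not exist or /proc is not readable.
netns_of() {
    readlink "/proc/$1/ns/net"
}

# Pure comparison of two namespace identity strings: 0 if equal and
# non-empty, 1 otherwise.
same_ns_id() {
    [ -n "$1" ] && [ "$1" = "$2" ]
}

# 0 if PID $1 and PID $2 are in the same network namespace, 1 if they
# differ, 2 if either identity could not be read.
same_netns() {
    a=$(netns_of "$1") || return 2
    b=$(netns_of "$2") || return 2
    same_ns_id "$a" "$b"
}

# Report whether this shell shares its network namespace with the first
# systemd-resolved process found. Exit status: 0 same, 1 different,
# 2 resolved not running or namespaces unreadable.
check_resolved_netns() {
    pid=$(pidof systemd-resolved 2>/dev/null | cut -d' ' -f1)
    if [ -z "$pid" ]; then
        echo "systemd-resolved is not running (or pidof unavailable)"
        return 2
    fi
    same_netns "$$" "$pid"
    rc=$?
    case $rc in
        0) echo "same network namespace as systemd-resolved ($pid): its bus API will see your links" ;;
        1) echo "different network namespace from systemd-resolved ($pid): expect 'link ... is not known'" ;;
        *) echo "could not read namespace identity for pid $pid" ;;
    esac
    return $rc
}

# Run the check when executed directly; the `|| :` keeps a non-zero
# result from aborting a shell that has `set -e` enabled.
check_resolved_netns || :
```

Run it from inside the VPN namespace (for example under `ip netns exec`) and from the host shell; the two outputs differ, which is exactly the mismatch the reply says is unsupported. The same comparison works for any other bus-backed daemon you intend to drive from a namespace, since the `/proc/<pid>/ns/net` identity is what the kernel uses, not anything the daemon reports about itself.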