using nsenter and running daemon within a namespace
Shea Sullivan
2018-10-26 22:54:52 UTC
Hi,
I am trying to set up systemd unit files for a couple of daemons that
need to run within a specific network namespace. Specifically, I have
a namespace called ABC that is tied to the secondary VNIC on my
machine (ens4) while the default namespace is plumbed to the primary
VNIC (ens3). So it looks like this:

Primary:
# ip link show dev ens3
2: ens3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9000 qdisc mq state UP
mode DEFAULT group default qlen 1000

Secondary/ABC namespace:
# ip netns exec ABC ip link show dev ens4
3: ens4: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9000 qdisc mq state UP
mode DEFAULT group default qlen 1000

Since the 2nd VNIC is connected to a different network, I want a few
of my internal services to run _there_ instead of in the default.

So here's my question:
when I set up my service file, I understand I need to give the path to
the daemon with
ExecStart=
`Unless Type= is oneshot, exactly one command must be given.`

What do you suggest if I want to run my command like this:
/bin/nsenter -t {PID} -m -n /usr/bin/squid

where squid (for example) is the daemon itself; but nsenter allows me
to run it in that namespace?

Just confused about whether that's technically one command or not...
can I still use Type=Simple?

Thanks in advance,

Shea
Mantas Mikulėnas
2018-10-27 18:37:10 UTC
Post by Shea Sullivan
Hi,
I am trying to set up systemd unit files for a couple of daemons that
need to run within a specific network namespace. Specifically, I have
a namespace called ABC that is tied to the secondary VNIC on my
machine (ens4) while the default namespace is plumbed to the primary
# ip link show dev ens3
2: ens3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9000 qdisc mq state UP
mode DEFAULT group default qlen 1000
# ip netns exec ABC ip link show dev ens4
3: ens4: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9000 qdisc mq state UP
mode DEFAULT group default qlen 1000
Since the 2nd VNIC is connected to a different network, I want a few
of my internal services to run _there_ instead of in the default.
when I set up my service file, I understand I need to give the path to
the daemon with
ExecStart=
`Unless Type= is oneshot, exactly one command must be given.`
/bin/nsenter -t {PID} -m -n /usr/bin/squid
where squid (for example) is the daemon itself; but nsenter allows me
to run it in that namespace?
Just confused about whether that's technically one command or not...
It is.
Post by Shea Sullivan
can I still use Type=Simple?
Usually `nsenter` directly exec()'s the main program. So the correct type
remains exactly the same as with plain Squid.
--
Mantas Mikulėnas
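A unit file that puts the advice above into practice, added here as an illustration and not posted by either participant. It assumes the namespace was created with `ip netns add ABC` (so its handle lives at /run/netns/ABC), that squid is started with its foreground switch `-N`, and that the unit is named squid-abc.service; all three are assumptions.

```ini
# /etc/systemd/system/squid-abc.service  (constructed example)
[Unit]
Description=Squid proxy running inside the ABC network namespace
# The namespace itself is created out of band (ip netns add ABC);
# this unit only joins it.
After=network-online.target
Wants=network-online.target

[Service]
# nsenter exec()s squid, so the unit type is the one plain squid needs.
# squid -N keeps the master process in the foreground, which is what
# Type=simple expects; without -N you would use Type=forking instead.
Type=simple
# Join the named namespace by its file handle instead of by a target PID,
# which avoids having to discover a {PID} first. Only the network
# namespace is entered; -m (mount namespace) is not needed for this.
ExecStart=/usr/bin/nsenter --net=/run/netns/ABC /usr/bin/squid -N
Restart=on-failure

[Install]
WantedBy=multi-user.target
```

A quick check after `systemctl start squid-abc` is `ip netns pids ABC`, which should list the squid PID; systemd 242 and later also offer a native `NetworkNamespacePath=/run/netns/ABC` directive that removes the nsenter wrapper entirely.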