I'm trying to launch an app inside a network namespace from a systemd service. I tried using NetworkNamespacePath= but when I use it all network requests fail. If I launch the app in ExecStart using ip netns exec it works, but it's not very clean and I have to reset the user using sudo. What am I doing wrong with NetworkNamespacePath=?

I don't think it should matter much but I'm running Ubuntu Server 20.04 LTS. This is my service file.

[Unit]
Description=My Service
# netns.service sets up the network namespace
After=network-online.target netns.service
Requires=network-online.target netns.service

[Service]
Type=simple

The following doesn't work, app starts but every network request fails

NetworkNamespacePath=/run/netns/mynetns
User=user
Group=user
ExecStart=/usr/bin/app

If I change it to this, it works

ExecStart=/usr/sbin/ip netns exec mynetns sudo -u user /usr/bin/app

[Install]
WantedBy=multi-user.target

Fr3ddyDev

1 Answer


It is likely related to DNS, or at least was for me in the same scenario. The default system resolver may not be accessible from the network namespace.

As noted in the man page, ip netns exec automatically creates namespace-specific configuration bind mounts which will not be reproduced by your systemd unit:

For applications that are aware of network namespaces, the convention is to look for global network configuration files first in /etc/netns/NAME/ then in /etc/. For example, if you want a different version of /etc/resolv.conf for a network namespace used to isolate your vpn you would name it /etc/netns/myvpn/resolv.conf.

ip netns exec automates handling of this configuration, file convention for network namespace unaware applications, by creating a mount namespace and bind mounting all of the per network namespace configure files into their traditional location in /etc.

Therefore, if you have set a custom resolver in /etc/netns/mynetns/resolv.conf, you must bind it in the service file:

[Service]
NetworkNamespacePath=/run/netns/mynetns
BindReadOnlyPaths=/etc/netns/mynetns/resolv.conf:/etc/resolv.conf
sjy
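The man page text quoted in the answer says that ip netns exec bind-mounts every file under /etc/netns/NAME/ over its counterpart in /etc, not only resolv.conf, so a unit that hand-binds one file will still diverge from ip netns exec as soon as a second file (hosts, nsswitch.conf, ...) is added to that directory. The script below is an added example, not code from the question or the answer: it reproduces the ip netns exec convention as systemd directives by walking /etc/netns/NAME/ and emitting one BindReadOnlyPaths= line per file, and writes them together with NetworkNamespacePath= into a drop-in so the main unit stays untouched. The function names, the drop-in file name 10-netns.conf and the sample resolv.conf contents are assumptions made for the example; the ETC_DIR and DROPIN_ROOT parameters exist only so it can be exercised against a constructed tree instead of the real /etc.

```shell
#!/bin/sh
# Added example: reproduce what `ip netns exec NAME` does for /etc/netns/NAME/
# as systemd unit directives, so a unit using NetworkNamespacePath= sees the
# same per-namespace config files. Function names are assumptions.

# netns_bind_paths NAME [ETC_DIR]
# Print one BindReadOnlyPaths=SRC:DST line per file in ETC_DIR/netns/NAME/
# (ETC_DIR defaults to /etc). Returns 1 if the namespace has no such directory.
netns_bind_paths() {
    name="$1"
    etc="${2:-/etc}"
    dir="$etc/netns/$name"
    [ -d "$dir" ] || return 1
    for f in "$dir"/*; do
        [ -e "$f" ] || continue          # empty directory: glob stays literal
        base=$(basename "$f")
        printf 'BindReadOnlyPaths=%s:%s\n' "$f" "$etc/$base"
    done
}

# netns_write_dropin NAME UNIT [ETC_DIR] [DROPIN_ROOT]
# Write DROPIN_ROOT/UNIT.d/10-netns.conf (DROPIN_ROOT defaults to
# /etc/systemd/system) containing NetworkNamespacePath= plus the bind lines,
# and print the path of the file written.
netns_write_dropin() {
    name="$1"
    unit="$2"
    etc="${3:-/etc}"
    root="${4:-/etc/systemd/system}"
    d="$root/$unit.d"
    mkdir -p "$d"
    {
        printf '[Service]\n'
        printf 'NetworkNamespacePath=/run/netns/%s\n' "$name"
        netns_bind_paths "$name" "$etc"
    } > "$d/10-netns.conf"
    printf '%s\n' "$d/10-netns.conf"
}

# Demo on a constructed tree under a temporary directory (never the real /etc),
# so the script can be run anywhere without root.
demo=$(mktemp -d)
mkdir -p "$demo/etc/netns/mynetns"
printf 'nameserver 10.0.0.53\n' > "$demo/etc/netns/mynetns/resolv.conf"   # constructed sample
dropin=$(netns_write_dropin mynetns app.service "$demo/etc" "$demo/systemd")
cat "$dropin"
rm -rf "$demo"
```

Run it against the real tree as root with `netns_write_dropin mynetns app.service` and then `systemctl daemon-reload`; the generated drop-in carries the NetworkNamespacePath= line, so that directive can be dropped from the main unit. Generate the drop-in again whenever a file is added to or removed from /etc/netns/mynetns/, since systemd only binds what the unit lists.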