The ip netns creates the reference to the (named) network namespace in /var/run/ns, which could be easily tracked. Also, the same could be determined through /proc/[pid]/ns/net. However, it is possible for some custom program to create a net ns and save the corresponding inode at some other unconventional location. This can make it difficult to determine whether or not there are net ns that we could list out.
Secondly, unshare <cmd> destroys the net ns when the process exits, which is fine. However, ip netns exec <netns> <cmd> will keep the ns even after the command/process exits. So I believe it could be possible for any custom program to do the same.
Hence, the question is: Is it possible that a custom program creates an unnamed net ns, and it is left unassociated with any process?
Furthermore, is it possible to list out such (hidden) net ns from user-space, given that we do not know the paths to the inodes? (The kernel of course has a linked list of the net ns) A code snippet will be helpful.
Linux network namespaces are a Linux kernel feature allowing us to isolate network environments through virtualization. For example, using network namespaces, you can create separate network interfaces and routing tables that are isolated from the rest of the system and operate independently.
ip netns list - show all of the named network namespaces
This command displays all of the network namespaces in /var/run/netns.
ip netns add NAME - create a new named network namespace
If NAME is available in /var/run/netns this command creates a new network namespace and assigns NAME.
Creating a separate mount namespace allows each of these isolated processes to have a completely different view of the entire system's mountpoint structure from the original one. This allows you to have a different root for each isolated process, as well as other mountpoints that are specific to those processes.
Is it possible that a custom program creates an unnamed net ns, and it is left unassociated with any process?
Yes, it's possible. According to the Linux namespaces man page (http://man7.org/linux/man-pages/man7/namespaces.7.html):
Each process has a /proc/[pid]/ns/ subdirectory containing one entry for each namespace that supports being manipulated by setns(2):
Bind mounting (see mount(2)) one of the files in this directory to somewhere else in the filesystem keeps the corresponding namespace of the process specified by pid alive even if all processes currently in the namespace terminate.
About the other question:
is it possible to list out such (hidden) net ns from user-space, given that we do not know the paths to the inodes?
If you consider the above quote from the first question, by examining bound paths you should be able to find those hidden namespaces.
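Putting the answer's two hints together (the /proc/[pid]/ns/net links and the bind-mounted namespace files), the following added Python script, which is not part of the original question or answer, enumerates network namespaces from user space and flags the ones that no process is in. It reads /proc/<pid>/ns/net and /proc/<pid>/fd/* for every process (a namespace can also be kept alive by an open file descriptor), and parses /proc/self/mountinfo for nsfs bind mounts, which catches a namespace file saved at an unconventional path as long as the mount is visible in the caller's mount namespace. The sample mountinfo text is constructed for illustration; the nsfs filesystem type assumed here is what kernels since 3.19 report for such bind mounts. Run it as root, otherwise /proc entries of other users' processes cannot be read and are skipped.

```python
"""Enumerate Linux network namespaces visible from user space (added example).

Sources combined:
  1. /proc/<pid>/ns/net    - namespaces that contain a live process
  2. /proc/<pid>/fd/<n>    - namespaces a process holds open as a descriptor
  3. /proc/self/mountinfo  - nsfs bind mounts, e.g. /var/run/netns/NAME or any
                             unconventional path a custom program chose
A namespace found only through (3) has no process attached: the "hidden" case.
"""
import os
import re
from typing import Dict, Set

NET_NS_RE = re.compile(r"^net:\[(\d+)\]$")

# Constructed sample of /proc/self/mountinfo lines (not captured from a real host).
# Field layout: id parent maj:min root mountpoint opts [optional...] - fstype source superopts
SAMPLE_MOUNTINFO = "\n".join([
    "22 27 0:21 / /proc rw,nosuid - proc proc rw",
    "36 27 0:4 net:[4026532123] /run/netns/blue rw shared:1 - nsfs nsfs rw",
    "37 27 0:4 net:[4026532200] /opt/hidden/ns\\040file rw - nsfs nsfs rw",
    "38 27 0:4 mnt:[4026531840] /run/mntns/x rw - nsfs nsfs rw",
])


def inode_from_ns_link(target: str):
    """Parse a namespace link target such as 'net:[4026531992]' -> 4026531992.
    Returns None for anything that is not a net namespace reference."""
    m = NET_NS_RE.match(target)
    return int(m.group(1)) if m else None


def netns_from_mountinfo(text: str) -> Dict[int, Set[str]]:
    """Map net ns inode -> mount points where that namespace file is bind-mounted.
    For a namespace bind mount the 'root' field is the link target ('net:[...]')
    and the filesystem type after the '-' separator is 'nsfs'."""
    found: Dict[int, Set[str]] = {}
    for line in text.splitlines():
        fields = line.split()
        if "-" not in fields:
            continue
        sep = fields.index("-")
        if sep < 5 or len(fields) < sep + 2 or fields[sep + 1] != "nsfs":
            continue
        inode = inode_from_ns_link(fields[3])
        if inode is None:
            continue
        mount_point = fields[4].replace("\\040", " ")  # mountinfo escapes spaces as \040
        found.setdefault(inode, set()).add(mount_point)
    return found


def netns_from_proc(proc: str = "/proc") -> Dict[int, Set[int]]:
    """Map net ns inode -> pids that are in it (ns/net) or hold it open (fd/*)."""
    found: Dict[int, Set[int]] = {}
    for entry in os.listdir(proc):
        if not entry.isdigit():
            continue
        pid = int(entry)
        links = [os.path.join(proc, entry, "ns", "net")]
        fd_dir = os.path.join(proc, entry, "fd")
        try:
            links += [os.path.join(fd_dir, fd) for fd in os.listdir(fd_dir)]
        except OSError:
            pass  # process exited, or not ours to inspect without root
        for link in links:
            try:
                inode = inode_from_ns_link(os.readlink(link))
            except OSError:
                continue
            if inode is not None:
                found.setdefault(inode, set()).add(pid)
    return found


def unattached_netns(mounted: Dict[int, Set[str]], live: Dict[int, Set[int]]):
    """Inodes kept alive only by a bind mount: no process in them or holding them."""
    return sorted(i for i in mounted if i not in live)


def report(mounted: Dict[int, Set[str]], live: Dict[int, Set[int]]) -> None:
    for inode in sorted(set(mounted) | set(live)):
        pids = sorted(live.get(inode, ()))
        paths = sorted(mounted.get(inode, ()))
        print(f"net:[{inode}]  pids={pids or '-'}  mounts={paths or '-'}")
    for inode in unattached_netns(mounted, live):
        print(f"net:[{inode}] has no process: kept alive by bind mount only")


if __name__ == "__main__":
    print("--- constructed sample ---")
    report(netns_from_mountinfo(SAMPLE_MOUNTINFO), {4026532123: {1234}})
    print("--- this host ---")
    with open("/proc/self/mountinfo") as f:
        report(netns_from_mountinfo(f.read()), netns_from_proc())
```

On the constructed sample the script reports net:[4026532200] (mounted at /opt/hidden/ns file) as unattached. The limits are the ones the answer implies: a namespace whose file is bind-mounted inside another process's private mount namespace, or whose only holder is an open socket rather than a process or descriptor, is not visible through these three sources, so for a full inventory the check has to be repeated from inside each mount namespace (for example via nsenter) or done from the kernel side.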