4

I'm trying to launch an app inside a network namespace from a systemd service. I tried using NetworkNamespacePath= but when I use it all network requests fail. If I launch the app in ExecStart using ip netns exec it works, but it's not very clean and I have to reset the user using sudo. What am I doing wrong with NetworkNamespacePath=?

I don't think it should matter much but I'm running Ubuntu Server 20.04 LTS. This is my service file.

    [Unit]
    Description=My Service
    # netns.service sets up the network namespace
    After=network-online.target netns.service
    Requires=network-online.target netns.service

    [Service]
    Type=simple
    # The following doesn't work, app starts but every network request fails
    NetworkNamespacePath=/run/netns/mynetns
    User=user
    Group=user
    ExecStart=/usr/bin/app
    # If I change it to this, it works
    #ExecStart=/usr/sbin/ip netns exec mynetns sudo -u user /usr/bin/app

    [Install]
    WantedBy=multi-user.target

1 Answer

4

It is likely related to DNS, or at least was for me in the same scenario. The default system resolver may not be accessible from the network namespace.

As noted in the man page, ip netns exec automatically creates namespace-specific configuration bind mounts which will not be reproduced by your systemd unit:

For applications that are aware of network namespaces, the convention is to look for global network configuration files first in /etc/netns/NAME/ then in /etc/. For example, if you want a different version of /etc/resolv.conf for a network namespace used to isolate your vpn you would name it /etc/netns/myvpn/resolv.conf.

ip netns exec automates handling of this configuration, file convention for network namespace unaware applications, by creating a mount namespace and bind mounting all of the per network namespace configure files into their traditional location in /etc.

Therefore, if you have set a custom resolver in /etc/netns/mynetns/resolv.conf, you must bind it in the service file:

    [Service]
    NetworkNamespacePath=/run/netns/mynetns
    BindReadOnlyPaths=/etc/netns/mynetns/resolv.conf:/etc/resolv.conf
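The answer above binds one file by hand; the following added example (not part of the original answer) generalizes it by listing every top-level entry under /etc/netns/NAME/ and emitting the matching read-only bind directive for a unit that uses NetworkNamespacePath=. The function name `netns_bind_lines` and its `ETC_ROOT` argument are hypothetical, and the sample tree is constructed for the demo.

```shell
#!/bin/sh
# Added example: print the BindReadOnlyPaths= lines a unit needs so that it
# sees the same per-namespace /etc files that `ip netns exec NAME` provides.

# netns_bind_lines NAME [ETC_ROOT]
#   ETC_ROOT (hypothetical helper argument) defaults to /etc; it only selects
#   where to look, the emitted paths always refer to the real /etc/netns/NAME.
netns_bind_lines() {
    name=$1
    etc_root=${2:-/etc}

    # Refuse names that would resolve outside /etc/netns (for example "../x").
    case $name in
        ''|.|..|*/*) echo "invalid namespace name: '$name'" >&2; return 2 ;;
    esac

    conf_dir="$etc_root/netns/$name"
    if [ ! -d "$conf_dir" ]; then
        echo "no per-namespace config in $conf_dir; nothing to bind" >&2
        return 1
    fi

    # Top-level entries only; each one maps onto its counterpart in /etc.
    for entry in "$conf_dir"/* "$conf_dir"/.[!.]*; do
        [ -e "$entry" ] || continue          # glob matched nothing
        base=${entry##*/}
        printf 'BindReadOnlyPaths=%s:/etc/%s\n' "/etc/netns/$name/$base" "$base"
    done
}

# Demo against a constructed tree (sample data, not a real system's /etc).
demo_root=$(mktemp -d)
mkdir -p "$demo_root/netns/mynetns"
echo 'nameserver 192.0.2.53' > "$demo_root/netns/mynetns/resolv.conf"
netns_bind_lines mynetns "$demo_root"
rm -rf "$demo_root"
```

The printed lines go under [Service] next to NetworkNamespacePath=; the binds are read-only, so the service cannot modify the namespace's resolver configuration.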
