paulgorman.org


Sun Jan 28 08:54:12 EST 2018

Slept from one-thirty to eight-thirty. High of forty and partly sunny today.

Goals:

- Continue work on Nanook network namespaces
  Done.
- Call mom
  Done.
- D&D at Scott's place
  No. Karina and Steven backed out of the game at the last minute, and Scott didn't want to host for just Ed and me. Bums.

Got network namespaces working on Nanook. Realized I don't need a different subnet for the new namespace, which simplifies things.

---

nanook ~ $ cat bin/netns-vpn-up
#!/bin/sh
set -uf
#---------------------------------------------------------------------------
# Create a private network namespace for OpenVPN and things that need to
# use the VPN, like Unbound. Start things to be VPN'd like:
#
#     ip netns exec vpn mycommand
#---------------------------------------------------------------------------
ns="vpn"
ip netns add "$ns"
ip netns exec "$ns" ip li set dev lo up
ip link add veth0 type veth peer name veth1
ip link set veth1 netns "$ns"
ip li set up dev veth0
ip netns exec "$ns" ip addr add 10.0.0.3/24 dev veth1
ip netns exec "$ns" ip li set up dev veth1
ip netns exec "$ns" ip ro add default via 10.0.0.1 dev veth1
ip link set dev veth0 master br0

Now, to set OpenVPN and Unbound to actually use the new namespace....

Here, Poettering better explains the limits of systemd and netns:
https://github.com/systemd/systemd/issues/3939#issuecomment-239107625

> network namespaces are a kernel feature, and if used mean that network devices exist in precisely one network namespace (with exception of the loopback device). That means: systemd on the host knows nothing about and cannot see network devices inside of namespaces, and systemd running inside of one of those namespaces can't see the network devices of the host.

> This is a by design of the kernel, and thus systemd cannot track the state of a device in another namespace, and really shouldn't even if it could.
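Until OpenVPN brings its tunnel up inside the namespace, the default route installed by netns-vpn-up goes out veth1 to the LAN gateway, so anything started in the namespace too early talks to the network unencrypted. The guard below is an added example, not part of this entry or of Nanook's runbook: it asks the kernel which device would carry a packet to a public address from inside the namespace and only passes when that device is a tunnel. The namespace name "vpn", the "tun" device prefix and the probe address 1.1.1.1 are assumptions.

```shell
#!/bin/sh
# Added example: refuse to start VPN-only services (like Unbound) until
# the namespace routes public traffic through a tunnel device.
# Assumptions: namespace "vpn", OpenVPN device named tun*, probe 1.1.1.1.
set -u

# Print the "dev" field from one line of `ip route get` output, e.g.
# "1.1.1.1 via 10.8.0.5 dev tun0 src 10.8.0.6 uid 0" -> "tun0".
route_dev() {
    set -- $1
    while [ $# -gt 1 ]; do
        if [ "$1" = "dev" ]; then
            printf '%s\n' "$2"
            return 0
        fi
        shift
    done
    return 1
}

# Return 0 only when the route would leave through a tun* device.
# A route via veth1 (the LAN gateway) or no route at all fails.
route_is_tunnel() {
    dev=$(route_dev "$1") || return 1
    case "$dev" in
        tun*) return 0 ;;
        *) return 1 ;;
    esac
}

# Live check, to be run as root before `ip netns exec vpn ...`:
# resolve the route for the probe address inside the namespace.
vpn_ns_guard() {
    ns="${1:-vpn}"
    out=$(ip netns exec "$ns" ip -4 route get 1.1.1.1 2>/dev/null) || return 1
    route_is_tunnel "$out"
}
```

As an ExecStartPre= line after netns-vpn-up, a non-zero exit from vpn_ns_guard keeps systemd from starting Unbound on the unprotected path.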
# cp /lib/systemd/system/unbound.service /etc/systemd/system/
# vim /etc/systemd/system/unbound.service
ExecStartPre=-/home/paulgorman/bin/netns-vpn-up
ExecStart=-/bin/ip netns exec vpn /usr/sbin/unbound -d $DAEMON_OPTS
# systemctl stop unbound
# systemctl daemon-reload
# systemctl start unbound

Remember to update the DHCP server and firewall rules with the new DNS server IP address!

Unbound runs over the VPN, and SSH to Nanook works. Not bad. See `runbook-nanook-debian.txt` for additional details.

Thirty-minute walk. Barely any snow left. Nice to see quite a few people enjoying Beverly Park.

Wrote up a blog post about network namespaces: https://paulgorman.org/technical/blog/20180128152453.html

Lunch: coffee, carrots, macaroni
Dinner: Philly cheesesteak
