Snappy

Please support network namespaces in an interface

Bug #1624675 reported by Jamie Strandboge on 2016-09-17

This bug affects 3 people

Affects		Status	Importance	Assigned to	Milestone
	Snappy	Fix Released	High	Jamie Strandboge

Bug Description

Tracking bug to allow snaps to create network namespaces that can be used by the system and other snaps.

Tags:

Jamie Strandboge (jdstrand) on 2016-09-17

tags:	added: snapd-interface
Changed in snappy:
status:	New → Triaged
importance:	Undecided → High

Revision history for this message

Zygmunt Krynicki (zyga) wrote on 2016-09-17:

This feels blocked by bidirectional mount propagation events as otherwise no matter what one snap creates no other snap can see. I would like to do this after we sort out more flexible mount namespace configuration in snap-confine.

Revision history for this message

Zygmunt Krynicki (zyga) wrote on 2016-11-25:

This is no longer blocked and we have a plan on how to implement it (via bidirectionally mounted directory that "ip netns" uses.

Revision history for this message

Zygmunt Krynicki (zyga) wrote on 2016-11-25:

Thinking about this I think we should do the same for the network namespace to what we do to the mount namespace. We could use it to let snaps "reign free" in their namespace if their want to (using raw low level tools and appropriate interfaces) or let snapd manage it (e.g. with mandatory firewall, etc). What do you think Jamie?

Jamie Strandboge (jdstrand) on 2016-12-07

Changed in snappy:
assignee:	nobody → Jamie Strandboge (jdstrand)
status:	Triaged → In Progress

Revision history for this message

Jamie Strandboge (jdstrand) wrote on 2016-12-08:

Zygmunt, what you suggested in comment #3 is a different feature (per-snap network namespaces). This bug is about having an interface that allows a snap to manage network namespaces for the system and for other snaps to use. As such, let's keep snaps in the global network namespace and focus on letting snaps add, remove and attach to network namespaces via the 'ip netns' command (the standard tool for managing network namespaces). In that light, preliminary testing shows that using the bidirectional mount work you did for /media for /run/netns works.

As for per-snap namespaces, I'd rather not go that route until we have a clear need since it will immensely complicate network management, snap connections and general integration of snaps into the system. We'll have fine-grained network mediation in AppArmor in the fullness of time and between that feature and fixing this bug, that should cover pretty much everything we need for network mediation of snaps while still having them properly integrate into the system. If there are use cases beyond those that require per-snap network namespaces, we can investigate them when they arise and build on what we learn here.

Revision history for this message

Jamie Strandboge (jdstrand) wrote on 2016-12-10:

https://github.com/snapcore/snapd/pull/2450

Revision history for this message

Jamie Strandboge (jdstrand) wrote on 2016-12-14:

FYI, this is now supported in master via the 'network-control' interface. During PR review, Gustavo and I agreed that this didn't need to be broken out into a separate interface after all.

summary:	- Please add network-namespace interface + Please support network namespaces in an interface
Changed in snappy:
status:	In Progress → Fix Committed

Jean-Baptiste Lallement (jibel) on 2016-12-16

no longer affects:

snapd (Ubuntu)

Revision history for this message

Jamie Strandboge (jdstrand) wrote on 2017-01-05:

2.20 fixes this issue as described in comment #6.

Changed in snappy:
status:	Fix Committed → Fix Released

Report a bug

This report contains Public information

Everyone can see this information.

Duplicates of this bug

Bug #1645407

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.