Name the network namespace in one step

[evanlinde]

The following lines from [email protected] can be replaced with the single command ip netns attach %I {pid} (using any pid in the service's network namespace) whenever it's safe to depend on iproute2 5.x.

Existing lines:

ExecStart=/usr/bin/flock --no-fork -- /var/run/netns.lock /usr/bin/env ip netns add %I
ExecStart=/usr/bin/env umount /var/run/netns/%I
ExecStart=/usr/bin/env mount --bind /proc/self/ns/net /var/run/netns/%I

Replacement:

ExecStart=/usr/bin/env sh -c '/usr/bin/env ip netns attach %I $$$$'

(Systemd parses $$ down to $, so $$$$ lets the shell process see $$.)

The ip netns attach command was committed in early 2019 (see https://git.kernel.org/pub/scm/network/iproute2/iproute2.git/commit/?id=e3dbcb2a12ab1bda3de6f9f61f4dfca182ec8a4c), so there are still supported systems (e.g. RHEL/CentOS 7.x) that don't have it.

SELinux didn't like the netns bind mount on my system, but didn't complain about ip netns attach.

[Jamesits]

Thank you for the information! This script dates back to 2017 so I didn't have these commands at the time of writing. I'll have a look at the implementation of ip netns attach.