From 63a464431bfa4168d381901c62e51048113d130c Mon Sep 17 00:00:00 2001
From: Erik Arvstedt
Date: Tue, 3 Nov 2020 21:54:13 +0100
Subject: [PATCH 1/2] netns: fail when netns already exists

Under normal circumstances, service-specific netns should never exist before the netns setup service starts. An existing netns is a genuine error that should not be silently ignored.
---
 modules/netns-isolation.nix | 1 -
 1 file changed, 1 deletion(-)

diff --git a/modules/netns-isolation.nix b/modules/netns-isolation.nix
index 9f49cef..d29d7a7 100644
--- a/modules/netns-isolation.nix
+++ b/modules/netns-isolation.nix
@@ -152,7 +152,6 @@ in {
       requiredBy = bindsTo;
       before = bindsTo;
       script = ''
-        ${ip} netns delete ${netnsName} 2> /dev/null || true
         ${ip} netns add ${netnsName}
         ${ipNetns} link set lo up
         ${ip} link add ${veth} type veth peer name ${peer}

From 0972af55f16815c61626359be71cacf650d6400d Mon Sep 17 00:00:00 2001
From: Erik Arvstedt
Date: Tue, 3 Nov 2020 21:54:14 +0100
Subject: [PATCH 2/2] netns: fix setup service restarts

---
 modules/netns-isolation.nix | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/modules/netns-isolation.nix b/modules/netns-isolation.nix
index d29d7a7..915852c 100644
--- a/modules/netns-isolation.nix
+++ b/modules/netns-isolation.nix
@@ -172,8 +172,13 @@ in {
         ${netnsIptables} -w -A INPUT -s ${allowedAddresses} -j ACCEPT
         ${netnsIptables} -w -A OUTPUT -d ${allowedAddresses} -j ACCEPT
       '';
+      # Link deletion is implicit in netns deletion, but it sometimes only happens
+      # after `netns delete` finishes. Add an extra `link del` to ensure that
+      # the link is deleted before the service stops, which is needed for service
+      # restart to succeed.
       preStop = ''
         ${ip} netns delete ${netnsName}
+        ${ip} link del ${peer} 2> /dev/null || true
       '';
       serviceConfig = {
         Type = "oneshot";
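Review bot: With the pre-emptive `netns delete` removed, the "namespace already exists" case is now reported only through `ip netns add`'s own error text, and the hunk relies implicitly on the `script` body aborting at that first failed command (NixOS runs `script` under a shell with `-e`, so this should hold, but nothing in the hunk says so). Since a pre-existing namespace under this name is exactly the situation where the service would otherwise have attached its veth and iptables rules to a namespace it did not create, an explicit, descriptive failure seems worth one line: `${ip} netns add ${netnsName} || { echo "netns ${netnsName} already exists or could not be created; refusing to start" >&2; exit 1; }`. Note that the remaining `${ip} link add ${veth} ...` line will likely now fail in the same way on a leftover `${peer}` from an unclean stop, which is worth a short comment so operators recognise the symptom. The `script` body continues past the end of the hunk.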
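Review bot: The new comment above `preStop` describes the symptom but not the mechanism, so a reader may assume `netns delete` is supposed to remove links and that the extra `link del` papers over a bug; suggest wording along the lines of `# ip netns delete only removes the namespace's name; the kernel frees the namespace, and with it the veth pair, asynchronously once its last reference is gone. Deleting ${peer} from the root namespace explicitly makes the cleanup synchronous, which a following ip link add ${veth} ... on restart depends on.`. The added `2> /dev/null || true` also hides every failure of `link del`, not only the expected "device already gone" case; if that is the only case to tolerate, `if ${ip} link show ${peer} > /dev/null 2>&1; then ${ip} link del ${peer}; fi` keeps genuine errors (for example a permission or netlink failure) visible in the journal while still succeeding when the link is already gone.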