Closed mgaulton closed 5 years ago
To reenter the root namespace, you need something like nsenter -m -n -t 1 -- mycommand. See man 1 nsenter for details.
You can use socat with unix domain sockets to cross network namespace boundaries, although it's a bit awkward and I can't find the recipe I was using. Try modifying the examples here: https://stackoverflow.com/questions/2149564/redirecting-tcp-traffic-to-a-unix-domain-socket-under-linux
So this works so far. I think I was down the same path as you. I hadn't thought of nsenter, derp. Thank you for that.
https://coderwall.com/p/c3wyzq/forwarding-tcp-traffic-to-a-unix-socket as long as it's from inside.
ip netns exec vpn socat -d -d -lf /tmp/socatinside.log TCP4-LISTEN:8182,reuseaddr,fork,tcpwrap=socat UNIX-CONNECT:/home/vpnuser/sbsocket &
I may have spoken too soon, it's not working lol. Deluge calls nzbToMedia but it can't talk to SickChill :(
Can't they be configured to use sockets instead of ports?
Not that I've noticed. Or I don't know how to do it.
This seems to be doing the trick now, keeping an eye on it.
ip netns exec vpn socat TCP-LISTEN:8182,fork,reuseaddr UNIX-CONNECT:/home/vpnuser/sbsocket &
socat UNIX-LISTEN:/home/vpnuser/sbsocket,fork,reuseaddr TCP:localhost:8182 &
After having used this for a period of time, the socat config above performs the task. Thank you.
So after running this config for a while, I'm finding it doesn't seem to be stable. Some of the ports just aren't behaving :( I'm poking at it again.
Hey, I've run into something interesting where I have a tool that needs access to both the service inside and a different service on the outside of the namespace. I've exposed the namespace service ports IN the root namespace, so I need to be launching the processes external to the namespace, from inside.
App launches external process that checks files and communicates status of download to both the App and the App in the root namespace. Currently, App in the root namespace is invisible. I've attempted to find a socat config to expose just that one port, but not having luck.
I'm using a socat config to expose the namespace ports to the root namespace for the control interfaces.
I can't find if there's a way to launch an external process in a different namespace from inside the namespace. ip netns only lists the vpn namespace as available.
ip netns exec - where - is a reference to the root namespace.
Any thoughts?
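The two socat halves from this thread, rewritten as a small Python relay. This is an added example, not code posted by anyone in the thread, and the function names are assumptions. It shows why the bridge crosses the boundary (a pathname socket lives in the filesystem, which both network namespaces see) and creates the socket file as 0600 so that only its owner can reach the bridged port.

```python
import contextlib, os, socket, threading

def _pump(src, dst):                        # copy one direction until EOF
    with contextlib.suppress(OSError):
        while chunk := src.recv(65536):
            dst.sendall(chunk)
    with contextlib.suppress(OSError):
        dst.shutdown(socket.SHUT_WR)        # pass the EOF on to the peer

def _bridge(a, b):
    back = threading.Thread(target=_pump, args=(b, a), daemon=True)
    back.start()
    _pump(a, b)
    back.join()
    a.close(); b.close()

def _serve(listener, family, target):       # like socat's "fork" option
    with contextlib.suppress(OSError):      # accept() fails once the listener is closed
        while True:
            client, _ = listener.accept()
            upstream = socket.socket(family, socket.SOCK_STREAM)
            try:
                upstream.connect(target)
            except OSError:
                client.close(); upstream.close()   # upstream down: keep serving
                continue
            threading.Thread(target=_bridge, args=(client, upstream), daemon=True).start()

def unix_to_tcp(sock_path, host, port):
    """Half that runs beside the service: UNIX-LISTEN:sock_path -> TCP:host:port."""
    with contextlib.suppress(FileNotFoundError):
        os.unlink(sock_path)                # stale socket from an earlier run
    lst = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    old = os.umask(0o177)                   # socket file is created 0600 (umask is process-wide)
    try:
        lst.bind(sock_path)
    finally:
        os.umask(old)
    lst.listen(16)
    threading.Thread(target=_serve, args=(lst, socket.AF_INET, (host, port)), daemon=True).start()
    return lst

def tcp_to_unix(port, sock_path, bind_addr="127.0.0.1"):
    """Half that runs beside the client: TCP-LISTEN:port -> UNIX-CONNECT:sock_path."""
    lst = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    lst.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    lst.bind((bind_addr, port))             # loopback only; port 0 picks a free port
    lst.listen(16)
    threading.Thread(target=_serve, args=(lst, socket.AF_UNIX, sock_path), daemon=True).start()
    return lst
```

In the layout used above, the `tcp_to_unix` half would be started under `ip netns exec vpn` and the `unix_to_tcp` half in the root namespace, both pointing at the same socket path.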