Share unix-domain sockets between namespaces created by "ip netns"?
Is it possible to share unix-domain sockets between namespaces created by `ip netns`?
My default namespace is connected to an internal network. I have a namespace named `inet`, which has access to the internet. I'd like to run a browser in the `inet` namespace and connect to it via VNC from the internal network. But the problem is that the connection from the browser to the VNC server is a unix domain socket, which is technically a form of networking. Since the browser and the X11/VNC server are in different network namespaces, they can't communicate.
Is there any way to share unix domain sockets between two network namespaces?
```
$ netstat --unix -lpn| grep X11
unix 2 [ ACC ] STREAM LISTENING 31239 3247/Xtigervnc /tmp/.X11-unix/X1
unix 2 [ ACC ] STREAM LISTENING 31238 3247/Xtigervnc @/tmp/.X11-unix/X1
$ ip netns
inet (id: 0)
$ sudo ip netns exec inet netstat --unix -lpn
Active UNIX domain sockets (only servers)
Proto RefCnt Flags Type State I-Node PID/Program name Path
$ sudo ip netns exec inet sh -c 'DISPLAY=:1 xmessage foo'
No protocol specified
Error: Can't open display: :1
```
Solution 1:[1]
Unix domain sockets are not affected by your network namespace. If we create two namespaces:
```
ip netns add ns1
ip netns add ns2
```
And then create a unix socket in one:
```
ip netns exec ns1 socat unix-listen:/tmp/mysocket -
```
We can connect to that from another namespace without a problem:
```
ip netns exec ns2 socat - unix-connect:/tmp/mysocket
```
And communicate just fine. Unix sockets are bound to the filesystem, not the network environment (this fact is often used to communicate between containers by placing unix sockets on a shared volume).
Furthermore, on my system, we see:
```
$ netstat --unix -lpn |grep X11
unix 2 [ ACC ] STREAM LISTENING 100157 11744/Xorg @/tmp/.X11-unix/X1
unix 2 [ ACC ] STREAM LISTENING 100158 11744/Xorg /tmp/.X11-unix/X1
```
And also:
```
$ sudo ip netns exec ns1 netstat --unix -lpn
Active UNIX domain sockets (only servers)
Proto RefCnt Flags Type State I-Node PID/Program name Path
$
```
But this works just fine:
```
$ sudo ip netns exec ns1 sh -c 'DISPLAY=:1 xmessage foo'
```
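The netstat listings above show two kinds of address: a pathname socket (`/tmp/.X11-unix/X1`) and an abstract one (`@/tmp/.X11-unix/X1`). As an added example, not part of the original answer, this Python probe connects to one of each from a child in a fresh network namespace: the pathname socket stays reachable because it lives in the filesystem, while the abstract socket does not, since Linux scopes abstract addresses to the network namespace. It assumes Linux with unprivileged user namespaces enabled; the function names, socket names and temp path are made up for the demonstration.

```python
import ctypes, os, socket, tempfile

CLONE_NEWUSER, CLONE_NEWNET = 0x10000000, 0x40000000  # values from <sched.h>

def _can_connect(addr):
    """Return True if a stream connect() to the unix address succeeds."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        try:
            s.connect(addr)
            return True
        except OSError:
            return False

def probe_from_new_netns():
    """Listen on a pathname and an abstract socket, then try both from a
    child in a new network namespace. Returns {'pathname': bool,
    'abstract': bool}, or None if this host does not permit unshare()."""
    tmp = tempfile.mkdtemp()
    path = os.path.join(tmp, "demo.sock")        # constructed pathname address
    abstract = b"\0netns-demo-%d" % os.getpid()  # leading NUL = abstract address
    listeners = []
    for addr in (path, abstract):
        s = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        s.bind(addr)
        s.listen(1)
        listeners.append(s)
    r, w = os.pipe()
    pid = os.fork()
    if pid == 0:  # child: leave the parent's network namespace
        code = b"E"
        try:
            libc = ctypes.CDLL(None, use_errno=True)
            if libc.unshare(CLONE_NEWUSER | CLONE_NEWNET) == 0:
                code = b"%d%d" % (_can_connect(path), _can_connect(abstract))
        finally:
            os.write(w, code)
            os._exit(0)
    os.close(w)
    out = os.read(r, 2)
    os.close(r)
    os.waitpid(pid, 0)
    for s in listeners:
        s.close()
    os.unlink(path)
    os.rmdir(tmp)
    if out == b"E":
        return None
    return {"pathname": out[0:1] == b"1", "abstract": out[1:2] == b"1"}
```

For isolation purposes this means a network namespace alone does not cut a process off from pathname sockets; that takes a separate mount namespace or file permissions on the socket path.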
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow