Procd and running within an existing network namespace

Howdy. When attempting to start a service within a network namespace via procd, I'm getting:

Wed Mar 22 01:53:40 2023 daemon.err ip[3945]: setting the network namespace "container" failed: Operation not permitted

However, the namespace does exist.

This can be easily reproduced with the following init script:

#!/bin/sh /etc/rc.common

USE_PROCD=1
START=95
STOP=01

start_service() {
    procd_open_instance
    # Build the command line: ip netns exec container /usr/bin/wg
    procd_set_param command /sbin/ip
    procd_append_param command netns
    procd_append_param command exec
    procd_append_param command container
    procd_append_param command /usr/bin/wg
    procd_close_instance
}

The above ip command does work outside of the init.d script. Any ideas about what is going on? My objective is to run a command within a network namespace, that's all. Thanks for any help.

Some further info. I'm using Onion's build of OpenWrt 18.06 and now I'm beginning to wonder if this is a SECCOMP related issue. From trawling the net I think capabilities are able to be declared when a jail is used, so I'll try that.

I remain mystified though. I would have thought that procd would have provided all privileges to a non-jailed service. Is anyone able to confirm?
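An added diagnostic for the privilege question raised here, not part of the thread: setns(2) into a network namespace requires CAP_SYS_ADMIN in the user namespace that owns the target, so this POSIX sh snippet decodes the CapEff mask from a /proc/PID/status file and reports whether that capability is present. The bit number comes from linux/capability.h; the status fragments are constructed samples.

```sh
#!/bin/sh
# Added example (not from the thread): decode the CapEff mask of a process
# status file and tell whether CAP_SYS_ADMIN is in it. An "Operation not
# permitted" from "ip netns exec" inside a service is a hint that the
# service's effective capability set was reduced before the exec.

CAP_SYS_ADMIN=21            # bit number from linux/capability.h

# cap_in_mask HEXMASK BIT: exit 0 when BIT is set in the 64-bit hex mask
cap_in_mask() {
    mask=$1; bit=$2
    [ $(( (0x$mask >> $bit) & 1 )) -eq 1 ]
}

# capeff_from_status STATUS_TEXT: print the CapEff hex mask found in the text
# (real /proc files separate key and value with a tab; awk splits on either)
capeff_from_status() {
    printf '%s\n' "$1" | awk '/^CapEff:/ { print $2; exit }'
}

# check_status STATUS_TEXT: print "present", "missing" or "unknown" for
# CAP_SYS_ADMIN; exit 0 only when it is present
check_status() {
    mask=$(capeff_from_status "$1")
    if [ -z "$mask" ]; then
        echo "unknown"          # no CapEff line in the input
        return 2
    fi
    if cap_in_mask "$mask" "$CAP_SYS_ADMIN"; then
        echo "present"
    else
        echo "missing"
        return 1
    fi
}

# Constructed sample status fragments
FULL_ROOT="Name: ip
CapEff: 000001ffffffffff"    # everything set, as for an unrestricted root
NO_CAPS="Name: ip
CapEff: 0000000000000000"    # every capability dropped

# When run directly on a Linux host, report on the calling shell itself
if [ -r /proc/self/status ]; then
    check_status "$(cat /proc/self/status)" || :
fi
```

Run it as the same user the service runs as, or point it at /proc/PID/status of the running instance, to see what the command actually had when it failed.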

Two things:

  1. 18.06 has been EOL for several years and is unsupported now.
  2. Since you are not using an official OpenWrt standard release build, you should ask the maintainer of the version you are using for help with your issue. The community here is unlikely to know the details of somebody else’s customized version.

It appears that a reboot fixed it. There must have been some old state, perhaps within the world of ubus. I had previously tried running within a jail and later discovered that my OS build didn't include procd-jail. Hopefully, this dialogue may help someone in future, even with later versions of the OS.
