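#!/bin/sh

# This file is in the public domain.
#
# Shell script to set up one instance of a network namespace.
# Used by buildslaves to avoid port conflicts.
#
# Usage: netjail.sh COMMAND [ARG...]
#
# The arguments are the command (and arguments to the
# command) to be run in the network namespace (i.e. 'make check').
#
# Must run with enough privilege to create namespaces and links (normally
# via sudo); expects the bridge named below to exist (see netjail-init.sh).
#

set -eu
set -x

# Be extra safe, even though sudo should already do this.
export PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"

# See netjail-init.sh
BRIDGE=builderbridge

# Generate random ID for namespace: 4 bytes from /dev/urandom as 8 hex
# digits.  Reading exactly 4 bytes (-N 4) yields a single data line, so no
# 'head' is needed and od cannot be cut short by SIGPIPE.  $2 and $3 are
# the two 16-bit words on od's first output line.
NSUID=$(od -x -N 4 /dev/urandom | awk 'NR==1 {print $2$3}')

NSNAME=buildernet-$NSUID
TAP=tap-$NSUID
BRTAP=br-tap-$NSUID

# Undo partial setup if any step below fails, so a failed run does not leave
# a stray namespace or veth pair behind.  Deleting one veth end removes the
# pair; errors are ignored because an object may not have been created yet.
cleanup() {
  ip link delete "$BRTAP" 2>/dev/null || true
  ip netns delete "$NSNAME" 2>/dev/null || true
}
trap cleanup EXIT

# Create network namespace
ip netns add "$NSNAME"

# Setup link to our bridge
ip link add "$TAP" type veth peer name "$BRTAP"
#brctl addif "$BRIDGE" "$BRTAP"
ip link set dev "$BRTAP" master "$BRIDGE"
ip link set "$TAP" netns "$NSNAME"
ip link set dev "$BRTAP" up

# Setup succeeded: the namespace must outlive this script, so clear the
# cleanup trap before exec (some shells run the EXIT trap on exec).
trap - EXIT

# Execute netjail-privdrop in a process namespace, but do not mount proc yet,
# so that we can still "nsenter" the root NS to drop the
# [sentence truncated in the original; presumably "privileges" -- confirm]
exec unshare -fp --kill-child -- ip netns exec "$NSNAME" netjail-privdrop.sh "$NSUID" "$@"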