How to access an unnamed network namespace

naming-netns.md

Some programs might create network namespaces without registering them in /run/netns as iproute2 does. This makes it hard to access them with readily available tools like ip netns exec. However, there is a way to register those network namespace, after they have been created.

The following session creates and enters an unnamed namespace:

# unshare -n bash
# ip a l
1: lo: <LOOPBACK> mtu 65536 qdisc noop state DOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
# echo $$
6508

The pid is the only information which we need. Of course we could also gather that by using ps auxf or a variety of other methods.

Now, to register the namespace, we can run the following in another shell:

# touch /run/netns/new_namespace
# mount -o bind /proc/6508/ns/net /run/netns/new_namespace

After this is done, we can access it like any other network namespace created by iproute2:

# ip netns exec unnamed1 bash
# ip link set lo up

And now, if we run ip a l again in the shell we spawned with unshare:

# ip a l
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever

For more information, have a look at the way iproute2 creates the namespace: https://git.kernel.org/pub/scm/network/iproute2/iproute2.git/tree/ip/ipnetns.c#n635

Alternatively, I think you can run ip netns attach new_namespace 6508 to avoid having to manually create the namespace file and bind mounting it. Thanks for sharing this information!

Alternatively, you can also do nsenter --net=/proc/PID/ns/net <COMMAND TO EXECUTE>.

It is the most elegant solution in my opinion, as it leaves the host system untouched.