On 5/30/17 4:07 PM, Harald Welte wrote:
> In case you're wondering what I'm actually trying to achieve: Find
> an easy way to run a single program in an isolated namespace that only
> has one physical (usb) ethernet device. I would like to execute that
> program as unprivileged user but still be able to bind to privileged
> ports. And I want to do this using simple command-line tools without
> all the bloat and overhead of "container" solutions that have 99% of
> features I don't need. But let that not distract you, I think the
> mysteriously disappearing netdevices are a more general and important
> issue.
An alternative approach is to create a bridge and add the usb ethernet device to it. As you want to launch a program, create a veth pair. Put one end into the bridge, and the other end into the new network namespace. All of this can be scripted quite easily with 'ip' - including configuring the veth device pushed into the namespace and running the command. Use unshare for the other namespaces.
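The bridge-plus-veth setup the reply describes, as an added shell example that is not code from the thread. The device, bridge, veth and namespace names, the sample address, and the use of util-linux setpriv to drop to an unprivileged user while keeping only CAP_NET_BIND_SERVICE are assumptions; DRYRUN=1 prints the commands instead of running them (real runs need root).

```sh
#!/bin/sh
# Added example, not code from the thread. Assumed names: USB NIC "usbeth0",
# bridge "br0", veth pair "veth0"/"veth1", netns "isolated"; the address is a
# constructed TEST-NET-1 sample. Real runs need root; DRYRUN=1 only prints.
set -eu

UPLINK="${UPLINK:-usbeth0}"
BR="${BR:-br0}"
NS="${NS:-isolated}"
HOST_END="${HOST_END:-veth0}"
NS_END="${NS_END:-veth1}"
NS_ADDR="${NS_ADDR:-192.0.2.10/24}"
NS_GW="${NS_GW:-192.0.2.1}"

# Execute a command, or print it verbatim when DRYRUN=1.
run() {
  if [ "${DRYRUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Bridge the USB NIC, create the veth pair, push one end into a new netns
# and configure it there: the steps the reply lists, all done with 'ip'.
setup_netns() {
  run ip link add "$BR" type bridge
  run ip link set "$UPLINK" master "$BR"
  run ip link set "$UPLINK" up
  run ip link set "$BR" up
  run ip link add "$HOST_END" type veth peer name "$NS_END"
  run ip link set "$HOST_END" master "$BR"
  run ip link set "$HOST_END" up
  run ip netns add "$NS"
  run ip link set "$NS_END" netns "$NS"
  run ip -n "$NS" link set lo up
  run ip -n "$NS" addr add "$NS_ADDR" dev "$NS_END"
  run ip -n "$NS" link set "$NS_END" up
  run ip -n "$NS" route add default via "$NS_GW"
}
# Run PROGRAM inside the netns as UID; unshare supplies the private mount and
# PID namespaces. Assumes setpriv with ambient-capability support, so only
# CAP_NET_BIND_SERVICE survives the uid change and privileged ports still bind.
run_in_netns() {
  uid="$1"; shift
  run ip netns exec "$NS" unshare --mount --pid --fork --mount-proc \
    setpriv --reuid="$uid" --regid="$uid" --clear-groups \
      --inh-caps=+net_bind_service --ambient-caps=+net_bind_service "$@"
}

case "${1:-}" in
  setup) setup_netns ;;
  run)   shift; run_in_netns "$@" ;;
esac
```

Invoke as `./script.sh setup` once, then `./script.sh run 1000 /path/to/program` for each launch.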