Hi Lisa, On Sun, 6 Jul 2025 19:08:46 +0200 Lisa Gnedt via user wrote:

Hi,

On 2025-07-06 17:15, Lisa Gnedt wrote:

...

It might be easier to get it correct when directly controlling all syscalls involved and not have to mix and match multiple tools. Since Linux 4.9 it seems to be possible to get the owning user namespace of a network namespace with the ioctl NS_GET_USERNS [3].

I just wrote a hacky patch as proof-of-concept of this idea. It is working for me fine in both testcases. However, in its current form it breaks the --userns parameter. But it should not be too hard to address this issue.

I am not sure, what kernel version compatibility you are targeting, since the ioctl is only available since Linux 4.9.

Thanks for reporting this and for the draft. I didn't look into your issue and patch yet, I plan to get to it later today, but just as a quick answer to this point: the earlier the better, not everything is reasonable, but 4.9 should be. And yes, patches for compatibility are always warmly welcome. -- Stefano