running a process from inside network namespace
This is the second part of the previous post about network namespaces. A quick reminder: in the previous post we went through the process of creating the namespace `ns101`, from which we could reach hosts on the internet.
Continuing from this point, let's say that we would also like to run a browser or any other process that has a GUI.
To do that, we have to grant access to the X11 server, which can be done with the `xhost` command. For this particular case, we type:
```bash
# print the current display and save this information
$ echo $DISPLAY
# let local (non-network) clients connect to the X server
$ sudo -u $USER xhost +local:$USER
# open a shell inside ns101
$ sudo ip netns exec ns101 bash
# check if bash is running in ns101
$ ps
# save the PID number from the previous command
$ ip netns identify bash_pid # ==> expected: ns101
# replace :1 with the output of `echo $DISPLAY`; in my case it was :1
$ export DISPLAY=:1
```
Now you can `sudo -u $USER` inside the namespace and run whatever you like.
```bash
# run the program inside ns101 as your own user rather than as root
$ sudo ip netns exec ns101 sudo -u $USER vivaldi
```
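As an added example (not part of the original post), the two helpers below check what the procedure depends on: which entries the X server access list now contains, and whether a PID really sits in the intended namespace. The `LOCAL:` family covers every local user, while `xhost +si:localuser:NAME` admits a single user. The function names, the sample output and the `/run/netns/ns101` path are assumptions.

```bash
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical.

# Read `xhost` output on stdin and print every entry that admits more than
# one named local user.
xhost_broad_entries() {
    while IFS= read -r line; do
        case "$line" in
            "access control disabled"*) echo "$line" ;;  # any client may connect
            LOCAL:*)                    echo "$line" ;;  # every local user
            INET:*|INET6:*)             echo "$line" ;;  # clients on a remote host
            SI:localuser:*)             ;;               # one named user only
        esac
    done
}

# Succeed (0) if process $1 is in the network namespace whose handle is $2,
# e.g. /run/netns/ns101 (assumed path). Returns 1 on mismatch and 2 if a
# path is missing or unreadable. Compares device and inode numbers of the
# two namespace files.
pid_in_netns() {
    [ -e "/proc/$1/ns/net" ] && [ -e "$2" ] || return 2
    _a=$(stat -Lc '%d:%i' "/proc/$1/ns/net") || return 2
    _b=$(stat -Lc '%d:%i' "$2") || return 2
    [ "$_a" = "$_b" ]
}

# Constructed sample: what `xhost` lists after the `xhost +local:` step.
SAMPLE_XHOST='access control enabled, only authorized clients can connect
LOCAL:
SI:localuser:alice'

# Prints the broad entry found in the sample.
printf '%s\n' "$SAMPLE_XHOST" | xhost_broad_entries
```

On a live system, pipe the real list in with `xhost | xhost_broad_entries` and call `pid_in_netns <bash_pid> /run/netns/ns101`. Once the GUI program is closed, `xhost -local:` removes the `LOCAL:` entry again.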
### Troubleshooting
I've seen the following message while trying to run `firefox` from `ns101`.
internal error, please report: running "firefox" failed: cannot find tracking cgroup
After a few searches I found the following solution: https://forum.snapcraft.io/t/solved-launching-snaps-in-network-namespace-fails-with-error-cannot-find-tracking-cgroup/31113/4.
From inside `ns101`:
```bash
$ sudo mount -t cgroup2 cgroup2 /sys/fs/cgroup
$ sudo mount -t securityfs securityfs /sys/kernel/security/
```
Voilà!