| author | James O'Doherty <james@theodohertyfamily.com> | 2026-05-22 11:12:21 -0400 |
|---|---|---|
| committer | James O'Doherty <james@theodohertyfamily.com> | 2026-05-22 11:12:21 -0400 |
| commit | 3b56ccecf46b83fa9b0e4b6c54be6ffda395910c (patch) | |
| tree | 2a4f7b8598cfdfaec2627ec13d4bfb30c14e28fd /README.md | |
| parent | cefff85a054d64f124aa1f3e91b9425695aa210b (diff) | |
Implement automatic namespace lifecycle cleanup with last-man-out reference counting
Diffstat (limited to 'README.md')
| -rw-r--r-- | README.md | 7 |
1 files changed, 5 insertions, 2 deletions
@@ -130,8 +130,11 @@ Routing traffic to the VPN doesn't guarantee DNS is routed. - **User Control**: Provide a flag (e.g., `--dns-server <IP>`) to allow the user to override the fallback and specify their own trusted resolver. ### 3. Namespace Lifecycle -Network namespaces can leak if not managed. -- **Action**: The controller must monitor the target process and explicitly tear down the TUN device and close the namespace on exit. +Network namespaces can leak if not managed. To prevent this, `wg-wrap` implements a "last-man-out" reference counting system: +- **Tracking**: Every process using a profile creates a PID file in `/run/user/$UID/wg-wrap/profiles/<name>/pids/`. +- **Automatic Cleanup**: When a process exits, it removes its PID file. If no PID files remain for a profile, `wg-wrap` automatically unpins the namespace and terminates the associated userspace WireGuard process. +- **Resilience**: Stale PID files (from crashed processes) are pruned during the initial join sequence of any new process. +- **Manual Override**: The controller also provides `wg-wrap profile stop <name>` to force the immediate teardown of a profile's namespace. ### 4. User Namespace Sequence To create a network namespace without root, you must create a user namespace first. |
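Review bot: The Resilience bullet prunes stale PID files only during the join sequence of a new process, so when the last user of a profile crashes, its PID file stays behind and the namespace and userspace WireGuard process remain up until another process joins or someone runs `wg-wrap profile stop <name>`. The section opens by saying the scheme prevents leaks, so the README should state this limit explicitly. The Automatic Cleanup bullet also does not say how the "no PID files remain" check is serialized against a concurrent join that is creating its PID file under `pids/`; please document the lock or ordering that keeps teardown from racing a join. It would also help to say how a PID file is judged stale, since a PID on its own can be reused by an unrelated process after a crash.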
