race condition in `child_process_create_ns` when creating namespaces concurrently

[uniquefine]

child_process_create_ns has a race when it's called in parallel.

This can be observed when creating two non-conflicting namespaces at the same time e.g. in two concurrently running tests.
The error is rtnetlink::ns: mkdir error: EEXIST: File exists.

There are two races

1. When creating the directory here
2. When the mount is set up here

Expected behavior

Creating multiple namespaces concurrently should succeed.
Only the mount initialization needs serialization; namespace file creation is already safe.

Suggested fix

1. Ignore EEXIST errors when creating the directory /run/netns/
2. Take an exclusive file lock on /run/netns/ before configuring the mount

This is actually the behavior of iproute2.

Would you accept a PR? I can open one implementing this if desired.

[cathay4t]

I prefer option 2) (flock). Yes, PR is appreciated.

[uniquefine]

Thank you for the quick feedback!
I think you need both 1. and 2..
What would use use as file lock otherwise?

1. Try to create the directory,
   • if this returns EEXIST, someone else created the directory -> ignore
2. Acquire the file lock
   • if the mount is not already set up, set up the mount
   • release the lock
3. Create the NS file

I'll create a PR then 👍