Abstract UNIX Socket

Abstract UNIX sockets are linux specific extension and are documented alongside standard pathname sockets at unix(7).

Properties

Compared to pathname sockets they have two interesting properties:

  1. The socket is automatically released by the kernel when the owning process exits.

    Standard UNIX sockets backed by a file must be explicitly unlinked unlink.

  2. They exist in an abstract namespace which is independent of the file system unix(7).

How do I listen on abstract socket?

An abstract socket address is distinguished (from a pathname socket) by the fact that sun_path[0] is a null byte (‘0’).

unix(7)

Example:

import socket
s = socket(AF_UNIX)
s.bind("\0" + "foo")
#      ^      ^
#      |      +- the actual socket name
#      +- the NUL byte identifying an abstract socket

How does the socket name behave with respect to / and ..?

These are not special as documented in unix(7).

The following socket paths refer to different sockets:

  • /foo/bar

  • /foo/qux/../bar

  • /foo/./bar

  • /foo/bar/

How do I list listening abstract unix sockets?

iproute2 provides command ss to investigate sockets. With options -l filtering to listening sockets and -x filtering to unix sockets.

Abstract sockets are not documented in ss(8) and they not seem to be filterable by its argv but testing shows that ss -lx shows abstract sockets as well as pathname sockets with abstract sockets being distinguished by @ prefix.

In the following example output the first socket is abstract and the second one is pathname:

root@a5195a41505e:~# ss -lx
Netid State      Recv-Q Send-Q     Local Address:Port          Peer Address:Port
u_str UNCONN     0      0                  @/foo 142423056                * 0
u_str UNCONN     0      0                   /foo 142418390                * 0

Do identical socket names refer to identical socket in docker?

Since I expect the sockets to be part of the network namespace namespaces(7), the behavior will depend on the network mode docker-run(1) (--network) used to run a container.

  1. host network

    Identical names in different containers refer to the identical socket.

    i.e. when process in one container binds to a socket name, another process can not bind the same socket name even in different container.

  2. bridge network (default)

    Identical paths in different containers refer to different sockets.

    i.e. when process in one container binds to a socket path, another process in different container can bind the same socket path and their sockets are isolated to their containers.