Welcome to this brief reading of Network namespaces in 5 min. You will find answer for questions like: What are they? How they works? How they can be configured? Reader would need some understanding of Linux. If you want to know more about this sort things check my playlist “Great presentations and demos of K8s and tools” in our Youtube Channel and don’t forget to subscribe.
Namespaces are a feature of the Linux kernel that partitions kernel resources such that one set of processes sees one set of resources while another set of processes sees a different set of resources. Examples of such resources are process IDs, hostnames, user IDs, file names, and some names associated with network access, and interprocess communication.
Network namespaces bring absolute isolation to containers regarding network settings. Network namespaces virtualize the network stack. On creation a network namespace contains only a loopback interface. However, from the underlay host you can see all the namespaces and have the capability to wire them together if it’s required. Then containers will have their own routing and ARP table, firewall rules and socket list, totally isolated from the underlay host. You can exactly attach virtual, as physical interfaces to one namescape and move them between them.
Network namespaces in 5 min: Topology used in this post
Create a network namespace is very simple. You can see the following commands in my Centos7:
# Create two net namespaces called ns01 and ns02 ip netns add ns01 ip netns add ns02
To list your namespaces you just need to type:
ip netns
To check the list of interfaces, arp entries and routes in the namespace you just need to type:
ip netns exec ns01 ip link # or you can use: ip -n ns01 link ip netns exec ns01 arp ip netns exec ns01 route
Connecting namespaces, create a virtual cable between two virtual interfaces and attach those interfaces to each namespace:
ip link add veth-ns01 type veth peer name veth-ns02 ip link set veth-ns01 netns ns01 ip link set veth-ns02 netns ns02 ip -n ns01 addr add 192.168.100.1/24 dev veth-ns01 ip -n ns02 addr add 192.168.100.2/24 dev veth-ns02 ip -n ns01 link set veth-ns01 up ip -n ns02 link set veth-ns02 up
Create Layer-2 virtual network with OpenVSwitch
First of all, install OVS, you can use my tutorial here or any other online support. After this OVS setup, you can create the bridge:
sudo ovs-vsctl add-br int_br
Delete the interfaces we created before to avoid any loop issue.
ip -n ns01 link del veth-ns01
When you delete one interface of the virtual cable, the other is deleted also.
Then, create interfaces attach to those bridges:
ip link add veth-ns01 type veth peer name nat ip link add veth-ns02 type veth peer name ns02_tap ovs-vsctl add-port int_br ns01_tap ovs-vsctl add-port int_br ns02_tap
And then attach those to the the namespaces.
ip link set veth-ns01 netns ns01 ip link set veth-ns02 netns ns02 ip -n ns01 addr add 192.168.100.1/24 dev veth-ns01 ip -n ns02 addr add 192.168.100.2/24 dev veth-ns02 ip -n ns01 link set veth-ns01 up ip -n ns02 link set veth-ns02 up
And the rest is known. You can check the status of the bridge and connected interfaces with:
# ovs-vsctl show
b494c304-46b7-4ff8-9fa4-531452fae2f1
Bridge "int_br"
Port "ns01_tap"
Interface "ns01_tap"
Port "ns02_tap"
Interface "ns02_tap"
Port "int_br"
Interface "int_br"
type: internal
ovs_version: "2.3.0"
If you want now to access the physical network.
Just add an IP address to the internal port int_br and add a NAT rule in your underlay host like this:
ip addr add 192.168.100.254/24 dev int_br iptables -t nat -A POSTROUTING -s 192.168.100.0/24 -j MASQUERADE
And add a route 192.168.100.254/24 as your default gateway for all namespaces like:
ip netns exec ns01 ip route add default via 192.168.100.254 ip netns exec ns02 ip route add default via 192.168.100.254
Thanks for reading our post “Network namespaces in 5 min” and don’t forget to comment. See ya!
