Network namespaces in 5 min

Welcome to this brief reading of Network namespaces in 5 min. You will find answer for questions like: What are they? How they works? How they can be configured? Reader would need some understanding of Linux. If you want to know more about this sort things check my playlist “Great presentations and demos of K8s and tools” in our Youtube Channel and don’t forget to subscribe.

Namespaces are a feature of the Linux kernel that partitions kernel resources such that one set of processes sees one set of resources while another set of processes sees a different set of resources. Examples of such resources are process IDs, hostnames, user IDs, file names, and some names associated with network access, and interprocess communication.

Network namespaces bring absolute isolation to containers regarding network settings. Network namespaces virtualize the network stack. On creation a network namespace contains only a loopback interface. However, from the underlay host you can see all the namespaces and have the capability to wire them together if it’s required. Then containers will have their own routing and ARP table, firewall rules and socket list,  totally isolated from the underlay host. You can exactly attach virtual, as physical interfaces to one namescape and move them between them.

Network namespaces in 5 min: Topology used in this post

Create a network namespace is very simple. You can see the following commands in my Centos7:

# Create two net namespaces called ns01 and ns02
ip netns add ns01
ip netns add ns02

To list your namespaces you just need to type:

ip netns

To check the list of interfaces, arp entries and routes in the namespace you just need to type: 

ip netns exec ns01 ip link
# or you can use: ip -n ns01 link
ip netns exec ns01 arp
ip netns exec ns01 route

Connecting namespaces, create a virtual cable between two virtual interfaces and attach those interfaces to each namespace:

ip link add veth-ns01 type veth peer name veth-ns02
ip link set veth-ns01 netns ns01
ip link set veth-ns02 netns ns02
ip -n ns01 addr add 192.168.100.1/24 dev veth-ns01
ip -n ns02 addr add 192.168.100.2/24 dev veth-ns02
ip -n ns01 link set veth-ns01 up
ip -n ns02 link set veth-ns02 up

Create Layer-2 virtual network with OpenVSwitch

First of all, install OVS, you can use my tutorial here or any other online support. After this OVS setup, you can create the bridge:

sudo ovs-vsctl add-br int_br

Delete the interfaces we created before to avoid any loop issue.

ip -n ns01 link del veth-ns01

When you delete one interface of the virtual cable, the other is deleted also.

Then, create interfaces attach to those bridges:

ip link add veth-ns01 type veth peer name nat
ip link add veth-ns02 type veth peer name ns02_tap
ovs-vsctl add-port int_br ns01_tap
ovs-vsctl add-port int_br ns02_tap

And then attach those to the the namespaces.

ip link set veth-ns01 netns ns01
ip link set veth-ns02 netns ns02
ip -n ns01 addr add 192.168.100.1/24 dev veth-ns01
ip -n ns02 addr add 192.168.100.2/24 dev veth-ns02
ip -n ns01 link set veth-ns01 up
ip -n ns02 link set veth-ns02 up

And the rest is known. You can check the status of the bridge and connected interfaces with:

# ovs-vsctl show
b494c304-46b7-4ff8-9fa4-531452fae2f1
    Bridge "int_br"
        Port "ns01_tap"
            Interface "ns01_tap"
        Port "ns02_tap"
            Interface "ns02_tap"
        Port "int_br"
            Interface "int_br"
                type: internal
    ovs_version: "2.3.0"

If you want now to access the physical network.

Just add an IP address to the internal port int_br and add a NAT rule in your underlay host like this:

ip addr add 192.168.100.254/24 dev int_br
iptables -t nat -A POSTROUTING -s 192.168.100.0/24 -j MASQUERADE

And add a route 192.168.100.254/24 as your default gateway for all namespaces like:

ip netns exec ns01 ip route add default via 192.168.100.254
ip netns exec ns02 ip route add default via 192.168.100.254

Thanks for reading our post “Network namespaces in 5 min”  and don’t forget to comment. See ya!

Leave a Reply

Your email address will not be published. Required fields are marked *