Linux Network Namespaces
A namespace is a way of scoping a particular set of identifiers.
Using a namespace, you can use the same identifier multiple times in different namespaces. You can also restrict which identifiers are visible to a particular set of processes.
Introducing Linux Network Namespaces
Linux starts up with a single default (initial) network namespace, so if your operating system does not do anything special, that is where all the network devices will be located. Initially, the set of network interfaces and routing tables/entries is shared across the entire OS.
With network namespaces, you can have different and separate instances of network interfaces and routing tables that operate independently of each other.
Each network namespace also has its own netfilter state: separate iptables/ip6tables (and nftables) rulesets and its own conntrack table. Firewall rules loaded in the host namespace do not apply to traffic inside another namespace; each namespace has to be firewalled on its own.
Creating and Listing Network Namespaces
$ sudo ip netns add <new namespace name>
For example, create a namespace called "blue" and list the namespaces:
$ sudo ip netns add blue
$ ip netns list
blue
Assigning Interfaces to Network Namespaces
A physical interface can be moved into a network namespace (ip link set eth0 netns blue), but a physical NIC can live in only one namespace at a time. The usual way to connect a namespace to the rest of the system, and through it to the physical network, is a virtual Ethernet (veth) pair. Virtual Ethernet interfaces always come in pairs, and they are connected like a pipe: whatever goes in one veth interface comes out of the other (peer) veth interface.
First, create the veth pair:
$ sudo ip link add veth0 type veth peer name veth1
Both interfaces veth0/veth1 are created and linked automatically by this command.
Verify that the veth pair was created:
$ sudo ip link | grep veth
9: veth1@veth0: <BROADCAST,MULTICAST,M-DOWN> mtu 1500 qdisc noop state DOWN mode DEFAULT group default qlen 1000
10: veth0@veth1: <BROADCAST,MULTICAST,M-DOWN> mtu 1500 qdisc noop state DOWN mode DEFAULT group default qlen 1000
Right now, they both belong to the "default" or "global" namespace.
Assign the interface veth1 to the network namespace blue:
$ sudo ip link set veth1 netns blue
Now the veth1 interface has disappeared from the host's list; it is in the blue namespace:
$ sudo ip link | grep veth
10: veth0@if9: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN mode DEFAULT group default qlen 1000
$ sudo ip netns exec blue ip link list
1: lo: <LOOPBACK> mtu 65536 qdisc noop state DOWN mode DEFAULT group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
9: veth1@if10: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN mode DEFAULT group default qlen 1000
    link/ether ea:1b:f1:70:67:bb brd ff:ff:ff:ff:ff:ff link-netnsid 0
Configuring Interfaces in Network Namespaces
Any given Linux process runs in exactly one network namespace. By default this is inherited from its parent process, but a process with the right capability (CAP_SYS_ADMIN) can switch itself into a different namespace with setns(2); in practice this is mostly done using:
$ sudo ip netns exec NETNS COMMAND
"ip netns exec" runs COMMAND (and any children it spawns) inside the network namespace NETNS. (nsenter --net=/var/run/netns/NETNS does the same thing.)
When a process in that namespace sends a packet to an IP address x.x.x.x, x.x.x.x is looked up in that namespace's routing table, and that lookup determines which of the namespace's network devices the packet is transmitted through. The host's routes and interfaces play no part.
Now, to configure the veth1 interface in the blue namespace:
$ sudo ip netns exec blue ip addr add 10.1.1.1/24 dev veth1
$ sudo ip netns exec blue ip link set dev veth1 up
$ sudo ip netns exec blue ip a show veth1
9: veth1@if10: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state LOWERLAYERDOWN group default qlen 1000
    link/ether ea:1b:f1:70:67:bb brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 10.1.1.1/24 scope global veth1
       valid_lft forever preferred_lft forever
Verify how network namespaces keep the network configuration separate:
$ ip route
default via 192.168.168.1 dev eno1 proto dhcp metric 100
10.46.74.0/24 dev mpqemubr0 proto kernel scope link src 10.46.74.1 linkdown
192.168.168.0/24 dev eno1 proto kernel scope link src 192.168.168.123 metric 100
$ sudo ip netns exec blue ip route
10.1.1.0/24 dev veth1 proto kernel scope link src 10.1.1.1 linkdown
Connecting Network Namespaces to the Physical Network
Bring up the interfaces in the namespace (lo as well, or local traffic inside the namespace will not work):
$ sudo ip netns exec blue ip link set lo up
$ sudo ip netns exec blue ip link set veth1 up
Notice that veth1 is not reachable from the host network namespace: veth0, the host end of the pair, is still down and has no address, so the host has no route to 10.1.1.0/24 and the ping leaves through the default route and never gets an answer. Inside the namespace the same address answers immediately:
$ ping -c 1 10.1.1.1
PING 10.1.1.1 (10.1.1.1) 56(84) bytes of data.
--- 10.1.1.1 ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 0ms
$ sudo ip netns exec blue ping -c 1 10.1.1.1
PING 10.1.1.1 (10.1.1.1) 56(84) bytes of data.
64 bytes from 10.1.1.1: icmp_seq=1 ttl=64 time=0.028 ms
--- 10.1.1.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.028/0.028/0.028/0.000 ms
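The steps above, carried through to the point the section heading promises, as an added example script that is not part of the original article. It creates the blue namespace and the veth pair, gives both ends an address (the host end, veth0, is the piece the article leaves unconfigured, which is why the host ping above fails), checks reachability in both directions, shows that the namespace has its own routing table and its own iptables ruleset, and tears everything down. The namespace and interface names and the 10.1.1.0/24 network are the article's; the host-side address 10.1.1.2, the optional UPLINK interface used for NAT to the physical network, and the DRY_RUN switch are assumptions of this example. Real mode needs root (CAP_NET_ADMIN); DRY_RUN=1 only prints the command sequence.

```bash
#!/usr/bin/env bash
# Added example: end-to-end setup, verification and teardown of the article's
# "blue" namespace. Not code from the original article. Host address 10.1.1.2,
# UPLINK and DRY_RUN are assumptions of this example.
set -eu

NS=${NS:-blue}
HOST_IF=${HOST_IF:-veth0}            # host end of the veth pair
NS_IF=${NS_IF:-veth1}                # end moved into $NS
HOST_ADDR=${HOST_ADDR:-10.1.1.2/24}  # assumed; the article never addresses veth0
NS_ADDR=${NS_ADDR:-10.1.1.1/24}
NS_NET=${NS_NET:-10.1.1.0/24}
UPLINK=${UPLINK:-}                   # e.g. eno1; empty = no NAT to the physical net
DRY_RUN=${DRY_RUN:-0}                # 1 = print the commands instead of running them

# Every privileged command goes through run(), so DRY_RUN=1 shows the exact
# sequence without root. "ip -n NS" is shorthand for "ip netns exec NS ip".
run() {
  if [ "$DRY_RUN" = 1 ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

netns_setup() {
  run ip netns add "$NS"
  run ip link add "$HOST_IF" type veth peer name "$NS_IF"
  run ip link set "$NS_IF" netns "$NS"
  # Host end: address + up. This is the step that gives the host a route to
  # $NS_NET; without it the article's ping from the host cannot succeed.
  run ip addr add "$HOST_ADDR" dev "$HOST_IF"
  run ip link set "$HOST_IF" up
  # Namespace end: loopback, address, up, default route via the host end.
  run ip -n "$NS" link set lo up
  run ip -n "$NS" addr add "$NS_ADDR" dev "$NS_IF"
  run ip -n "$NS" link set "$NS_IF" up
  run ip -n "$NS" route add default via "${HOST_ADDR%/*}"
  if [ -n "$UPLINK" ]; then
    # Reach the physical network through the host: forward between the veth
    # and the uplink, and masquerade the namespace's source addresses.
    run sysctl -qw net.ipv4.ip_forward=1
    run iptables -t nat -A POSTROUTING -s "$NS_NET" -o "$UPLINK" -j MASQUERADE
    run iptables -A FORWARD -i "$HOST_IF" -o "$UPLINK" -j ACCEPT
    run iptables -A FORWARD -i "$UPLINK" -o "$HOST_IF" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  fi
}

netns_verify() {
  # Host -> namespace and namespace -> host must both answer now.
  run ping -c 1 -W 1 "${NS_ADDR%/*}"
  run ip netns exec "$NS" ping -c 1 -W 1 "${HOST_ADDR%/*}"
  # Separate routing table and separate netfilter rules per namespace:
  # the host's iptables rules do not show up here.
  run ip -n "$NS" route
  run ip netns exec "$NS" iptables -S
}

netns_teardown() {
  if [ -n "$UPLINK" ]; then
    run iptables -t nat -D POSTROUTING -s "$NS_NET" -o "$UPLINK" -j MASQUERADE
    run iptables -D FORWARD -i "$HOST_IF" -o "$UPLINK" -j ACCEPT
    run iptables -D FORWARD -i "$UPLINK" -o "$HOST_IF" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  fi
  # Deleting the namespace destroys veth1; the kernel removes its peer veth0 too.
  run ip netns del "$NS"
}

# Dispatch only when an action is given, so the file can also be sourced.
if [ $# -gt 0 ]; then
  case "$1" in
    setup)    netns_setup ;;
    verify)   netns_verify ;;
    teardown) netns_teardown ;;
    *)        echo "usage: $0 {setup|verify|teardown}" >&2; exit 2 ;;
  esac
fi
```

Usage: `sudo ./netns-blue.sh setup && sudo ./netns-blue.sh verify`, then `sudo ./netns-blue.sh teardown`; add `UPLINK=eno1` to the environment to give the namespace NAT access to the physical network, and `DRY_RUN=1` to review the commands first. The FORWARD rules are deliberately narrow (only the veth-to-uplink direction is opened unconditionally) so that putting a namespace on the network does not also expose the host's other interfaces to it.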