Linux networking 101 : Namespaces

Network namespaces:

A network namespace is a way to create a virtual copy of the network stack that is isolated from the host's stack and from every other namespace.

A network namespace has its own network resources, including its own set of IP addresses, ARP table, routing table, and so on.

Example:

The diagram below shows namespace_A (green) inside a host (blue).


Namespaces creation:

We use the below commands to create the namespaces (A, B, C):

We check if the creation process was successful using the below command:

This command will list all the created namespaces.

When created, a namespace contains only a virtual loopback interface (lo).

For example, the below command lists all the interfaces in the newly created namespace_A:

Executing a command inside a namespace:

To execute a command inside a namespace we use the exec command, so the command runs with that namespace's network stack instead of the host's.

Listing the routing table for namespace_A:

We execute the command "route" inside namespace_A. The routing table has no entries.

Listing the ARP table for namespace_A:

We execute the command "arp" inside namespace_A. The ARP table is also empty.

Connecting three namespaces (A, B, C):

To connect the namespaces so they can communicate with each other, we need a connecting device (a switch or bridge).

The kernel allows us to create a software switch in the host using the below command:

We check if the bridge device was created on the host:

We activate the bridge, and check if the link is up using "ip link":

We create the links that will connect the namespaces to the bridge:

veth: virtual Ethernet interface. A veth is created as a pair of connected endpoints; a frame sent into one end comes out of the other.
We then "plug" the Veth_A end of the link into namespace_A and "plug" the Veth_A_Bridge end of the link into the Bridge_0 (software switch) interface:

We do the same for namespace_B:

And for namespace_C:

As a result we get the below diagram:


Setting IP addresses for the namespaces:

We give the veth interface in each of the three namespaces (A, B, C) an IP address:
Connecting the host interface (eth0) to the namespaces:

To reach the namespaces "namespace_A", "namespace_B" and "namespace_C", the host has to go through the bridge (Bridge_0).

To be able to do that, we need to give the Bridge_0 interface an IP address:

The host can now reach all the namespaces through the bridge interface (Bridge_0).

Accessing a namespace from another host:

Example:

We want to reach another machine from namespace_A, for example.

We add a default route so that packets leaving namespace_A can find their way out through the host.

We also need to activate NAT (Network Address Translation) on eth0 (172.10.1.4). The namespace_A address (172.10.0.1) is internal to the host, so packets leaving namespace_A for another computer are rewritten to use the host address (172.10.1.4) as their source. When the host receives the response, it looks up its NAT table and substitutes the namespace_A address (172.10.0.1) back in as the destination, so the packet reaches namespace_A.

The below command activates the NAT:
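The whole procedure above (create the namespaces, the bridge and the veth pairs, address them, give the host access through Bridge_0, and NAT namespace_A out via eth0) as one POSIX shell script. This is an added example, not code from the original post. It uses the post's names (namespace_A/B/C, Veth_A, Veth_A_Bridge, Bridge_0, eth0 at 172.10.1.4, namespace_A at 172.10.0.1); the addresses for namespace_B, namespace_C and Bridge_0 and the 172.10.0.0/24 prefix are assumptions. With DRY_RUN=1 (the default) it only prints the commands it would run, so it can be read and checked without root.

```shell
#!/bin/sh
# Added example, not from the original post.  Builds the namespace/bridge/
# veth/NAT topology described above.  DRY_RUN=1 prints each command instead
# of executing it; DRY_RUN=0 runs them (needs root and iproute2/iptables).

DRY_RUN="${DRY_RUN:-1}"
BRIDGE=Bridge_0
BRIDGE_IP=172.10.0.254/24   # assumption: the post does not give the bridge address
WAN_IF=eth0                 # host uplink, 172.10.1.4 in the post
NS_SUBNET=172.10.0.0/24     # assumption: prefix holding all namespace addresses

# Print or execute a command depending on DRY_RUN.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Create a namespace; it starts with only a loopback interface, which is down.
create_namespace() {
    run ip netns add "$1"
    run ip netns exec "$1" ip link set lo up
}

# The software switch the namespaces plug into.
create_bridge() {
    run ip link add "$BRIDGE" type bridge
    run ip link set "$BRIDGE" up
}

# Create the veth pair Veth_<X> / Veth_<X>_Bridge, move the Veth_<X> end into
# the namespace, plug the other end into the bridge, then address the
# namespace end.  Interface names must stay under the 16-byte kernel limit.
attach_namespace() {
    ns="$1"; ip_cidr="$2"; letter="$3"
    veth="Veth_$letter"; veth_br="Veth_${letter}_Bridge"
    run ip link add "$veth" type veth peer name "$veth_br"
    run ip link set "$veth" netns "$ns"
    run ip link set "$veth_br" master "$BRIDGE"
    run ip link set "$veth_br" up
    run ip netns exec "$ns" ip addr add "$ip_cidr" dev "$veth"
    run ip netns exec "$ns" ip link set "$veth" up
}

# Give the bridge an address so the host can reach the namespaces, point
# namespace_A's default route at it, and masquerade the namespace subnet
# behind eth0.  Forwarding and the NAT rule are host-wide settings, so the
# rule is restricted to the namespace subnet and the uplink interface.
enable_host_access_and_nat() {
    run ip addr add "$BRIDGE_IP" dev "$BRIDGE"
    gw="${BRIDGE_IP%/*}"
    run ip netns exec namespace_A ip route add default via "$gw"
    run sysctl -w net.ipv4.ip_forward=1
    run iptables -t nat -A POSTROUTING -s "$NS_SUBNET" -o "$WAN_IF" -j MASQUERADE
}

setup_all() {
    create_bridge
    for l in A B C; do create_namespace "namespace_$l"; done
    attach_namespace namespace_A 172.10.0.1/24 A
    attach_namespace namespace_B 172.10.0.2/24 B   # assumed address
    attach_namespace namespace_C 172.10.0.3/24 C   # assumed address
    enable_host_access_and_nat
}

setup_all
```

Run it once with the default DRY_RUN=1 and review the printed commands, then `sudo DRY_RUN=0 sh setup.sh` to apply them. Enabling `net.ipv4.ip_forward` and adding a MASQUERADE rule changes the behaviour of the whole host, not just the namespaces, which is why the rule is scoped with `-s` and `-o`; on a host that already forwards traffic, check the existing `iptables -t nat -S` rules before appending to them.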
