Linux networking 101 : Namespaces
Network namespaces:
A network namespace is a way to create a virtual copy of a network stack and isolate it from the existing network stacks.
A network namespace will have its own network resources including a set of IP addresses, ARP table, routing table, ...
Example:
The diagram below shows namespace_A (green) inside a host (blue).
Namespaces creation:
We use the below commands to create the namespaces (A, B, C)
We check if the creation process was successful using the below command:
This command will list all the created namespaces.
When created, a namespace has a virtual loopback interface (lo) by default.
For example the below command lists all the interfaces in the newly created namespace_A:
Executing a command inside a namespace:
To execute a command inside a namespace we use the exec command.
We executed the command "route" inside the namespace_A.
The routing table will have no entries.
Listing the routing table for the namespace_A:
We executed the command "arp" inside the namespace_A.
The arp table will also be empty.
Connecting three namespaces (A, B, C):
To connect the namespaces so they can communicate with each other, we need a connecting device (switch/bridge).
The kernel allows us to create a software switch in the host using the below command:
We check if the bridge device was created on the host:
We activate the bridge, and check if the link is up using "ip link":
We create the link that will connect the namespaces to the bridge:
veth : virtual ethernet interface.
We then "plug" the Veth_A end of the link into namespace_A and "plug" the Veth_A_Bridge end of the link into the bridge_0 (software switch) interface:
We do the same for the namespace B:
And for the namespace_C:
As a result we get the below diagram:
Setting IP addresses for the namespaces:
We give the veth interface in each of the three namespaces (A, B, C) an IP address:
To connect to the namespaces "namespace_A", "namespace_B" and "namespace_C", the host needs to go through the bridge (Bridge_0).
To be able to do that, we need to give the Bridge_0 interface an IP address:
The host can now access all the namespaces through the bridge interface (Bridge_0).
Accessing a namespace from another host:
Example:
We want to access another machine from namespace_A, for example.
We add a default route, which allows the packets coming from namespace_A to find their way outside.
We also need to activate NAT (network address translation) on eth0 (172.10.1.4). Because the namespace_A address is internal to the host, packets leaving namespace_A for another computer use the host address (172.10.1.4) when leaving. When the host receives the response, it looks at its NAT table and substitutes its address with the namespace_A address (172.10.0.1) so the packet can reach namespace_A.
The below command activates the NAT:
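The whole procedure above, from namespace creation to NAT, as one script; this is an added example and not the original post's commands. It prints the commands as a dry run unless run as root with APPLY=1. Assumptions not on the page: the /24 prefix, the addresses of namespace_B and namespace_C, the bridge address 172.10.0.254, enabling ip_forward, and iptables as the NAT tool.

```shell
#!/bin/sh
# Added example. Dry run by default (prints each command); APPLY=1 as root executes.
APPLY=${APPLY:-0}
BRIDGE=bridge_0
BRIDGE_IP=172.10.0.254   # assumed, not given on the page
PREFIX=24                # assumed
SUBNET=172.10.0.0/24     # assumed, follows from the prefix above
UPLINK=eth0              # host interface (172.10.1.4 on the page)

run() {
    if [ "$APPLY" = 1 ]; then "$@"; else printf '%s\n' "$*"; fi
}

# Address per namespace: A is from the page, B and C are assumed.
ns_ip() {
    case "$1" in
        A) echo 172.10.0.1 ;;
        B) echo 172.10.0.2 ;;
        C) echo 172.10.0.3 ;;
    esac
}

build_topology() {
    run ip link add name "$BRIDGE" type bridge
    run ip link set "$BRIDGE" up
    run ip addr add "$BRIDGE_IP/$PREFIX" dev "$BRIDGE"
    for n in A B C; do
        ns="namespace_$n"
        run ip netns add "$ns"
        run ip link add "Veth_$n" type veth peer name "Veth_${n}_Bridge"
        run ip link set "Veth_$n" netns "$ns"                # one end into the namespace
        run ip link set "Veth_${n}_Bridge" master "$BRIDGE"  # other end onto the bridge
        run ip link set "Veth_${n}_Bridge" up
        run ip netns exec "$ns" ip link set lo up
        run ip netns exec "$ns" ip link set "Veth_$n" up
        run ip netns exec "$ns" ip addr add "$(ns_ip "$n")/$PREFIX" dev "Veth_$n"
    done
}

# Outbound access for namespace_A: default route via the bridge, then NAT on the uplink.
enable_outbound() {
    run ip netns exec namespace_A ip route add default via "$BRIDGE_IP"
    run sysctl -w net.ipv4.ip_forward=1   # the host must forward for NAT to carry traffic
    # Masquerade only the namespace subnet, not everything leaving the uplink.
    run iptables -t nat -A POSTROUTING -s "$SUBNET" -o "$UPLINK" -j MASQUERADE
}

build_topology
enable_outbound
```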