Network Namespaces

Network Namespaces are used by containers like Docker to implement network isolation.

Containers are separated from the underlying host using namespace.

When you create a container, you want to make sure that it is isolated, that it does not see any other processes on the host or any other containers. So we create a namespace on the host. The container is concerned, it only sees the processes run by it and thinks that it is on its own host.

When it comes to networking, our host has its own interfaces that connect to the local area network. Our host has its own routing and our tables with information about the rest of the network. When the container is created, we create a network namespace for it, that way it has no visibility to any network-related information on the host. Within its namespace, the container can have its own virtual interfaces, routing, and other tables.

To create a new network namespace on a Linux host,

# create network namespace
$ ip netns add red
$ ip netns add blue

# check the namespace
$ ip netns
blue
red

To list the interfaces on the host.

$ ip link
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: enp0s3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000
    link/ether 08:00:27:42:3d:82 brd ff:ff:ff:ff:ff:ff

how do we run the same command within the created namespace?

$  ip netns exec red ip link
1: lo: <LOOPBACK> mtu 65536 qdisc noop state DOWN mode DEFAULT group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00

ip -n red link
1: lo: <LOOPBACK> mtu 65536 qdisc noop state DOWN mode DEFAULT group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00

With network namespaces, we have successfully prevented the container from seeing the host’s interface.

Within the network namespace, there is no network connectivity, they have no interfaces of their own, and they cannot see the underlying host network.

How to check the entries and routing table of machine?

$ arp
Address                  HWtype  HWaddress           Flags Mask            Iface
_gateway                 ether   52:54:00:12:35:02   C                     enp0s3

$ route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         _gateway        0.0.0.0         UG    100    0        0 enp0s3
10.0.2.0        0.0.0.0         255.255.255.0   U     100    0        0 enp0s3
link-local      0.0.0.0         255.255.0.0     U     1000   0        0 enp0s3

Inside the namespace

$ ip netns exec red arp
# Now no entry

$ ip netns exec red route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface

http://manpages.ubuntu.com/manpages/trusty/man8/ip-netns.8.html

You can link two network namespaces

$ ip link add veth-red type veth peer name veth-blue 
$ ip link set veth-red netns red
$ ip link set veth-blue netns blue
$ ip -n red addr add 192.168.15.1/24 dev veth-red
$ ip -n blue addr add 192.168.15.2/24 dev veth-blue
$ ip -n red link set veth-red up
$ ip -n blue link set veth-blue up
$ ip netns exec red ping 192.168.15.2
PING 192.168.15.2 (192.168.15.2) 56(84) bytes of data.
64 bytes from 192.168.15.2: icmp_seq=1 ttl=64 time=0.039 ms
64 bytes from 192.168.15.2: icmp_seq=2 ttl=64 time=0.045 ms
64 bytes from 192.168.15.2: icmp_seq=3 ttl=64 time=0.031 ms
64 bytes from 192.168.15.2: icmp_seq=4 ttl=64 time=0.042 ms

Delete Link pair
$ ip -n red link del veth-red
$ ip -n blue link del veth-blue
# ARP Tables
$ ip netns exec red arp
Address                  HWtype  HWaddress           Flags Mask            Iface
192.168.15.2             ether   52:4f:9d:4d:1d:6a   C                     veth-red

$ ip netns exec blue arp
Address                  HWtype  HWaddress           Flags Mask            Iface
192.168.15.1             ether   3a:b7:64:24:aa:6e   C                     veth-blue

$ ip netns exec blue route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.15.0    0.0.0.0         255.255.255.0   U     0      0        0 veth-blue

$ ip netns exec red route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.15.0    0.0.0.0         255.255.255.0   U     0      0        0 veth-red

If there are more than two namespace, you need a virtual network inside host. Create a network you need a switch. However, create virtual network you need a virtual switch. So you create a virtual switch within our host and connect the namespace us to it.

How do you create a virtual switch between the host?

There are some solutions (Linux bridge, Open vSwitch, etc). To create an internal bridge network, we add a new interface to the host using the ip link

Using ip addr flush will work, but it will also clear any and all addresses set on that interface – possibly including the one that you are using, if you’re logged in to a remote machine. This may lock you out of your device.

RNETLINK answers: File exists happens when you’re trying to add a rule that conflicts with an existing rule. I would guess that OP was encountering this because they had already set the address with ifconfig. This error can usually be resolved by converting the add command to a similarly structured change or replace command.

It’s much safer to use ip addr change or ip addr replace instead.

$ ip link add v-net-0 type bridge
// Our host is concerned, it is just another interface.
$ ip link
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: enp0s3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000
    link/ether 08:00:27:42:3d:82 brd ff:ff:ff:ff:ff:ff
5: v-net-0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN mode DEFAULT group default qlen 1000
    link/ether 66:e3:0a:e2:fe:b1 brd ff:ff:ff:ff:ff:ff

$ ip link set dev v-net-0 up

$ ip link add veth-red type veth peer name veth-red-br
$ ip link add veth-blue type veth peer name veth-blue-br
$ ip link set veth-red netns red
$ ip link set veth-red-br master v-net-0
$ ip link set veth-blue netns blue
$ ip link set veth-blue-br master v-net-0
$ ip -n red addr add 192.168.15.1/24 dev veth-red
$ ip -n blue addr add 192.168.15.2/24 dev veth-blue
$ ip -n red link set veth-red up
$ ip -n blue link set veth-blue up

// Add bridge ip address
$ ip addr add 192.168.15.5/24 dev v-net-0

Check ARP and Route

# ARP Tables
$ ip netns exec red arp
$ ip netns exec blue arp
# Kernel IP routing table
$ ip netns exec blue route
$ ip netns exec red route

Now you can ping red namespace in our Localhost

ping 192.168.15.1

The virtual switch also need the gateway to access outside world.

The localhost is the gateway that connects the two networks

What is a system that has one interface on the network local to the namespace.

network namespace

blue namespace to reach outside.

$ ip netns exec blue ip route add 192.168.1.0/24 via 192.168.15.5
$ iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -j MASQUERADE

blue namespace to reach to internet.

$ ip netns exec blue ip route add default via 192.168.15.5

Another private machine reaches blue namespace network.

ip tables -t nat -A PREROUTING --dport 80 --to-destination 192.168.15.2:80 -j DNAT
//another host machine
$ ip netns exec blue ping 192.168.1.3

// on internet
ip netns exec blue ping 8.8.8.8

Basic information

Routing table

In computer networking a routing table, or routing information base, is a data table stored in a router or a network host that lists the routes to particular network destinations, and in some cases, metrics associated with those routes

Address Resolution Protocol (ARP)

The Address Resolution Protocol (ARP) is a communication protocol used for discovering the link-layer address, such as a MAC address, associated with a given internet layer address, typically an IPv4 address. This mapping is a critical function in the Internet protocol suite. 

$ arp
Address                  HWtype  HWaddress           Flags Mask            Iface
_gateway                 ether   00:1c:42:00:00:18   C                     enp0s5

Leave a Reply

Your email address will not be published.

ANOTE.DEV