What is a Network Namespace?
Network namespaces allow you to have isolated network environments on a single host.
Each namespace has its own interfaces and routing table, separated from other namespaces. In addition, processes on your system can be associated with a specific network namespace.
Network namespaces are used in a variety of projects such as OpenStack, Docker and Mininet. To dive deep into these projects, you’ll have to be familiar with namespaces and know how to work with them.
Working with network namespaces
When Linux starts, you’ll have one namespace on your system, and every newly created process will inherit this namespace from its parent. So, all the processes inherit the network namespace used by init (PID 1).

List namespaces
The way to work with namespaces is by using the ‘ip netns’ command (man ip-netns).
To list all the network namespaces on your system, use ‘ip netns’ or ‘ip netns list’
> ip netns

If you haven’t added any namespace, the output will be empty. The default namespace is not included in ‘ip netns list’ output.
Add namespaces
To add a namespace, use the ‘ip netns add <name>’ command. Let’s give it a try.
> ip netns add mario
> ip netns add luigi

We created two namespaces. One called ‘mario’ and the other called ‘luigi’.

As you can see in the drawing, the new namespaces we just created are separate from the system default namespace.
To ensure they have been created, you can use the ‘ip netns list’ command, as mentioned earlier.
> ip netns list
mario
luigi

Once a namespace is added, a new file is created in ‘/var/run/netns’ with the same name as the namespace. In our case, there should be two files there, one for each namespace we created (again, not including the default namespace).
> ls /var/run/netns
mario luigi

Executing commands in namespaces
To execute commands in a namespace (which is not the ‘default’ namespace) use ‘ip netns exec <namespace> <command>’
> sudo ip netns exec mario ip a
1: lo: <LOOPBACK> mtu 65536 qdisc noop state DOWN qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00

In the above example, we ran the command ‘ip a’ in the namespace ‘mario’. This should give a different result than running it in the default namespace, as each namespace is an isolated environment with its own interfaces and routing table.
It is possible to run a specific command on all existing namespaces using the ‘-all’ flag
> sudo ip -all netns exec ip a
netns: luigi
1: lo: <LOOPBACK> mtu 65536 qdisc noop state DOWN qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
netns: mario
1: lo: <LOOPBACK> mtu 65536 qdisc noop state DOWN qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00

Assign network interface to a specific namespace
This is basically moving interfaces from the default namespace to the namespace you specify.
Let’s say you have a network device called ‘toad’ in your default namespace.
If you want to set ‘toad’ on your namespace ‘x’ rather than on the default namespace, you can use the ‘ip link set’ command.
> sudo ip link set toad netns x

Ping between two namespaces
Let’s take a simple scenario in which we will emulate two nodes (each namespace will represent a node). We’ll connect the two namespaces to a virtual switch and send a ping from one namespace to another.
Add virtual switch
For a virtual switch, I’ll use OpenvSwitch and I’ll create the switch in the default namespace.
But first, let’s install OpenvSwitch and start its service.
> sudo dnf install -y openvswitch
> sudo systemctl start openvswitch

Next, let’s add a new virtual switch. I called it ‘my_switch’ (yes, creativity level over 1000)
> sudo ovs-vsctl add-br my_switch

Verify it was added
> sudo ovs-vsctl show
e72385f-ed0a-40fd-97f3-21d49cbf60f3
    Bridge my_switch
        Port my_switch
            Interface my_switch
                type: internal
    ovs_version: "2.4.0"
> ip a
4: my_switch: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN qlen 1
    link/ether 3a:99:b4:63:f2:47 brd ff:ff:ff:ff:ff:ff

To connect the namespaces to our switch, we’ll use ‘veth’ pairs. Since there is not much documentation on ‘veth’, let’s take a minute to explain what ‘veth’ is.
veth
veth (Virtual Ethernet) is a type of network device which always comes in pairs. You can imagine this pair as a tube. Everything you send through one end of the tube will come out at the other end.
You can see that it always comes in a pair by adding such a device to your system
> sudo ip link add type veth
5: veth0@veth1: <BROADCAST,MULTICAST,M-DOWN> mtu 1500 qdisc noop state DOWN qlen 1000
    link/ether c2:a7:3b:5c:83:d6 brd ff:ff:ff:ff:ff:ff
6: veth1@veth0: <BROADCAST,MULTICAST,M-DOWN> mtu 1500 qdisc noop state DOWN qlen 1000
    link/ether d6:43:5c:3b:d6:4f brd ff:ff:ff:ff:ff:ff

As you can see, there are two devices which compose the pair. Anything sent through veth0@veth1 would come out through veth1@veth0.
Now remove it, since we don’t need it in this form for our example
> sudo ip link del veth0

Removing one of them would also remove the other peer, as they always come in pairs.
Creating veth devices
Now back to connecting the namespaces to our virtual switch.
Let’s create a veth device to connect the ‘mario’ namespace to the virtual switch.
> sudo ip link add mario-netns type veth peer name mario-ovs

This is slightly different from what you saw earlier. Here I specified the name for each end/member of the pair. So ‘mario-netns’ will be in the ‘mario’ namespace and ‘mario-ovs’ will connect to our virtual switch.
Let’s verify it’s been created
> ip a
9: mario-ovs@mario-netns: <BROADCAST,MULTICAST,M-DOWN> mtu 1500 qdisc noop state DOWN qlen 1000
    link/ether 5e:58:bc:b3:f2:8c brd ff:ff:ff:ff:ff:ff
10: mario-netns@mario-ovs: <BROADCAST,MULTICAST,M-DOWN> mtu 1500 qdisc noop state DOWN qlen 1000
    link/ether aa:08:cc:71:43:61 brd ff:ff:ff:ff:ff:ff

Now let’s set ‘mario-netns’ in the ‘mario’ namespace
> sudo ip link set mario-netns netns mario

Remember we said that a namespace is an isolated network environment and that the ‘default’ namespace is separated from other namespaces? If that’s true, you should not see ‘mario-netns’ anymore in the ‘default’ namespace, since we put it in the ‘mario’ namespace
> ip a
9: mario-ovs@if10: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN qlen 1000
    link/ether 5e:58:bc:b3:f2:8c brd ff:ff:ff:ff:ff:ff link-netnsid 0
> ip netns exec mario ip a
1: lo: <LOOPBACK> mtu 65536 qdisc noop state DOWN qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
10: mario-netns@if9: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN qlen 1000
    link/ether aa:08:cc:71:43:61 brd ff:ff:ff:ff:ff:ff link-netnsid 0

As you can see, ‘mario-netns’ is now in the ‘mario’ namespace. That is why you can’t see it in the default namespace.
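The ‘@if10’ and ‘@if9’ suffixes in the listings above are interface indexes: once the two ends of a veth pair sit in different namespaces, each end is shown with the index of its peer instead of the peer’s name. The script below is an added example, not part of the original post, that uses this to work out which default-namespace interface leads into which namespace interface. The function names ‘list_links’ and ‘match_veth’ are made up for this illustration, and the sample input is the output shown above.

```sh
#!/bin/sh
# Sample 'ip a' output (default namespace, then 'mario'), copied from the
# listings above; embedded so the script runs without root or real interfaces.
HOST_DUMP='9: mario-ovs@if10: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN qlen 1000
    link/ether 5e:58:bc:b3:f2:8c brd ff:ff:ff:ff:ff:ff link-netnsid 0'
NS_DUMP='1: lo: <LOOPBACK> mtu 65536 qdisc noop state DOWN qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
10: mario-netns@if9: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN qlen 1000
    link/ether aa:08:cc:71:43:61 brd ff:ff:ff:ff:ff:ff link-netnsid 0'

# list_links DUMP: print "ifindex name peer_ifindex" for each interface line.
# peer_ifindex is "-" when there is no "@ifN" suffix (e.g. lo) or when the
# suffix is a name (peer still in the same namespace, e.g. veth0@veth1).
list_links() {
    printf '%s\n' "$1" | awk '
        /^[0-9]+: / {
            idx = $1; sub(/:$/, "", idx)
            name = $2; sub(/:$/, "", name)
            peer = "-"
            n = index(name, "@")
            if (n > 0) {
                suffix = substr(name, n + 1)
                name = substr(name, 1, n - 1)
                if (suffix ~ /^if[0-9]+$/) peer = substr(suffix, 3)
            }
            print idx, name, peer
        }'
}

# match_veth HOST_DUMP NS_DUMP: print "host_if <-> ns_if" for every pair whose
# indexes point at each other (host.peer == ns.index and ns.peer == host.index).
match_veth() {
    host=$(list_links "$1")
    ns=$(list_links "$2")
    printf '%s\n' "$host" | while read -r hidx hname hpeer; do
        case "$hpeer" in ""|-) continue ;; esac
        printf '%s\n' "$ns" | while read -r nidx nname npeer; do
            if [ "$nidx" = "$hpeer" ] && [ "$npeer" = "$hidx" ]; then
                echo "$hname <-> $nname"
            fi
        done
    done
}

match_veth "$HOST_DUMP" "$NS_DUMP"
```

On a live system, feed it the output of ‘ip a’ and ‘ip netns exec <namespace> ip a’ instead of the embedded samples.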
Now let’s add the other end (mario-ovs) to our virtual switch.
> ovs-vsctl add-port my_switch mario-ovs
> ovs-vsctl show
9e72385f-ed0a-40fd-97f3-21d49cbf60f3
    Bridge my_switch
        Port mario-ovs
            Interface mario-ovs