Linux network namespaces
Page 1
Linux Network Namespaces
(and how they are used in Docker vs OpenStack)
Page 2
VRF? (kinda)
Virtual routing and forwarding (VRF) is a technology included in IP (Internet Protocol) network routers that allows multiple instances of a routing table to exist in a router and work simultaneously. This increases functionality by allowing network paths to be segmented without using multiple devices.
Page 3
Namespace = VRF++
Each Linux network namespace has its own set of:
- /proc/net
- connection tracking
- netfilter tables and chains (iptables, ebtables, arptables, …)
- myriad settings: buffers, window sizing, congestion tuning, omg, yes, yes, yes!
- network devices
- routing table
Page 4
Why?
The purpose of the patch series that includes network namespaces is primarily to enable containers, which, just like VMs, provide:
- Isolation
- Resource allocation
- Lightweight++, security-- (when compared to KVM)
Page 5
Small example in C
Full(er) version at: https://github.com/geekinutah/create_net_namespace

```c
// Declarations the slide skipped, filled in so the snippet compiles
#define _GNU_SOURCE
#include <sched.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/wait.h>
#include <unistd.h>

static char child_stack[1048576];

// clone(2) expects int fn(void *); the slide declared it without the argument
static int use_clone(void *arg)
{
    (void)arg;
    printf("Welcome to your new network namespace!\n");
    printf("Here's the new output of 'ip link show'\n");
    system("/sbin/ip link show");   // only lo, and it is DOWN
    printf("\n\n");
    system("/bin/bash");            // interactive shell inside the namespace
    printf("Back to the old namespace.\n");
    return 0;
}

int main(int argc, char **argv)
{
    // Lots of code skipped here
    // Stack grows down, so pass the top of the buffer.
    // CLONE_NEWNET and CLONE_NEWPID need CAP_SYS_ADMIN (or a user namespace).
    pid_t child_pid = clone(use_clone, child_stack + sizeof(child_stack),
                            CLONE_NEWPID | CLONE_NEWNET | SIGCHLD, NULL);
    if (child_pid == -1) {
        perror("clone");
        return 1;
    }
    waitpid(child_pid, NULL, 0);
    return 0;
}
```
Page 6
Using iproute2

```
# ip netns create testing && echo "We have a new namespace."
We have a new namespace
# ls -l /var/run/netns/testing
-r--r--r--. 1 root root 0 Aug 27 15:33 /var/run/netns/testing
# ip netns exec testing ip link show
1: lo: <LOOPBACK> mtu 65536 qdisc noop state DOWN mode DEFAULT group default
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
# ip netns delete testing
# ls -l /var/run/netns/
total 0
```
Page 7
Where is my net namespace?

```bash
#!/bin/bash
# Each process has a magic symlink /proc/<pid>/ns/net; processes that share
# a network namespace resolve it to the same net:[<inode>] target.
PID=$(pgrep "${@}")   # Arg should produce one match
NS=$(ls -1 "/proc/${PID}/ns/net")
echo "${NS} is the file you are looking for"
# What now, symlink $NS to /var/run/netns/a_random_name?
# We could also use nsenter?
```
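An added example, not part of the deck: a Python version of the lookup above that reads /proc/<pid>/ns/net for every process and groups PIDs by namespace inode, which is how to see which processes have been unshared into their own network stack (containers, `ip netns exec` children) and which still share the host's. The `proc_root` parameter is an assumption added so the functions can be pointed at a constructed /proc tree.

```python
"""Map running processes to their network namespaces via /proc/<pid>/ns/net."""
import os
import re
from collections import defaultdict

# Target of the magic symlink looks like "net:[4026531992]"
_NS_RE = re.compile(r"^net:\[(\d+)\]$")


def netns_inode(pid, proc_root="/proc"):
    """Return the network-namespace inode for pid, or None if unreadable.

    Two pids are in the same network namespace iff the inode matches.
    Reading another user's link needs ptrace access, so a PermissionError
    (or a pid that exited meanwhile) is reported as unknown rather than raised.
    """
    try:
        target = os.readlink(os.path.join(proc_root, str(pid), "ns", "net"))
    except OSError:
        return None
    m = _NS_RE.match(target)
    return int(m.group(1)) if m else None


def group_by_netns(proc_root="/proc"):
    """Return {inode: sorted [pids]} for every pid whose ns link is readable."""
    groups = defaultdict(list)
    for entry in os.listdir(proc_root):        # only numeric entries are pids
        if entry.isdigit():
            ino = netns_inode(int(entry), proc_root)
            if ino is not None:
                groups[ino].append(int(entry))
    return {ino: sorted(pids) for ino, pids in groups.items()}


def foreign_namespaces(proc_root="/proc", host_pid=1):
    """Namespaces other than host_pid's: processes running in their own
    network stack. Handy for spotting containers or stray 'ip netns exec'."""
    host = netns_inode(host_pid, proc_root)
    return {ino: pids for ino, pids in group_by_netns(proc_root).items()
            if ino != host}


if __name__ == "__main__":
    for ino, pids in sorted(group_by_netns().items()):
        print(f"net:[{ino}] -> {pids}")
```

Run as root to see every process; unprivileged, you only get your own processes plus any whose ns links happen to be readable.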
Page 8
Docker default mode

Page 9
Docker "shared" networking

Page 10
Docker "none" mode

Page 11
And also... Overlays!!!
(Clouds love them)
Page 12
OpenStack networking
Lots of choices:
- Open vSwitch
- Linuxbridge
- Commercial (several)
Most people use Open vSwitch:
- Free
- Featureful

Page 13
Neutron + Open vSwitch
- Overlays (GRE, VXLAN)
- Provider networks
- External/Floating networks
- Isolation
- Programmable via API
- Decent performance and stability
- Good job Neutron developers!!!
Page 14
OpenStack part 1
In OpenStack, network namespaces are really used to provide just one thing:
Overlapping IP space

Page 15
OpenStack part 2
Two different Neutron agents make use of namespaces:
- neutron-l3-agent
- neutron-dhcp-agent
Page 16
OpenStack part 3
[Diagram of a network node; labels recovered from the slide: eth0, eth1, br-ex, br-int, n Router Namespaces (Namespace A, Namespace B) with qg and qr ports, dnsmasq A and dnsmasq B, Vlan tag 1 and Vlan tag 2]
This is simplified for space; if you look at a network node it will look a bit different.
Page 17
Thank you!
Questions?

Page 18
Appendix
- https://www.openstack.org/assets/presentation-media/HK-Openstack-Namespaces1-.pdf
- https://docs.docker.com/articles/networking/
- https://github.com/geekinutah/create_net_namespace
- https://lwn.net/Articles/531114/