Linux network namespaces isolate the system resources associated with networking.
When using Kubernetes, or containers in general, Linux network namespaces are one of the building blocks of the solution.
Since I wanted to understand more about how things work behind the scenes when using containers, Linux network namespaces were a good place to start.
Steps that will be followed in this post:
network namespaces ns0 and ns1 will be created
two pairs of interconnected virtual ethernet devices will be created
one interface from each virtual ethernet device pair will be moved to a dedicated network namespace
communication between network namespaces ns0 and ns1 will be configured
All commands will be issued on test server named labserver.
Diagram representing the setup that will be implemented:
Network namespace creation
# Add network namespace ns0
ip netns add ns0
# Add network namespace ns1
ip netns add ns1
# Create interconnected pair of virtual ethernet devices veth11 and veth12
ip link add veth11 type veth peer name veth12
# Create interconnected pair of virtual ethernet devices veth21 and veth22
ip link add veth21 type veth peer name veth22
The newly added virtual ethernet devices are visible in the default network namespace:
root@labserver:~# ip link
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: enp1s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000
link/ether 52:54:00:66:51:0b brd ff:ff:ff:ff:ff:ff
3: veth12@veth11: <BROADCAST,MULTICAST,M-DOWN> mtu 1500 qdisc noop state DOWN mode DEFAULT group default qlen 1000
link/ether d2:da:cb:17:81:4b brd ff:ff:ff:ff:ff:ff
4: veth11@veth12: <BROADCAST,MULTICAST,M-DOWN> mtu 1500 qdisc noop state DOWN mode DEFAULT group default qlen 1000
link/ether a6:1f:af:5a:d8:e7 brd ff:ff:ff:ff:ff:ff
5: veth22@veth21: <BROADCAST,MULTICAST,M-DOWN> mtu 1500 qdisc noop state DOWN mode DEFAULT group default qlen 1000
link/ether ba:ae:87:e9:fd:e0 brd ff:ff:ff:ff:ff:ff
6: veth21@veth22: <BROADCAST,MULTICAST,M-DOWN> mtu 1500 qdisc noop state DOWN mode DEFAULT group default qlen 1000
link/ether 0e:b6:8a:ca:5c:b5 brd ff:ff:ff:ff:ff:ff
Associate devices with network namespaces
Move devices veth12 and veth22 to dedicated network namespaces:
# Associate virtual ethernet device veth12 with network namespace ns0
ip link set veth12 netns ns0
# Associate virtual ethernet device veth22 with network namespace ns1
ip link set veth22 netns ns1
At this point devices veth12 and veth22 are no longer listed in the default network namespace:
root@labserver:~# ip link
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: enp1s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000
link/ether 52:54:00:66:51:0b brd ff:ff:ff:ff:ff:ff
4: veth11@if3: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN mode DEFAULT group default qlen 1000
link/ether a6:1f:af:5a:d8:e7 brd ff:ff:ff:ff:ff:ff link-netns ns0
6: veth21@if5: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN mode DEFAULT group default qlen 1000
link/ether 0e:b6:8a:ca:5c:b5 brd ff:ff:ff:ff:ff:ff link-netns ns1
Devices veth12 and veth22 are visible in the namespaces to which they were moved:
root@labserver:~# ip netns exec ns0 ip link
1: lo: <LOOPBACK> mtu 65536 qdisc noop state DOWN mode DEFAULT group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
3: veth12@if4: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN mode DEFAULT group default qlen 1000
link/ether d2:da:cb:17:81:4b brd ff:ff:ff:ff:ff:ff link-netnsid 0
root@labserver:~# ip netns exec ns1 ip link
1: lo: <LOOPBACK> mtu 65536 qdisc noop state DOWN mode DEFAULT group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
5: veth22@if6: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN mode DEFAULT group default qlen 1000
link/ether ba:ae:87:e9:fd:e0 brd ff:ff:ff:ff:ff:ff link-netnsid 0
Set IP addresses on the interconnected pair of virtual ethernet devices veth11 and veth12:
# In network namespace ns0 set ip address on interface veth12
ip netns exec ns0 ip addr add 10.1.10.2/24 dev veth12
ip netns exec ns0 ip link set dev veth12 up
# In default network namespace set ip address on interface veth11
ip addr add 10.1.10.1/24 dev veth11
ip link set dev veth11 up
Set IP addresses on the interconnected pair of virtual ethernet devices veth21 and veth22:
# In network namespace ns1 set ip address on interface veth22
ip netns exec ns1 ip addr add 10.1.20.2/24 dev veth22
ip netns exec ns1 ip link set dev veth22 up
# In default network namespace set ip address on interface veth21
ip addr add 10.1.20.1/24 dev veth21
ip link set dev veth21 up
Verify communication from default network namespace
Communication from the default network namespace towards namespaces ns0 and ns1 is working:
root@labserver:~# ping 10.1.10.2 -c 2
PING 10.1.10.2 (10.1.10.2) 56(84) bytes of data.
64 bytes from 10.1.10.2: icmp_seq=1 ttl=64 time=0.071 ms
64 bytes from 10.1.10.2: icmp_seq=2 ttl=64 time=0.068 ms
--- 10.1.10.2 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1005ms
rtt min/avg/max/mdev = 0.068/0.069/0.071/0.001 ms
root@labserver:~# ping 10.1.20.2 -c 2
PING 10.1.20.2 (10.1.20.2) 56(84) bytes of data.
64 bytes from 10.1.20.2: icmp_seq=1 ttl=64 time=0.045 ms
64 bytes from 10.1.20.2: icmp_seq=2 ttl=64 time=0.072 ms
--- 10.1.20.2 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1025ms
rtt min/avg/max/mdev = 0.045/0.058/0.072/0.013 ms
Communication between namespaces ns0 and ns1 is not working: each namespace only has the connected route for its own /24, so there is no route to the other namespace's subnet:
root@labserver:~# ip netns exec ns0 ping 10.1.20.2
ping: connect: Network is unreachable
root@labserver:~# ip netns exec ns1 ping 10.1.10.2
ping: connect: Network is unreachable
Communication between namespaces ns0 and ns1
To allow namespaces ns0 and ns1 to communicate with each other, IP forwarding will be enabled on labserver
and the required routes will be added to each namespace.
Sample commands:
# In network namespace ns0 add route towards subnet 10.1.20.0/24 (subnet in namespace ns1)
# pointing to IP address configured on veth11 in default network namespace
ip netns exec ns0 ip route add 10.1.20.0/24 via 10.1.10.1
# In network namespace ns1 add route towards subnet 10.1.10.0/24 (subnet in namespace ns0)
# pointing to IP address configured on veth21 in default network namespace
ip netns exec ns1 ip route add 10.1.10.0/24 via 10.1.20.1
# Enable ip forwarding on the host
sysctl -w net.ipv4.ip_forward=1
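The steps above, gathered into one script with a teardown and a small check helper. This is an added example, not the post's own code; the namespace names, device names and addresses are the post's, while DRY_RUN, run, setup_pair, setup_lab, enable_routing, teardown_lab and iface_in_listing are names chosen here. With DRY_RUN=1 the script prints the commands instead of executing them, so the plan can be reviewed on a machine without root; applying it needs root on a Linux host. Two things worth remembering when reproducing this: net.ipv4.ip_forward is a host-wide setting (it turns labserver into a router between all of its interfaces, not only these two veth pairs), and sysctl -w does not survive a reboot, so the script saves the previous value and restores it on teardown.

```shell
#!/bin/sh
# Added example: the ns0/ns1 lab as shell functions with teardown and a check.
# Names and addresses follow the post; DRY_RUN, run, setup_pair, setup_lab,
# enable_routing, teardown_lab and iface_in_listing are names chosen here.
# DRY_RUN=1 prints each command instead of executing it (no root needed).

DRY_RUN="${DRY_RUN:-0}"

# Execute a command, or print it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Create one veth pair, move one end into the target namespace and address
# both ends. $1 namespace, $2 host-side device, $3 namespace-side device,
# $4 host-side address/prefix, $5 namespace-side address/prefix.
setup_pair() {
    ns="$1"; host_if="$2"; ns_if="$3"; host_ip="$4"; ns_ip="$5"
    run ip link add "$host_if" type veth peer name "$ns_if"
    run ip link set "$ns_if" netns "$ns"
    run ip netns exec "$ns" ip addr add "$ns_ip" dev "$ns_if"
    run ip netns exec "$ns" ip link set dev "$ns_if" up
    run ip addr add "$host_ip" dev "$host_if"
    run ip link set dev "$host_if" up
}

# Namespaces, veth pairs and addresses (the first three steps of the post).
setup_lab() {
    run ip netns add ns0
    run ip netns add ns1
    setup_pair ns0 veth11 veth12 10.1.10.1/24 10.1.10.2/24
    setup_pair ns1 veth21 veth22 10.1.20.1/24 10.1.20.2/24
}

# Routes in each namespace plus forwarding on the host. Until this runs the
# namespaces can only reach the host. ip_forward is host-wide, so its previous
# value is saved for teardown (defaults to 0 if it cannot be read).
enable_routing() {
    SAVED_FORWARD="$(sysctl -n net.ipv4.ip_forward 2>/dev/null || echo 0)"
    run ip netns exec ns0 ip route add 10.1.20.0/24 via 10.1.10.1
    run ip netns exec ns1 ip route add 10.1.10.0/24 via 10.1.20.1
    run sysctl -w net.ipv4.ip_forward=1
}

# Deleting a namespace removes the veth end inside it, which also destroys
# its peer in the default namespace, so only the namespaces need deleting.
teardown_lab() {
    run ip netns del ns0
    run ip netns del ns1
    run sysctl -w "net.ipv4.ip_forward=${SAVED_FORWARD:-0}"
}

# Check that device $1 appears in an `ip -o link` listing read from stdin,
# e.g.  ip netns exec ns0 ip -o link | iface_in_listing veth12
iface_in_listing() {
    grep -q "^[0-9][0-9]*: $1[@:]"
}

# Usage: sh lab.sh up | down   (prefix with DRY_RUN=1 to print the plan only)
case "${1:-}" in
    up)   setup_lab; enable_routing ;;
    down) teardown_lab ;;
esac
```

Run it as `DRY_RUN=1 sh lab.sh up` first to see the exact command sequence, then `sudo sh lab.sh up` and `sudo sh lab.sh down` on the lab host. The `iface_in_listing` helper reads the `ip -o link` output of whichever namespace you pipe in, so the move of veth12 into ns0 can be confirmed from a script rather than by eye.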
Communication between namespaces ns0 and ns1 via the default network namespace is working now (the TTL of 63 in the replies shows that they were forwarded through one hop, the default namespace):
root@labserver:~# ip netns exec ns0 ping 10.1.20.2 -c 2
PING 10.1.20.2 (10.1.20.2) 56(84) bytes of data.
64 bytes from 10.1.20.2: icmp_seq=1 ttl=63 time=0.219 ms
64 bytes from 10.1.20.2: icmp_seq=2 ttl=63 time=0.147 ms
--- 10.1.20.2 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1017ms
rtt min/avg/max/mdev = 0.147/0.183/0.219/0.036 ms
root@labserver:~# ip netns exec ns0 ip address
1: lo: <LOOPBACK> mtu 65536 qdisc noop state DOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
3: veth12@if4: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
link/ether 1a:1d:61:99:92:72 brd ff:ff:ff:ff:ff:ff link-netnsid 0
inet 10.1.10.2/24 scope global veth12
valid_lft forever preferred_lft forever
inet6 fe80::181d:61ff:fe99:9272/64 scope link
valid_lft forever preferred_lft forever
root@labserver:~# ip netns exec ns0 ip route
10.1.10.0/24 dev veth12 proto kernel scope link src 10.1.10.2
10.1.20.0/24 via 10.1.10.1 dev veth12