Docker or container runtimes implement multiple namespaces. For example, docker uses user, ipc, mount namespaces… and network namespaces.
Namespaces are one of fundamentals about containerization on linux based. Second important tools are cgroups of course.
But namespaces provide you the capacity to isolate process. Without isolation, no containerization. And the network namespace allow you to create a dedicated network for your process. By this way, the process see only its own localhost (127.0.0.1) and its interface connected o the bridge.
So, to begin, I think it’s a good idea to discover how to install some network namespaces and a bridge like docker does for you so easily.
Go go go !!
Discover this post in video tutorial here
Let’s define some variables
You’ll see it below, we’ll need to us and re-use many command line.
To avoid to edit again and again same values or if you want to change its, start by defining variables.
## Namespaces
NS1="x1"
NS2="x2"
## vethernet
VETH1="xeth1"
VETH2="xeth2"
## interfaces in ns
VPEER1="xpeer1"
VPEER2="xpeer2"
# ip provide for each interface
VPEER_ADDR1="10.11.0.10"
VPEER_ADDR2="10.11.0.20"
## bridge specifications
BR_ADDR="10.11.0.1"
BR_DEV="xavki0"
With that we have defined our namespaces name, our vethenet (those are as wire between namespace interface en the bridge), our vpeer (namespace interfaces), ip for each vpeer and finally the bridge.
With that we have defined our namespaces name, our vethenet (those are as wire between namespace interface en the bridge), our vpeer (namespace interfaces), ip for each vpeer and finally the bridge.
Remember that a bridge is like a virtual switch. You plug it on virtual or physical interface and create like a subnet behind it.
Create and configure our namespaces
I hope that you love the CLI ip netns ;)
## namespace creation
ip netns add $NS1
ip netns add $NS2
## create vethernet and plug it to interfaces
ip link add ${VETH1} type veth peer name ${VPEER1}
ip link add ${VETH2} type veth peer name ${VPEER2}
## add interfaces in each network
ip link set ${VPEER1} netns ${NS1}
ip link set ${VPEER2} netns ${NS2}
## activate vethernet
ip link set ${VETH1} up
ip link set ${VETH2} up
ip --netns ${NS1} a
ip --netns ${NS2} a
## activate all interfaces in each ns
ip netns exec ${NS1} ip link set lo up
ip netns exec ${NS2} ip link set lo up
ip netns exec ${NS1} ip link set ${VPEER1} up
ip netns exec ${NS2} ip link set ${VPEER2} up
## define an ip for each interface
ip netns exec ${NS1} ip addr add ${VPEER_ADDR1}/16 dev ${VPEER1}
ip netns exec ${NS2} ip addr add ${VPEER_ADDR2}/16 dev ${VPEER2}
So in the previous code :
- we create our namespaces
- we create our vethernet and plug it on namespace interface
- we add interfaces on each namespace
- we activate vethernets, loopbacks and interfaces
- and set the ip for each interface
And now it’s time for the bridge
That’s it for namespaces but we need to plug on the bridge.
## create and activate the bridge xavki0
ip link add ${BR_DEV} type bridge
ip link set ${BR_DEV} up
## plug vethernet on the common bridge
ip link set ${VETH1} master ${BR_DEV}
ip link set ${VETH2} master ${BR_DEV}
## add an ip on the bridge
ip addr add ${BR_ADDR}/16 dev ${BR_DEV}
## add the default route in each namespace
ip netns exec ${NS1} ip route add default via ${BR_ADDR}
ip netns exec ${NS2} ip route add default via ${BR_ADDR}
## if you want an external access
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -s ${BR_ADDR}/16 ! -o ${BR_DEV} -j MASQUERADE
First, we define a bridge with our variable and activate it.
Of course we connect on our bridge vethernets and we set an IP for our bridge.
To allow the communication from our namespaces to outside we need to create a default route to transfert packet through the bridge.
And finally, if you want to go outside of the host (of our namespaces), for example to go on internet, we authorize the ip forward and define a postrouting rule to accept routing with the bridge (input and output).
Top comments (0)