
Linux network namespaces



A top-to-bottom look at Linux network namespaces, their uses and the Docker and OpenStack use cases.

Published in: Technology


  1. Linux Network Namespaces (and how they are used in Docker vs OpenStack)
  2. VRF? (kinda). Virtual routing and forwarding (VRF) is a technology included in IP (Internet Protocol) network routers that allows multiple instances of a routing table to exist in a router and work simultaneously. This increases functionality by allowing network paths to be segmented without using multiple devices.
  3. Namespace = VRF++. Each Linux network namespace has its own set of:
     - /proc/net
     - connection tracking
     - netfilter tables and chains (iptables, ebtables, arptables, …)
     - myriad settings: buffers, window sizing, congestion tuning, omg, yes, yes, yes!
     - network devices
     - routing table
  4. Why? The purpose of the patch series that includes network namespaces is primarily to enable containers, which, just like VMs, provide:
     - Isolation
     - Resource allocation
     - Lightweight++, security-- (when compared to kvm)
  5. Small example in C. Full(er) version at :

     ```c
     #define _GNU_SOURCE
     #include <sched.h>
     #include <signal.h>
     #include <stdio.h>
     #include <stdlib.h>
     #include <unistd.h>
     #include <sys/wait.h>
     // Other declarations from the full version skipped

     static char child_stack[1048576];

     // Entry point of the child; it runs inside the new PID and network namespaces
     int use_clone(void *arg) {
         printf("Welcome to your new network namespace!\n");
         printf("Here's the new output of 'ip link show'\n");
         system("/sbin/ip link show");      // only lo is present, and it is DOWN
         printf("\n\n");
         system("/bin/bash");               // interactive shell inside the namespace
         printf("Back to the old namespace.\n");
         return 0;
     }

     int main(int argc, char **argv) {
         // Lots of code skipped here
         // The stack grows down, so pass the top of the child's stack
         pid_t child_pid = clone(use_clone, child_stack + 1048576,
                                 CLONE_NEWPID | CLONE_NEWNET | SIGCHLD, NULL);
         waitpid(child_pid, NULL, 0);
         return 0;
     }
     ```
  6. Using iproute2

     ```console
     # ip netns create testing && echo "We have a new namespace."
     We have a new namespace
     # ls -l /var/run/netns/testing
     -r--r--r--. 1 root root 0 Aug 27 15:33 /var/run/netns/testing
     # ip netns exec testing ip link show
     1: lo: <LOOPBACK> mtu 65536 qdisc noop state DOWN mode DEFAULT group default
         link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
     # ip netns delete testing
     # ls -l /var/run/netns/
     total 0
     ```
  7. Where is my net namespace?

     ```bash
     #!/bin/bash
     PID=$(pgrep "$@")                 # Arg should produce one match
     NS=$(ls -1 "/proc/${PID}/ns/net")  # the namespace symlink of that process
     echo "${NS} is the file you are looking for"
     # What now, symlink $NS to /var/run/netns/a_random_name?
     # We could also use nsenter?
     ```
  8. Docker default mode
  9. Docker “shared” networking
  10. Docker “none” mode
  11. And also... Overlays!!! (Clouds love them)
  12. OpenStack networking. Lots of choices:
      - Open vSwitch
      - Linuxbridge
      - Commercial (several)
      Most people use Open vSwitch: free, featureful.
  13. Neutron + Open vSwitch
      - Overlays (GRE, VXLAN)
      - Provider networks
      - External/Floating networks
      - Isolation
      - Programmable via API
      - Decent performance and stability
      Good job Neutron developers!!!
  14. OpenStack part 1. In OpenStack, network namespaces are really used to provide just one thing: overlapping IP space.
  15. OpenStack part 2. Two different neutron agents make use of namespaces:
      - neutron-l3-agent
      - neutron-dhcp-agent
  16. OpenStack part 3. [Diagram: a network node with eth0 and eth1, the br-ex and br-int bridges, router namespaces with qg and qr interfaces, and Namespace A (VLAN tag 1) and Namespace B (VLAN tag 2) each running its own dnsmasq.] This is simplified for space; if you look at a network node it will look a bit different.
  17. Thank you! Questions?
  18. Appendix media/HK-Openstack-Namespaces1-.pdf
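Added example, not from the slides: a small C program that resolves which network namespace a process is in from /proc/<pid>/ns/net (the file the slide 7 script prints) and checks whether a forked child that calls unshare(CLONE_NEWNET), the same flag the slide 5 clone() uses, lands in a different namespace. The function names are mine; creating a namespace needs CAP_SYS_ADMIN, and the code reports that case instead of failing.

```c
// Added example, not from the slides. /proc/<pid>/ns/net is a symlink whose
// target reads "net:[4026531957]"; the number is the namespace inode, which
// is how the kernel (and nsenter / ip netns) identifies the namespace.
#define _GNU_SOURCE
#include <sched.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/wait.h>

// Namespace inode of pid's network namespace, or 0 if it cannot be read.
unsigned long netns_inode(pid_t pid) {
    char path[64], target[64];
    unsigned long ino = 0;
    snprintf(path, sizeof path, "/proc/%d/ns/net", (int)pid);
    ssize_t n = readlink(path, target, sizeof target - 1);
    if (n < 0) return 0;
    target[n] = '\0';
    return sscanf(target, "net:[%lu]", &ino) == 1 ? ino : 0;
}

// Fork a child that, if unshare_flags != 0, moves into a fresh namespace with
// unshare(2), then compare its inode with ours. Returns 1 if the child is in
// a different net namespace, 0 if the same, -1 if it could not unshare.
int child_netns_differs(int unshare_flags) {
    int fd[2];
    if (pipe(fd) < 0) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        int ok = unshare_flags == 0 || unshare(unshare_flags) == 0;
        unsigned long ino = ok ? netns_inode(getpid()) : 0;   // 0 = failed
        if (write(fd[1], &ino, sizeof ino) != (ssize_t)sizeof ino) _exit(1);
        _exit(0);
    }
    close(fd[1]);
    unsigned long child_ino = 0;
    ssize_t got = read(fd[0], &child_ino, sizeof child_ino);
    close(fd[0]);
    waitpid(pid, NULL, 0);
    if (got != (ssize_t)sizeof child_ino || child_ino == 0) return -1;
    return child_ino != netns_inode(getpid());
}

int main(void) {
    printf("this process: net:[%lu]\n", netns_inode(getpid()));
    printf("plain fork differs: %d\n", child_netns_differs(0));
    printf("CLONE_NEWNET child differs: %d\n", child_netns_differs(CLONE_NEWNET));
    return 0;
}
```

Run it as root and the last line prints 1; as an unprivileged user (or under a seccomp profile that denies unshare) it prints -1, which is the same CAP_SYS_ADMIN requirement the clone() on slide 5 hits.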