Linux Network Namespaces

(and how they are used in Docker vs OpenStack)

VRF? (kinda)Virtual routing and forwarding (VRF) is a technology included in IP (Internet Protocol) network routers that allows multiple instances of a routing table to exist in a router and work simultaneously. This increases functionality by allowing network paths to be segmented without using multiple devices.

Namespace = VRF++Each Linux namespace has its own set of:/proc/net

connection trackingnetfilter tables and chains (iptables, ebtables,

arptables, …)myriad settings: buffers, window sizing,

congestion tuning, omg, yes, yes, yes!network devicesrouting table

Why?The purpose of the patch series that includes network namespaces is primarily to enable containers. Which just like VMs provide:IsolationResource allocationLightweight++, security-- (when compared to kvm)

Small example in CFull(er) version at : https://github.com/geekinutah/create_net_namespace

// Declarations above skippedstatic char child_stack[1048576];

int use_clone(){ printf("Welcome to your new network namespace!\n"); printf("Here's the new output of 'ip link show'\n"); system("/sbin/ip link show"); printf("\n\n"); system("/bin/bash"); printf("Back to the old namespace.\n");}

int main (int argc, char **argv){ // Lots of code skipped here pid_t child_pid = clone(use_clone, child_stack+1048576, CLONE_NEWPID | CLONE_NEWNET | SIGCHLD, NULL); waitpid(child_pid, NULL, 0);

return 0;}

Using iproute2# ip netns create testing && echo “We have a new namespace.”We have a new namespace# ls -l /var/run/netns/testing-r--r--r--. 1 root root 0 Aug 27 15:33 /var/run/netns/testing# ip netns exec testing ip link show1: lo: <LOOPBACK> mtu 65536 qdisc noop state DOWN mode DEFAULT group default link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00# ip netns delete testing# ls -l /var/run/netns/total 0

Where is my net namespace#!/bin/bashPID=`pgrep ${@}` # Arg should produce one matchNS=`ls -1 /proc/${PID}/ns/net`

print “${NS} is the file you are looking for”

# What now, symlink $NS to /var/run/netns/a_random_name?# We could also use nsenter?

Docker default mode

Docker “shared” networking

Docker “none” mode

And also...Overlays!!!

(Clouds love them)

OpenStack networkingLots of choices:Open vSwitchLinuxbridgeCommercial (several)Most people use Open vSwitchFreeFeatureful

Neutron + Open vSwitchOverlays (GRE, VXLAN)Provider networksExternal/Floating networksIsolationProgrammable via APIDecent performance and stabilityGood job Neutron developers!!!

OpenStack part 1In OpenStack network namespaces are really used to provide just one thing:

Overlapping IP space

OpenStack part2Two different neutron agents make use of namespaces:neutron-l3-agentneutron-dhcp-agent

eth1

Namespace B Namespace A

n Router Namespaces

eth0

OpenStack part3

br-ex

br-int

qg

qrqrqg qg

dnsmasq A dnsmasq B

Vlan tag 1 Vlan tag 2

This is simplified for space, if you look at a network node it will look a bit different.

Thank you!

Questions?

Appendixhttps://www.openstack.org/assets/presentation-media/HK-Openstack-Namespaces1-.pdfhttps://docs.docker.com/articles/networking/https://github.com/geekinutah/create_net_namespacehttps://lwn.net/Articles/531114/