Network namespace
Hello and welcome to this video. In this video we get introduced to network namespaces in Linux. At the end of this section you will go through a practice test where you are given a set of challenges related to network namespaces, and you will practice solving them in a live, hands-on lab environment. Before we get started, don't forget to subscribe to my channel for more videos like this.

Network namespaces are used by container runtimes like Docker to implement network isolation. We'll start with a simple host. As we already know, containers are separated from the underlying host using namespaces. So what are namespaces? If your host were your house, then namespaces are the rooms within the house that you assign to each of your children. A room gives each child privacy: each child can only see what is within his or her room and cannot see what happens outside it. As far as they are concerned, they are the only person living in the house. As a parent, however, you have visibility into all the rooms as well as the other areas of the house, and if you wish, you can establish connectivity between two rooms.

When you create a container you want to make sure that it is isolated: that it does not see any other processes on the host or in any other container. So we create a special room for it on our host using a namespace. As far as the container is concerned, it only sees the processes it runs and thinks it is on its own host. The underlying host, however, has visibility into all of the processes, including those running inside the containers. You can see this when you list the processes from within the container: you see a single process, with process ID 1. When you list the processes as the root user on the underlying host, you see all the other processes along with the process running inside the container, this time with a different process ID. It is the same process, running with different process IDs inside and outside the container. That's how namespaces work.
our host has its own interfaces that
connect to the local area network our
host has its own routing and arc tables
with information about rest of the
network we want to seal all of those
details from the container when the
container is created we create a network
namespace for it that way it has no
visibility to any network related
information on the host within its
namespace the container can have its own
virtual interfaces routing and arc
tables the container has its own
interface to create a new network
namespace on a Linux host run the IP
nest NS add command in this case we
create two network namespaces to list
the network namespaces run the IP net NS
command to list the interfaces on my
host I run the IP link command I see
that my host has the loopback interface
and the 8/0 interface now how do we view
the same within the network namespace
that we created how do we run the same
command within the red or blue namespace
prefix the command with the command IP
net NS exec followed by the namespace
name which is red now the IP link
command will be executed inside the red
namespace another way to do it is to add
the - an option to the original IP link
command both of these are the same the
second one is similar but remember this
only works if you intend to run the IP
command inside the namespace as you can
see it only lists the loopback interface
you cannot see the it 0 interface on the
host
so with namespaces we have successfully
prevented the container from seeing the
hosts interface the same is true with
the ARP table if you run the ARP command
on the host you see a list of entries
but if you run it inside the container
you see no entries and the same for
routing table now as of now these
network namespaces have no network
connectivity
They have no interfaces of their own, and they cannot see the underlying host's network. Let's first look at establishing connectivity between the namespaces themselves. Just as you would connect two physical machines with a cable plugged into an Ethernet interface on each machine, you can connect two namespaces using a virtual Ethernet pair, or virtual cable. It is often referred to as a pipe, but I like to call it a virtual cable with an interface on either end. To create the cable, run the ip link add command with the type set to veth and specify the two ends, veth-red and veth-blue. The next step is to attach each interface to the appropriate namespace: use the command ip link set veth-red netns red to do that, and similarly attach the blue interface to the blue namespace. We can then assign IP addresses within each namespace. We use the usual ip addr command to assign the address, but run it within each namespace: we assign the red namespace the IP 192.168.15.1 and the blue namespace the IP 192.168.15.2. We then bring up the interfaces using the ip link set up command for each device within its respective namespace. The links are up and the namespaces can now reach each other: try a ping from the red namespace to the IP of the blue one. If you look at the ARP table in the red namespace, you see it has identified its blue neighbour at 192.168.15.2 with a MAC address; similarly, if you list the ARP table in the blue namespace, you see it has identified its red neighbour. If you compare this with the ARP table of the host, you see that the host's ARP table knows nothing about the namespaces we created or the interfaces in them. Now, that worked when you had just two namespaces.
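The two-namespace setup just described (ip netns add, the veth pair, the addresses, and the checks), as an added shell script that is not from the video. Names and addresses follow the video: red, blue, veth-red, veth-blue, 192.168.15.1 and 192.168.15.2; the /24 mask and the script's file name are assumptions. It needs root (CAP_NET_ADMIN) to run for real; without root, or with DRY_RUN=1, it prints the commands it would run instead. One detail the video skips is included: a fresh namespace has its loopback interface down, and until it is brought up the namespace cannot reach its own address, so the script brings lo up in each namespace.

```sh
#!/bin/sh
# Added example, not from the video: two network namespaces joined by a veth pair.
# Names and addresses follow the video (red/blue, veth-red/veth-blue, 192.168.15.1/2).
set -eu

DRY_RUN=${DRY_RUN:-0}

# Execute a command, or print it with a "+ " prefix when DRY_RUN=1.
run() {
  if [ "$DRY_RUN" = "1" ]; then
    printf '+ %s\n' "$*"
  else
    "$@"
  fi
}

ns_up() {
  run ip netns add red
  run ip netns add blue
  # One virtual cable with an interface on either end.
  run ip link add veth-red type veth peer name veth-blue
  # Moving an end into a namespace removes it from the host's ip link listing.
  run ip link set veth-red netns red
  run ip link set veth-blue netns blue
  # Addresses are assigned inside each namespace (ip -n X is ip netns exec X ip).
  run ip -n red addr add 192.168.15.1/24 dev veth-red
  run ip -n blue addr add 192.168.15.2/24 dev veth-blue
  # A new namespace's loopback is down; bring it up so the namespace can talk to itself.
  run ip -n red link set lo up
  run ip -n blue link set lo up
  run ip -n red link set veth-red up
  run ip -n blue link set veth-blue up
}

# The checks from the video: the namespace sees only its own interfaces, and after a
# ping each side's neighbour (ARP) table has learnt the other's MAC address.
ns_check() {
  run ip netns exec red ip link
  run ip -n red link                        # same command, shorter form (ip only)
  run ip netns exec red ping -c 1 192.168.15.2
  run ip -n red neigh                       # equivalent of "arp" inside the namespace
  run ip -n blue neigh
  run ip neigh                              # host table: knows nothing of the pair
}

# Deleting a namespace destroys the veth end inside it, and its peer goes with it.
ns_down() {
  run ip netns del red
  run ip netns del blue
}

# Usage: sudo ./veth-pair.sh up|check|down (file name assumed).
# Without root the plan is printed rather than executed.
if [ "$(id -u)" -ne 0 ]; then
  DRY_RUN=1
fi
case "${1:-}" in
  up)    ns_up ;;
  check) ns_check ;;
  down)  ns_down ;;
esac
```

Run it as root with up, then check, to see the ping succeed and the neighbour entries appear only inside the namespaces; run it as an ordinary user to see the exact command sequence without touching the host.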
What do you do when you have more of them? How do you enable all of them to communicate with each other? Just as in the physical world, you create a virtual network inside your host. To create a network you need a switch, so to create a virtual network you need a virtual switch: you create a virtual switch within the host and connect the namespaces to it. But how do you create a virtual switch within a host? There are multiple solutions available, such as the native Linux bridge, Open vSwitch and others. In this example we will use the Linux bridge option to create an internal bridge network. We add a new interface to the host using the ip link add command with the type set to bridge, and we name it v-net-0. As far as our host is concerned, it is just another interface, like eth0: it appears in the output of the ip link command along with the other interfaces. It is currently down, so you need to bring it up with the ip link set dev up command. For the namespaces, this interface is like a switch they can connect to. So think of it as an interface for the host and a switch for the namespaces.

The next step is to connect the namespaces to this new virtual switch. Earlier we created the cable, the veth pair, with the veth-red interface on one end and veth-blue on the other, because we wanted to connect the two namespaces directly. Now we will be connecting all namespaces to the bridge network, so we need new cables for that purpose; this cable doesn't make sense anymore, so we will get rid of it. Use the ip link delete command to delete the cable. When you delete one end of the link, the other end is deleted automatically, since they are a pair. Let us now create new cables to connect the namespaces to the bridge. Run the ip link add command and create a pair with veth-red on one end, like before, but this time the other end is named veth-red-br, as it connects to the bridge network. This naming convention helps us easily identify the interfaces associated with the red namespace. Similarly, create a cable to connect the blue namespace to the bridge network. Now that we have the cables ready, it's time to connect them. To attach one end to the red namespace, run the ip link set veth-red netns red command; to attach the other end to the bridge network, run the ip link set command on the veth-red-br end and specify its master as the v-net-0 device. Follow the same procedure to attach the blue cable to the blue namespace and the bridge network. Let us now set IP addresses on these links and turn them up. We will use the same IP addresses we used before, 192.168.15.1 and 192.168.15.2, and finally turn the devices up. The namespaces can now reach each other over the bridge, so we follow the same procedure to connect the remaining two namespaces to the same network. We now have all four namespaces connected to our internal bridge network and they can all communicate with each other. They have the IP addresses 192.168.15.1, 2, 3 and 4, and remember we assigned our host the IP 192.168.1.2.

From my host, what if I try to reach one of the interfaces in these namespaces? Will it work? Right now my host is on one network and the namespaces are on another. But what if I really want to establish connectivity between my host and these namespaces? Remember we said that the bridge is actually a network interface for the host, so we do have an interface on the 192.168.15 network on our host. Since this is just another interface, all we need to do is assign an IP address to it so we can reach the namespaces through it. Run the ip addr command to set the IP 192.168.15.5 on this interface. We can now ping the red namespace from our local host.
Now remember, this entire network is still private and restricted within the host. From within the namespaces you cannot reach the outside world, nor can anyone from the outside world reach the services or applications hosted inside. The only door to the outside world is the Ethernet port on the host. So how do we configure this bridge to reach the LAN through the Ethernet port? Say there is another host attached to our LAN with the address 192.168.1.3. How can I reach this host from within my namespaces? What happens if I try to ping it from the blue namespace? The blue namespace sees that I am trying to reach a network at 192.168.1, which is different from its own network of 192.168.15, so it looks at its routing table to see how to find that network. The routing table has no information about other networks, so it comes back saying that the network is unreachable. We need to add an entry to the routing table to provide a gateway, a door to the outside world. So how do we find that gateway? A gateway, as we discussed before, is a system on the local network that connects to the other network. So what is a system that has one interface on the network local to the blue namespace, the 192.168.15 network, and is also connected to the outside LAN? Here's the logical view: it's the local host that all these namespaces live on. Remember, our local host has an interface attached to the private network, which is why you can ping the namespaces from it, and it also has an interface on the LAN. So our local host is the gateway that connects the two networks together. We can now add a route entry in the blue namespace to say: route all traffic to the 192.168.1 network through the gateway at 192.168.15.5. Now remember, our host has two IP addresses, one on the first network at 192.168.15.5 and another on the external network at 192.168.1.2. Can you use either one in the route? No, because the blue namespace can only reach the gateway through its local network, at 192.168.15.5. The gateway must be reachable from your namespace when you add it to its routing table.

When you try to ping now, you no longer get the network unreachable message, but you still don't get any response back. What might be the problem? We talked about a similar situation in one of our earlier lectures, where from our home network we try to reach the external internet through our router. Our home network uses private IP addresses that the destination network doesn't know about, so it cannot send replies back. For this we need NAT enabled on our host, which is acting as the gateway here, so that it sends the messages to the LAN in its own name, with its own address. So how do we add NAT functionality to our host? You do that using iptables. Add a new rule to the POSTROUTING chain of the nat table to masquerade, that is, to replace the source address on all packets coming from the source network 192.168.15.0 with the host's own IP address. That way, anyone receiving these packets outside the network will think they are coming from the host and not from within the namespaces. When we try to ping now, we see that we are able to reach the outside world.

Finally, say the LAN is connected to the internet and we want the namespaces to reach the internet. So we try to ping a server on the internet from the blue namespace. You receive the familiar message that the network is unreachable. By now we know why: we look at the routing table and see that we have a route to the 192.168.1 network but not to anything else. Since these namespaces can reach any network our host can reach, we can simply say that to reach any external network, talk to our host. So we add a default gateway specifying our host. We should now be able to reach the outside world from within these namespaces.
Now what about connectivity from the outside world into the namespaces? Say, for example, the blue namespace hosts a web application on port 80. As of now the namespaces are on an internal private network and no one in the outside world knows about it; we can only access them from the host itself. If you try to ping the private IP of the namespace from another host on another network, you will see that it's not reachable, obviously, because that host doesn't know about this private network. To make that communication possible you have two options, the two options we saw in the previous lecture on NAT. The first is to give away the identity of the private network to the second host: we add an ip route entry on the second host telling it that the 192.168.15 network can be reached through the host at 192.168.1.2. But we don't want to do that. The other option is to add a port forwarding rule using iptables to say that any traffic coming to port 80 on the local host is to be forwarded to port 80 on the IP assigned to the blue namespace.
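The bridge topology, the host's gateway address, the NAT rule and the port-forwarding rule from the sections above, as one added shell script that is not from the video. Names follow the video where it gives them: bridge v-net-0, namespaces red and blue at 192.168.15.1 and .2, host address 192.168.15.5 on the bridge, and eth0 as the host's LAN interface; the third and fourth namespaces are named green and purple here, which is an assumption, as are the /24 mask, the script's file name and TCP port 80 for the web application. Two things the video does not mention are included because the routes and the masquerade rule do nothing without them: net.ipv4.ip_forward must be enabled for the host to forward packets between the bridge and eth0, and if the FORWARD chain's default policy is DROP (as it is on a host running Docker) explicit accept rules are needed. One caveat on the port forward: the DNAT rule sits in PREROUTING, which only sees packets arriving from the LAN, so testing it from the host itself against its own port 80 will not exercise it. Without root, or with DRY_RUN=1, the commands are printed instead of run.

```sh
#!/bin/sh
# Added example, not from the video: four namespaces on a Linux bridge, with the host
# as their gateway (NAT out to the LAN) and a port forward into the blue namespace.
# Names the video gives are kept; green, purple, LAN_IF=eth0 and /24 are assumptions.
set -eu

DRY_RUN=${DRY_RUN:-0}
BRIDGE=v-net-0
SUBNET=192.168.15.0/24
HOST_BR_IP=192.168.15.5          # host's address on the bridge = the namespaces' gateway
LAN_IF=eth0                      # host's interface towards the LAN (assumed name)
NAMESPACES="red blue green purple"
WEB_NS_IP=192.168.15.2           # blue namespace, which hosts the web app on port 80

# Execute a command, or print it with a "+ " prefix when DRY_RUN=1.
run() {
  if [ "$DRY_RUN" = "1" ]; then printf '+ %s\n' "$*"; else "$@"; fi
}

# Address for a namespace: red=.1, blue=.2, green=.3, purple=.4 (position in NAMESPACES).
ns_addr() {
  i=0
  for n in $NAMESPACES; do
    i=$((i + 1))
    if [ "$n" = "$1" ]; then printf '192.168.15.%d\n' "$i"; return 0; fi
  done
  return 1
}

bridge_up() {
  run ip link add "$BRIDGE" type bridge
  run ip link set dev "$BRIDGE" up
  run ip addr add "$HOST_BR_IP/24" dev "$BRIDGE"      # host side of the "switch"
  for ns in $NAMESPACES; do
    run ip netns add "$ns"
    run ip link add "veth-$ns" type veth peer name "veth-$ns-br"
    run ip link set "veth-$ns" netns "$ns"             # one end into the namespace
    run ip link set "veth-$ns-br" master "$BRIDGE"     # the other end into the bridge
    run ip link set "veth-$ns-br" up
    run ip -n "$ns" addr add "$(ns_addr "$ns")/24" dev "veth-$ns"
    run ip -n "$ns" link set lo up
    run ip -n "$ns" link set "veth-$ns" up
    # The video first routes 192.168.1.0/24 via the host and then adds a default route;
    # a single default route via the host's bridge address covers the LAN and beyond.
    run ip -n "$ns" route add default via "$HOST_BR_IP"
  done
}

nat_up() {
  run sysctl -q -w net.ipv4.ip_forward=1              # without forwarding the routes are useless
  # Source NAT: packets from the namespace subnet leaving via the LAN get the host's address.
  run iptables -t nat -A POSTROUTING -s "$SUBNET" -o "$LAN_IF" -j MASQUERADE
  # Only needed if the FORWARD chain's policy is DROP (e.g. a host that runs Docker).
  run iptables -A FORWARD -i "$BRIDGE" -o "$LAN_IF" -j ACCEPT
  run iptables -A FORWARD -i "$LAN_IF" -o "$BRIDGE" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
}

port_forward() {
  # Destination NAT: TCP port 80 arriving from the LAN is handed to the blue namespace.
  run iptables -t nat -A PREROUTING -i "$LAN_IF" -p tcp --dport 80 -j DNAT --to-destination "$WEB_NS_IP:80"
  run iptables -A FORWARD -i "$LAN_IF" -o "$BRIDGE" -p tcp -d "$WEB_NS_IP" --dport 80 -j ACCEPT
}

teardown() {
  run iptables -t nat -D PREROUTING -i "$LAN_IF" -p tcp --dport 80 -j DNAT --to-destination "$WEB_NS_IP:80"
  run iptables -D FORWARD -i "$LAN_IF" -o "$BRIDGE" -p tcp -d "$WEB_NS_IP" --dport 80 -j ACCEPT
  run iptables -D FORWARD -i "$LAN_IF" -o "$BRIDGE" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
  run iptables -D FORWARD -i "$BRIDGE" -o "$LAN_IF" -j ACCEPT
  run iptables -t nat -D POSTROUTING -s "$SUBNET" -o "$LAN_IF" -j MASQUERADE
  for ns in $NAMESPACES; do run ip netns del "$ns"; done   # takes each veth pair with it
  run ip link del "$BRIDGE"
}

# Usage: sudo ./ns-bridge.sh up|down (file name assumed).
# Without root the plan is printed rather than executed.
if [ "$(id -u)" -ne 0 ]; then
  DRY_RUN=1
fi
case "${1:-}" in
  up)   bridge_up; nat_up; port_forward ;;
  down) teardown ;;
esac
```

After up, ping 192.168.1.3 and an internet address from inside blue (ip netns exec blue ping ...) to confirm the route and the masquerade, and from another LAN host connect to port 80 on 192.168.1.2 to confirm the DNAT. The masquerade rule is restricted to packets leaving on eth0 so that traffic between namespaces across the bridge is never rewritten.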