Introduction to Linux Network Namespaces

Reddit Comments

What is this?

3 points, u/102381, Jul 19 2015

This is nicely done, useful for my level of networking knowledge.

3 points, u/mcstafford, Jul 19 2015

Very cool to see. I am curious though, is there a BSD equivalent? All I can seem to find is networking using Jails which doesn't entirely appear to be the same thing.

2 points, u/Blackninja543, Jul 20 2015
Captions
This video is an introduction to Linux network namespaces. I'll start with a brief definition, then I'll jump into two examples of using namespaces, a walk through two lab-like scenarios that I believe will help make the video more practical. You have the option to simply watch the video, or you can try the same setup on your own system at home. The first example will mimic how Mininet, a network emulator, handles hosts; the second will mimic how OpenStack provides DHCP services to tenants. The steps I take are all on a single VM running Ubuntu 14.04 with Open vSwitch and the dnsmasq service installed.

References

Here is a list of references and recommended resources related to this video; links to these references are in the video description: the network namespaces man page, openvswitch.org, mininet.org, a presentation on Mininet done at Stanford by Bob Lantz and Brian O'Connor, docs.openstack.org (specifically the Neutron documentation), and finally opencloudblog.com's many Linux networking blog entries.

What are Linux network namespaces?

Network namespaces allow there to be multiple isolated network environments running on a single physical host or a single virtual machine. Each isolated network environment has its own interfaces, routing tables, forwarding tables and network security isolation. Processes can be dedicated to an individual network namespace to separate them from other namespaces. Network namespaces are used in OpenStack, Linux containers, Docker, Mininet and more.

Background on Mininet

The first example using namespaces mimics what Mininet does automatically; however, we will do it in a manual way to learn about network namespaces. If you're not already familiar with Mininet, here is a brief explanation. Mininet software allows you to launch custom virtual network topologies all within a single virtual machine or a single physical host. Its range of applications includes learning, testing and teaching about software-defined networking as well as networking in general.
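The definition above says processes can be dedicated to a namespace. As an added example that is not part of the video, the following read-only shell script shows where the kernel records that fact (the net namespace inode behind /proc/PID/ns/net) and uses it to inventory which processes share which network namespace, and which named namespace under /var/run/netns an inode belongs to. The function names and output layout are my own; it needs only /proc, and without root it simply skips processes it is not allowed to inspect.

```shell
#!/usr/bin/env bash
# Added example (not from the video): inventory which network namespace each
# process lives in. Processes whose /proc/PID/ns/net links resolve to the same
# inode share interfaces, routes and firewall state; a process with a different
# inode than PID 1 is isolated from the root namespace (a container, a Mininet
# host, an OpenStack dhcp-* namespace, ...). Needs only /proc.

# netns_of PID: print "net:[INODE]" for the process; fail if unreadable/gone
netns_of() {
  readlink "/proc/$1/ns/net" 2>/dev/null
}

# same_netns PID1 PID2: succeed when both processes share one network namespace
same_netns() {
  a=$(netns_of "$1") || return 1
  b=$(netns_of "$2") || return 1
  [ "$a" = "$b" ]
}

# netns_inventory: one line per namespace, "net:[INODE] COUNT pid,pid,..."
netns_inventory() {
  for p in /proc/[0-9]*; do
    pid=${p#/proc/}
    ns=$(netns_of "$pid") || continue      # process exited or not ours to read
    printf '%s %s\n' "$ns" "$pid"
  done | sort | awk '{ n[$1]++; l[$1] = (l[$1] ? l[$1] "," : "") $2 }
                     END { for (k in n) printf "%s %d %s\n", k, n[k], l[k] }'
}

# netns_name INODE: namespaces made with "ip netns add" are bind mounts under
# /var/run/netns; the mounted file carries the nsfs inode, so compare it
netns_name() {
  for f in /var/run/netns/*; do
    [ -e "$f" ] || continue
    if [ "$(stat -c %i "$f" 2>/dev/null)" = "$1" ]; then
      printf '%s\n' "${f##*/}"; return 0
    fi
  done
  return 1                                 # root namespace or an unnamed one
}

# main: print inventory with the ip-netns name where one exists
main() {
  netns_inventory | while read -r ns count pids; do
    ino=${ns#net:[}; ino=${ino%]}
    name=$(netns_name "$ino" || echo '-')
    printf '%-18s %-8s %5s  %s\n' "$ns" "$name" "$count" "$pids"
  done
}

case "${1:-}" in
  inventory) main ;;
esac
```

Run it as `bash netns-inventory.sh inventory`; every line with a name other than "-" or an inode different from the root namespace's is a process that is not reachable through the root namespace's interfaces, which is what `ip netns identify PID` answers for a single process.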
For more detail on Mininet you should go to mininet.org; you can also watch my introduction to Mininet video on my YouTube channel. For the purposes of this video I'll mimic what Mininet does to emulate the simplest topology. This topology will have two hosts connected together through one instance of Open vSwitch, all on my single VM. The two emulated hosts will have their own network environment thanks to network namespaces. This setup was demonstrated in a presentation by Bob Lantz and Brian O'Connor at a Stanford network seminar, which I'll link to in the video description.

The root network namespace

We start by taking a look at the root namespace. This is just the default network environment you see when working on a Linux system; it will be kind of like our canvas that we're going to put our virtual network on top of. There's nothing new here yet; we will just take a look at my VM's root network namespace before adding new network namespaces. To look around I will use some iproute2-based commands, instead of the older net-tools commands like ifconfig, route and arp. In the standard root namespace, ip link shows there is just a loopback interface and an eth0 interface. ip address, or just ip a, shows the eth0 interface has an IP address of 192.168.1.102. ip route displays the routing table.

Adding network namespaces

Now let's add two new network namespaces. Each of these namespaces will represent a single host in our network topology.

ip netns add red
ip netns add green

I've just added two new network namespaces named red and green. ip netns by itself displays those two new namespaces. Also, if we look in the directory /var/run/netns we can see the namespaces listed there as well. If we wanted to delete a namespace we'd say del, for delete, instead of add; I won't delete the new network namespaces here though. Looking at the logical diagram, now we have the two new network namespaces red and green. Red's and green's network environments are isolated both from each other and from the root namespace. To look further we can use the ip netns exec command:

ip netns exec red ip link

With this command we are simply running the ip link command; however, instead of running it in the root namespace, we are executing it directly in the red namespace. In red there is only a loopback interface, and it is down. Checking green as well shows the same situation:

ip netns exec green ip link

To emulate a simple network in the manner Mininet does, we want to connect these namespaces to a virtual switch. In this case we will use Open vSwitch; our instance of Open vSwitch will be in the root namespace.

ovs-vsctl add-br ovs1

This starts a new virtual switch that I've named ovs1. By the way, if you'd like more background about Open vSwitch I recommend going to openvswitch.org; you can also watch my introduction to Open vSwitch video on my YouTube channel. So we now have ovs1; we can check that with ovs-vsctl show. ip link shows that in the root namespace the interface ovs1 has been added. Checking the diagram again, now we have the two namespaces red and green as well as our Open vSwitch instance ovs1. Next is to connect all these together.

Virtual Ethernet interfaces

To connect the two namespaces red and green to ovs1 we will use veth pairs, or virtual Ethernet interfaces. veth pairs act like a pipe: anything that goes in one end of the pipe simply comes out the other end. We can use veth pairs to cross network namespaces.

ip link add eth0-r type veth peer name veth-r

This ip link command creates a veth pair. One end of it I'm choosing to name eth0-r; this end we are going to put into the red namespace. The other end of our new veth pair I've named veth-r; this end will connect to our OVS instance in the root namespace. What has happened now is there is this veth pair, which can be visualized as a pipe; at the moment we haven't connected the two ends of it to anything. With ip link we can see both ends of the veth pair sitting in our root namespace. We want to connect one end of this pipe to the red namespace and the other end to our Open vSwitch instance.

ip link set eth0-r netns red

This command places the end named eth0-r into the red namespace. ip link shows we can no longer see the interface eth0-r in the root namespace; that is because it is now in the network-isolated red namespace. Let's run the ip link command in the red namespace:

ip netns exec red ip link

Here we can see the end of the veth pair named eth0-r is now located in the red namespace. Now let's connect the other end of our veth pair to OVS:

ovs-vsctl add-port ovs1 veth-r

This ovs-vsctl command attaches the other end of the veth pair, named veth-r, to ovs1. Running ovs-vsctl show we can see there is a veth-r attached to ovs1. Now we have the red namespace connected to the OVS instance. The same thing will be done for the green namespace to connect it to OVS as well:

ip link add eth0-g type veth peer name veth-g

This creates another new virtual Ethernet pair, or veth pair; one side is named eth0-g, the other side is named veth-g.

ip link set eth0-g netns green

This puts the end named eth0-g into the green namespace.

ovs-vsctl add-port ovs1 veth-g

This attaches the end named veth-g to ovs1. Now the two namespaces have a path to each other via Open vSwitch.

Configuring interfaces in network namespaces

Now that everything is connected together, we need to turn all the interfaces up and we need to assign IP addresses. Let's start with the link to the red namespace. One side of this veth pair is on ovs1; however, it is down. I'll turn it up with:

ip link set veth-r up

Now we need to work inside the red namespace and execute ip link commands there to turn up lo and eth0-r:

ip netns exec red ip link set dev lo up
ip netns exec red ip link set dev eth0-r up

eth0-r needs an IP address:

ip netns exec red ip address add 10.0.0.1/24 dev eth0-r

This assigns the IP address 10.0.0.1 to eth0-r. ip netns exec red ip a shows the two interfaces; they are up and the expected IP addresses are assigned. ip netns exec red ip route shows the red namespace now has a route for 10.0.0.0/24 via its interface eth0-r. Back in the root namespace, running ip route shows the root namespace doesn't have any awareness of 10.0.0.0/24. This is as expected, since the routing of the red namespace is isolated from the root namespace.

Now we will do the same procedure for the green namespace, except we'll want to assign 10.0.0.2 to it.

ip link set dev veth-g up

This turns up the end of the veth pair attached to ovs1. Now I'll show a bit of a shortcut to work inside the green namespace. Instead of using the ip netns exec green command over and over, we can simply start a bash shell within the green namespace:

ip netns exec green bash

Now we are in the green namespace instead of the root namespace and can use regular ip commands; we no longer have to preface every command with ip netns exec green.

ip link set dev lo up
ip link set dev eth0-g up

These commands turn up the interfaces lo and eth0-g in the green namespace. Finally we assign the IP:

ip address add 10.0.0.2/24 dev eth0-g

Now the eth0-g port has IP 10.0.0.2, which you can see with ip a. Remember that we are working directly in the green namespace, since we ran ip netns exec green bash; to get back to the root namespace we would just type exit.

Final state

The final state is that there are two network namespaces, red and green. In the root namespace is an OVS instance named ovs1. The green and red namespaces are linked together to ovs1 through veth pairs. ovs1 acts as a layer 2 switch, enabling connectivity between the two namespaces. We can confirm connectivity between red and green with ping:

ping 10.0.0.2

The end result here is that we have two emulated hosts connected through Open vSwitch. We could continue this experiment and connect our OVS instance to an SDN controller; however, for our purposes here, which is learning about network namespaces, we will leave it at that. Now we'll move on to our second scenario. This one is related to OpenStack; we will connect network namespaces without using veth pairs, and we will run processes within network namespaces.

DHCP and OpenStack

OpenStack is well known as a popular open source platform to deploy cloud infrastructures. Here we will mimic one small piece of OpenStack: providing DHCP services to tenants in the cloud. In the cloud we have individual physical nodes that are responsible for providing many DHCP processes, one for each virtual network of every tenant. When we have all these DHCP processes running on individual hosts, these processes need to be isolated; we can use network namespaces for that isolation. To mimic this behavior from OpenStack we will build on the previous Mininet example. Keep in mind that in a real OpenStack deployment there would be a hypervisor and real VMs, versus our emulated hosts. So we start with the two namespaces red and green, which are emulating two hosts.

VLAN separation

First, the two namespaces red and green will be isolated from each other. In this scenario red and green will represent two different tenants in the cloud. Since they are both connected to the same Open vSwitch instance, VLANs will be used in Open vSwitch to keep them isolated.

ovs-vsctl set port veth-r tag=100
ovs-vsctl set port veth-g tag=200

These ovs-vsctl commands change the VLANs on the two ports connecting to the two namespaces. The first one moved port veth-r to VLAN 100; the second one moved veth-g to VLAN 200. Looking at the updated diagram, we see the namespaces are now isolated by VLANs. Also, we want to remove the current network namespace IP addressing, since we will use DHCP instead:

ip netns exec red ip address del 10.0.0.1/24 dev eth0-r
ip netns exec green ip address del 10.0.0.2/24 dev eth0-g

These commands are executed in the respective namespaces and remove the configured IPs.

Adding network namespaces

Now I'll add two new network namespaces; these will host the DHCP processes for our two tenants.

ip netns add dhcp-r
ip netns add dhcp-g

The first namespace, dhcp-r, will be used for the red tenant; the second, dhcp-g, will be used for the green tenant.

Open vSwitch internal ports

Earlier, to connect red and green to Open vSwitch in the root namespace, we used veth pairs. For the dhcp-r and dhcp-g namespaces we will connect through Open vSwitch internal ports. First let's work with the connection to dhcp-r.

ovs-vsctl add-port ovs1 tap-r

This creates a new port named tap-r on ovs1.

ovs-vsctl set interface tap-r type=internal

This makes this new port an internal port.

ovs-vsctl set port tap-r tag=100

This places the port into VLAN 100. Let's set up the port for green:

ovs-vsctl add-port ovs1 tap-g
ovs-vsctl set interface tap-g type=internal
ovs-vsctl set port tap-g tag=200

creating the port named tap-g, making the new port of type internal, and putting the port in VLAN 200. ovs-vsctl show confirms our configuration so far: there are the two new internal ports named tap-r and tap-g in VLAN 100 and 200 respectively. Looking at the diagram, there are two new internal ports; however, they are still sitting in the root namespace. They need to be moved to the right namespaces.

ip link set tap-r netns dhcp-r

This command moves the port tap-r into the dhcp-r namespace.

ip link set tap-g netns dhcp-g

This command moves the port tap-g into the dhcp-g namespace. ip link in the global namespace confirms we can no longer see tap-r and tap-g, since they've been moved. Even though we can't see the ports in the root namespace, we can still see them on OVS with ovs-vsctl show. And here is the updated diagram.

Interface configurations

Now we will turn up interfaces and assign IPs in the new namespaces dhcp-r and dhcp-g. Let's go directly into the bash shell for the namespace dhcp-r:

ip netns exec dhcp-r bash
ip link set dev lo up
ip link set dev tap-r up

This turns up the loopback interface and the tap-r interface in the namespace dhcp-r.

ip address add 10.50.50.2/24 dev tap-r

IP 10.50.50.2/24 has been assigned to interface tap-r in the dhcp-r namespace. We will do the same for dhcp-g:

ip netns exec dhcp-g bash
ip link set dev lo up
ip link set dev tap-g up
ip address add 10.50.50.2/24 dev tap-g

adding IP address 10.50.50.2 to the tap-g interface in dhcp-g. Note here how I intentionally use the exact same IP addresses in the two namespaces dhcp-g and dhcp-r. This is to demonstrate that these two environments are isolated from one another and don't interfere. This is what one would expect in the cloud environment: we want each tenant to use any private IP addressing they care to use and for it to be isolated from other tenants. Overlapping IPs are fine due to the isolation provided by network namespaces and VLANs.

Running a process in a network namespace

Finally we want to run DHCP. For DHCP we use the dnsmasq service. We want to have two dnsmasq services running, one for the red tenant and one for the green tenant; these need to be isolated from one another, therefore we use the ip netns exec command yet again.

ip netns exec dhcp-r dnsmasq --interface=tap-r --dhcp-range=10.50.50.10,10.50.50.100,255.255.255.0

This starts dnsmasq, but within the dhcp-r namespace. dnsmasq runs on the tap-r interface and uses a pool in this range. Now the exact same command again, except it is in the dhcp-g namespace, so we'll make those changes here:

ip netns exec dhcp-g dnsmasq --interface=tap-g --dhcp-range=10.50.50.10,10.50.50.100,255.255.255.0

I've now started two dnsmasq processes that are using the same range of IPs for a DHCP pool, but that are isolated from one another. The first process is running in the dhcp-r namespace, the second in the dhcp-g namespace. We can actually validate this by the process IDs. ps -ef shows PIDs 3162 and 3165 for the two dnsmasq processes. ip netns identify 3162 shows process 3162 is in the dhcp-r namespace, as expected, and ip netns identify 3165 shows that PID 3165 is in the dhcp-g namespace, also as expected. Let's see that this all worked all right by pulling IPs for our clients; first for the red namespace:

ip netns exec red dhclient eth0-r

This seems to have completed. ip netns exec red ip a shows we indeed have received an IP address assigned by the dnsmasq service for the red tenant. Now the same for the green tenant; again we see this has worked. Check out the diagram to see that dnsmasq is now running in two different namespaces, and our emulated tenants red and green were able to receive IP addresses from isolated DHCP processes.

Final review

I'll close now with a final review of what has been discussed; this should help solidify all the concepts we walked through in this video. Before that final review, a request for you, the viewer: if you found this video to be helpful, please subscribe to this channel for more like it. Also, to contact me directly, I can be found at linkedin.com/in/davidmahler.

This video covered Linux network namespaces and described some ways they can be used. First we mimicked how Mininet builds emulated network topologies. I created two isolated network namespaces, red and green. We created virtual Ethernet, or veth, pairs to connect these namespaces through an OVS instance running in the root namespace. We turned up interfaces and assigned IP addresses in the namespaces, then we demonstrated reachability between red and green. We also saw that the root namespace had no knowledge of the layer 3 addressing used by the network namespaces. After this we mimicked how OpenStack provides DHCP services to tenants in the cloud. We turned our namespaces red and green into isolated environments by assigning VLANs on the OVS side of the veth pairs. Then two new namespaces were created to host two isolated DHCP processes. These namespaces were connected to OVS by creating OVS internal ports, moving those ports to the appropriate VLANs, and finally by moving these ports directly into the respective namespaces. Lastly, it was demonstrated that the tenants were able to acquire IP addresses from separate dnsmasq processes running in individual network namespaces. That wraps up this video, and thank you for watching.
Info
Channel: David Mahler
Views: 89,883
Rating: 4.9737706 out of 5
Keywords: open vswitch, linux network namespace, namespace, David Mahler, mininet, OpenStack, dnsmasq, dhcp, network namespace, ovs
Id: _WgUwUf1d34
Length: 25min 51sec (1551 seconds)
Published: Wed Jul 01 2015