Network Namespaces Basics Explained in 15 Minutes

Captions
Hello and welcome to this video. In this video we get introduced to network namespaces in Linux. At the end of this section you will go through a practice test where you are given a set of challenges related to network namespaces, and you will practice solving them on a live, practical, hands-on lab environment. Well, before we get started, don't forget to subscribe to my channel for more videos like this.

Network namespaces are used by containers like Docker to implement network isolation. We'll start with a simple host. As we know already, containers are separated from the underlying host using namespaces. So what are namespaces? If your host was your house, then namespaces are the rooms within the house that you assign to each of your children. The room helps in providing privacy to each child. Each child can only see what's within his or her room; they cannot see what happens outside their room. As far as they're concerned, they're the only person living in the house. However, as a parent, you have visibility into all the rooms in the house as well as other areas of the house. If you wish, you can establish connectivity between two rooms in the house.

When you create a container, you want to make sure that it is isolated, that it does not see any other processes on the host or any other containers. So we create a special room for it on our host using a namespace. As far as the container is concerned, it only sees the processes run by it and thinks that it is on its own host. The underlying host, however, has visibility into all of the processes, including those running inside the containers. This can be seen when you list the processes from within the container: you see a single process with the process ID of 1. When you list the same processes as a root user from the underlying host, you see all the other processes along with the process running inside the container, this time with a different process ID. It's the same process running with different process IDs inside and outside the container. That's how namespaces work.

When it comes to networking, our host has its own interfaces that connect to the local area network. Our host has its own routing and ARP tables with information about the rest of the network. We want to seal all of those details from the container. When the container is created, we create a network namespace for it. That way it has no visibility into any network-related information on the host. Within its namespace, the container can have its own virtual interfaces, routing and ARP tables. The container has its own interface.

To create a new network namespace on a Linux host, run the ip netns add command. In this case we create two network namespaces. To list the network namespaces, run the ip netns command. To list the interfaces on my host, I run the ip link command. I see that my host has the loopback interface and the eth0 interface. Now how do we view the same within the network namespace that we created? How do we run the same command within the red or blue namespace? Prefix the command with the command ip netns exec followed by the namespace name, which is red. Now the ip link command will be executed inside the red namespace. Another way to do it is to add the -n option to the original ip link command. Both of these are the same. The second one is simpler, but remember this only works if you intend to run the ip command inside the namespace. As you can see, it only lists the loopback interface; you cannot see the eth0 interface on the host. So with namespaces we have successfully prevented the container from seeing the host's interface. The same is true with the ARP table: if you run the arp command on the host you see a list of entries, but if you run it inside the container you see no entries. And the same for the routing table.

Now, as of now these network namespaces have no network connectivity. They have no interfaces of their own and they cannot see the underlying host's network. Let's first look at establishing connectivity between the namespaces themselves. Just like how we would connect two physical machines together using a cable to an Ethernet interface on each machine, you can connect two namespaces together using a virtual Ethernet pair, or a virtual cable. It's often referred to as a pipe, but I'd like to call it a virtual cable with two interfaces on either end. To create the cable, run the ip link add command with the type set to veth and specify the two ends, veth-red and veth-blue. The next step is to attach each interface to the appropriate namespace. Use the command ip link set veth-red netns red to do that. Similarly, attach the blue interface to the blue namespace. We can then assign IP addresses to each of these namespaces. We will use the usual ip addr command to assign the IP address, but within each namespace. We will assign the red namespace an IP 192.168.15.1. We then assign the blue namespace an IP 192.168.15.2. We then bring up the interface using the ip link set up command for each device within the respective namespaces. The links are up and the namespaces can now reach each other. Try a ping from the red namespace to reach the IP of the blue. If you look at the ARP table on the red namespace, you see it's identified its blue neighbour at 192.168.15.2 with a MAC address. Similarly, if you list the ARP table on the blue namespace, you see it's identified its red neighbour. If you compare this with the ARP table of the host, you see that the host ARP table has no idea about these new namespaces we have created and no idea about the interfaces we created in them.

Now that worked when you had just two namespaces. What do you do when you have more of them? How do you enable all of them to communicate with each other? Just like in the physical world, you create a virtual network inside your host. To create a network you need a switch, so to create a virtual network you need a virtual switch. So you create a virtual switch within our host and connect the namespaces to it. But how do you create a virtual switch within a host? There are multiple solutions available, such as the native solution called Linux bridge, the Open vSwitch, etc. In this example we will use the Linux bridge option. To create an internal bridge network, we add a new interface to the host using the ip link add command with the type set to bridge. We will name it v-net-0. As far as our host is concerned, it is just another interface, just like the eth0 interface. It appears in the output of the ip link command along with the other interfaces. It's currently down, so you need to turn it up. Use the ip link set dev up command to bring it up. Now for the namespaces, this interface is like a switch that they can connect to. So think of it as an interface for the host and a switch for the namespaces.

So the next step is to connect the namespaces to this new virtual network switch. Earlier we created the cable, or the veth pair, with the veth-red interface on one end and the blue interface on the other, because we wanted to connect the two namespaces directly. Now we will be connecting all namespaces to the bridge network, so we need new cables for that purpose. This cable doesn't make sense anymore, so we will get rid of it. Use the ip link delete command to delete the cable. When you delete the link with one end, the other end gets deleted automatically, since they are a pair. Let us now create new cables to connect the namespaces to the bridge. Run the ip link add command and create a pair with veth-red on one end like before, but this time the other end will be named veth-red-br, as it connects to the bridge network. This naming convention will help us easily identify the interfaces that associate to the red namespace. Similarly, create a cable to connect the blue namespace to the bridge network. Now that we have the cables ready, it's time to get them connected to the namespaces. To attach one end of the interface to the red namespace, run the ip link set veth-red netns red command. To attach the other end to the bridge network, run the ip link set command on the veth-red-br end and specify the master for it as the v-net-0 network. Follow the same procedure to attach the blue cable to the blue namespace and the bridge network. Let us now set IP addresses for these links and turn them up. We will use the same IP addresses that we used before, 192.168.15.1 and 192.168.15.2, and finally turn the devices up. The containers can now reach each other over the network. So we follow the same procedure to connect the remaining two namespaces to the same network. We now have all four namespaces connected to our internal bridge network and they can all communicate with each other. They all have IP addresses 192.168.15.1, 2, 3 and 4.

And remember we assigned our host the IP 192.168.1.2. From my host, what if I try to reach one of these interfaces in these namespaces? Will it work? Now, my host is on one network and the namespaces are on another. But what if I really want to establish connectivity between my host and these namespaces? Remember we said that the bridge switch is actually a network interface for the host, so we do have an interface on the 192.168.15 network on our host. Since this is just another interface, all we need to do is assign an IP address to it so we can reach the namespaces through it. Run the ip addr command to set the IP 192.168.15.5 on this interface. We can now ping the red namespace from our local host.

Now remember, this entire network is still private and restricted within the host. From within the namespaces you can't reach the outside world, nor can anyone from the outside world reach the services or applications hosted inside. The only door to the outside world is the Ethernet port on the host. So how do we configure this bridge to reach the LAN network through the Ethernet port? Say there is another host attached to our LAN network with the address 192.168.1.3. How can I reach this host from within my namespaces? What happens if I try to ping this host from my blue namespace? The blue namespace sees that I am trying to reach a network at 192.168.1, which is different from my current network of 192.168.15, so it looks at its routing table to see how to find that network. The routing table has no information about the other network, so it comes back saying that the network is unreachable. So we need to add an entry into the routing table to provide a gateway, or door, to the outside world. So how do we find that gateway? A door, or a gateway, as we discussed before, is a system on the local network that connects to the other network. So what is a system that has one interface on the network local to the blue namespace, which is the 192.168.15 network, and is also connected to the outside LAN network? Here's a logical view. It's the local host that has all these namespaces on it. Remember, our local host has an interface attached to the private network, so you can ping the namespaces. So our local host is the gateway that connects the two networks together. We can now add a route entry in the blue namespace to say route all traffic to the 192.168.1 network through the gateway at 192.168.15.5. Now remember our host has two IP addresses, one on the first network at 192.168.15.5 and another on the external network at 192.168.1.2. Can you use either in the route? No, because the blue namespace can only reach the gateway in its local network at 192.168.15.5. The default gateway should be reachable from your namespace when you add it to your route.

When you try to ping now, you no longer get the network unreachable message, but you still don't get any response back from the ping. What might be the problem? We talked about a similar situation in one of our earlier lectures, where from our home network we try to reach the external internet through our router. Our home network has our internal private IP addresses that the destination network doesn't know about, so they cannot reach back. For this we need NAT enabled on our host, acting as a gateway here, so that it can send the messages to the LAN in its own name with its own address. So how do we add NAT functionality to our host? You could do that using iptables. Add a new rule in the NAT iptable in the POSTROUTING chain to MASQUERADE, or replace the from address on all packets coming from the source network 192.168.15.0, with its own IP address. That way anyone receiving these packets outside the network will think that they're coming from the host and not from within the namespaces. When we try to ping now, we see that we are able to reach the outside world.

Finally, say the LAN is connected to the Internet. We want the namespaces to reach the internet, so we try to ping a server on the Internet from the blue namespace. You will receive a familiar message that the network is unreachable. By now we know why that is: we look at the routing table and see that we have routes to the network 192.168.1 but not to anything else. Since these namespaces can reach any network our host can reach, we can simply say that to reach any external network, talk to our host. So we add a default gateway specifying our host. We should now be able to reach the outside world from within these namespaces.

Now what about connectivity from the outside world to inside the namespaces? Say, for example, the blue namespace hosts a web application on port 80. As of now, the namespaces are on an internal private network and no one from the outside world knows about that. We can only access these from the host itself. If you try to ping the private IP of the namespace from another host on another network, you will see that it's not reachable, obviously, because that host doesn't know about this private network. In order to make that communication possible, you have two options, the two options that we saw in the previous lecture on NAT. The first is to give away the identity of the private network to the second host, so we basically add an IP route entry to the second host telling the host that the network 192.168.15 can be reached through the host at 192.168.1.2. But we don't want to do that. The other option is to add a port forwarding rule using iptables to say any traffic coming to port 80 on the local host is to be forwarded to port 80 on the IP assigned to the blue namespace.

Well, that's it for this video. Thank you for watching. Head over to the practice labs to practice what you learned here, and don't forget to subscribe.
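The whole procedure walked through in the video, collected into one script as an added example (this is not code from the video or from KodeKloud). It keeps the names the video gives: namespaces red and blue, bridge v-net-0, veth-red / veth-red-br style pair names, the 192.168.15.x network with the host at 192.168.15.5, and port 80 on blue. Assumed rather than stated in the video are a /24 prefix length, the `net.ipv4.ip_forward` sysctl (the kernel will not route between the bridge and the Ethernet port without it), and the DRY_RUN switch: by default every command is printed instead of executed so the sequence can be reviewed on any machine; `DRY_RUN=0` applies it and needs root on a Linux host.

```shell
#!/bin/sh
# Added example, not code from the KodeKloud video: the video's ip/iptables
# procedure as one script. Names given in the video are used as-is; the /24
# mask, the ip_forward sysctl and the DRY_RUN switch are assumptions.
# DRY_RUN=1 (default) prints each command; DRY_RUN=0 executes it (root, Linux).

BRIDGE=${BRIDGE:-v-net-0}                    # bridge name from the video
SUBNET=${SUBNET:-192.168.15}                  # namespace network from the video
MASK=${MASK:-24}                              # assumption: the video states no prefix length
HOST_BRIDGE_IP=${HOST_BRIDGE_IP:-$SUBNET.5}   # host's address on the bridge (video: 192.168.15.5)

run() {
    if [ "${DRY_RUN:-1}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Step 1: the Linux bridge is a switch to the namespaces and an ordinary
# interface to the host; giving it an address makes the host the gateway
# of the 192.168.15 network.
create_bridge() {
    run ip link add "$BRIDGE" type bridge
    run ip link set dev "$BRIDGE" up
    run ip addr add "$HOST_BRIDGE_IP/$MASK" dev "$BRIDGE"
}

# Step 2: one namespace plus its veth "cable": veth-<ns> goes into the
# namespace, veth-<ns>-br is plugged into the bridge (its master). The
# default route sends everything off 192.168.15 to the host.
attach_namespace() {
    ns=$1; host_num=$2
    run ip netns add "$ns"
    run ip link add "veth-$ns" type veth peer name "veth-$ns-br"
    run ip link set "veth-$ns" netns "$ns"
    run ip link set "veth-$ns-br" master "$BRIDGE"
    run ip -n "$ns" addr add "$SUBNET.$host_num/$MASK" dev "veth-$ns"
    run ip -n "$ns" link set "veth-$ns" up
    run ip link set "veth-$ns-br" up
    run ip -n "$ns" route add default via "$HOST_BRIDGE_IP"
}

# Inspect a namespace both ways the video shows: "ip netns exec <ns> <cmd>"
# works for any command, "ip -n <ns>" only for ip itself.
show_namespace() {
    ns=$1
    run ip netns exec "$ns" ip link
    run ip -n "$ns" route
    run ip netns exec "$ns" arp
}

# Step 3: masquerade so the LAN sees the host's address, not 192.168.15.x.
# ip_forward is not in the video, but without it the host does not forward
# packets between the bridge and its Ethernet port at all.
enable_nat() {
    run sysctl -w net.ipv4.ip_forward=1
    run iptables -t nat -A POSTROUTING -s "$SUBNET.0/$MASK" -j MASQUERADE
}

# Step 4: expose a namespace service: TCP traffic reaching the host on $port
# is DNATed to the same port on the namespace's address (video: port 80, blue).
forward_port() {
    port=$1; target_ip=$2
    run iptables -t nat -A PREROUTING -p tcp --dport "$port" -j DNAT \
        --to-destination "$target_ip:$port"
}

# Whole procedure for the namespaces given as arguments; the n-th one gets
# 192.168.15.n, as in the video (red = .1, blue = .2, ...).
setup_all() {
    create_bridge
    n=1
    for name in "$@"; do
        attach_namespace "$name" "$n"
        n=$((n + 1))
    done
    enable_nat
    forward_port 80 "$SUBNET.2"   # blue is the second namespace
}

# Stand-alone run: print (or, with DRY_RUN=0, apply) the sequence for red and blue.
setup_all red blue
```

Read the printed sequence before applying it: the POSTROUTING and PREROUTING rules are appended to whatever the host already has, and on a host whose FORWARD chain defaults to DROP the forwarded packets also need an accept rule there, which the video's procedure (and this script) does not add.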
Info
Channel: KodeKloud
Views: 47,809
Rating: 4.9752169 out of 5
Keywords: Linux, network namespaces in linux, linux namespaces explained, namespaces explained, namespaces in network programming, Introducing Linux Network Namespaces, network namespaces, network, namespace, containers, namespaces, what is namespace, namespaces in devops, network namespace in kubernetes
Id: j_UUnlVC2Ss
Length: 15min 31sec (931 seconds)
Published: Mon May 20 2019