Linux network namespaces

Posted on 11-Jan-2017



Linux Network Namespaces

(and how they are used in Docker vs OpenStack)

VRF? (kinda)

Virtual routing and forwarding (VRF) is a technology included in IP (Internet Protocol) network routers that allows multiple instances of a routing table to exist in a router and work simultaneously. This increases functionality by allowing network paths to be segmented without using multiple devices.

Namespace = VRF++

Each Linux network namespace has its own set of:
- /proc/net
- connection tracking
- netfilter tables and chains (iptables, ebtables, arptables, …)
- myriad settings: buffers, window sizing, congestion tuning, omg, yes, yes, yes!
- network devices
- routing table

Why?

The purpose of the patch series that includes network namespaces is primarily to enable containers, which, just like VMs, provide:
- Isolation
- Resource allocation
- Lightweight++, security-- (when compared to kvm)

Small example in C

Full(er) version at: https://github.com/geekinutah/create_net_namespace

    // Declarations above skipped on the slide; these are the headers clone() and waitpid() need
    #define _GNU_SOURCE
    #include <sched.h>
    #include <signal.h>
    #include <stdio.h>
    #include <stdlib.h>
    #include <sys/types.h>
    #include <sys/wait.h>

    static char child_stack[1048576];   // the child's stack; clone() is handed its top end

    // Entry point of the child; clone() requires the int (*)(void *) signature
    int use_clone(void *arg) {
        (void)arg;
        printf("Welcome to your new network namespace!\n");
        printf("Here's the new output of 'ip link show'\n");
        system("/sbin/ip link show");    // only lo, and it is DOWN
        printf("\n\n");
        system("/bin/bash");             // interactive shell inside the new namespace
        printf("Back to the old namespace.\n");
        return 0;
    }

    int main(int argc, char **argv) {
        // Lots of code skipped here
        // CLONE_NEWNET gives the child a fresh network namespace, CLONE_NEWPID a fresh PID namespace
        pid_t child_pid = clone(use_clone, child_stack + 1048576,
                                CLONE_NEWPID | CLONE_NEWNET | SIGCHLD, NULL);
        waitpid(child_pid, NULL, 0);
        return 0;
    }

Using iproute2

    # ip netns add testing && echo "We have a new namespace."
    We have a new namespace.
    # ls -l /var/run/netns/testing
    -r--r--r--. 1 root root 0 Aug 27 15:33 /var/run/netns/testing
    # ip netns exec testing ip link show
    1: lo: <LOOPBACK> mtu 65536 qdisc noop state DOWN mode DEFAULT group default
        link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    # ip netns delete testing
    # ls -l /var/run/netns/
    total 0

Where is my net namespace

    #!/bin/bash
    PID=$(pgrep "$@")          # Arg should produce one match
    NS=/proc/${PID}/ns/net     # symlink of the form net:[<inode>]

    echo "${NS} is the file you are looking for"

    # What now, symlink $NS to /var/run/netns/a_random_name?
    # We could also use nsenter?
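The script above stops at the question of what to do with /proc/<pid>/ns/net. The C program below is an added example, not code from the slides or from the create_net_namespace repository, and the function names in it are mine. It does what nsenter and `ip netns exec` do under the hood: it identifies a process's network namespace by the inode number behind /proc/<pid>/ns/net (the same number that readlink shows as net:[...]), tells whether two processes share a namespace, and, when given a command, enters that namespace with setns(2) before exec'ing the command. The path argument can also be a /var/run/netns/<name> entry created by `ip netns add`, which is a bind mount of such a /proc link. Reading your own processes' inodes needs no privilege; setns needs CAP_SYS_ADMIN.

```c
// Added example, not from the slides: locate, compare and enter network namespaces.
#define _GNU_SOURCE
#include <fcntl.h>
#include <sched.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

// A namespace is identified by the inode of its nsfs entry. stat() follows the
// /proc/<pid>/ns/net symlink (or reaches the bind mount under /var/run/netns)
// and reports that inode. Returns 0 if the path cannot be reached.
unsigned long netns_inode_of_path(const char *path) {
    struct stat st;
    if (stat(path, &st) != 0) return 0;
    return (unsigned long)st.st_ino;
}

unsigned long netns_inode_of_pid(pid_t pid) {
    char path[64];
    snprintf(path, sizeof path, "/proc/%d/ns/net", (int)pid);
    return netns_inode_of_path(path);
}

// readlink("/proc/<pid>/ns/net") yields text like "net:[4026531992]"; pull the
// number out of it. Returns 0 for anything that is not a net namespace link.
unsigned long parse_netns_link(const char *link) {
    if (strncmp(link, "net:[", 5) != 0) return 0;
    char *end = NULL;
    unsigned long ino = strtoul(link + 5, &end, 10);
    return (end && *end == ']') ? ino : 0;
}

// Two processes share a network namespace exactly when the inodes match.
int same_netns(pid_t a, pid_t b) {
    unsigned long ia = netns_inode_of_pid(a), ib = netns_inode_of_pid(b);
    return ia != 0 && ia == ib;
}

// Enter the namespace behind path: /proc/<pid>/ns/net or /var/run/netns/<name>.
// Needs CAP_SYS_ADMIN; returns -1 with errno set on failure.
int enter_netns(const char *path) {
    int fd = open(path, O_RDONLY | O_CLOEXEC);
    if (fd < 0) return -1;
    int rc = setns(fd, CLONE_NEWNET);
    close(fd);
    return rc;
}

int main(int argc, char **argv) {
    if (argc < 2) {
        fprintf(stderr, "usage: %s <pid>|/path/to/netns [cmd args...]\n", argv[0]);
        return 2;
    }
    char path[256];
    if (argv[1][0] == '/')
        snprintf(path, sizeof path, "%s", argv[1]);
    else
        snprintf(path, sizeof path, "/proc/%d/ns/net", atoi(argv[1]));

    unsigned long target = netns_inode_of_path(path);
    unsigned long mine = netns_inode_of_pid(getpid());
    if (target == 0) { perror(path); return 1; }
    printf("%s is namespace inode %lu; this process is in %lu (%s)\n",
           path, target, mine, target == mine ? "same" : "different");

    if (argc > 2) {                      // optionally behave like `ip netns exec`
        if (enter_netns(path) != 0) { perror("setns"); return 1; }
        execvp(argv[2], &argv[2]);
        perror("execvp");
        return 1;
    }
    return 0;
}
```

`./netns_of $$` reports the namespace your shell lives in; as root, `./netns_of <pid> ip link show` prints the devices that process sees, and `./netns_of /var/run/netns/testing ip link show` is equivalent to `ip netns exec testing ip link show`. Comparing inodes is also the quickest way to confirm that a container really got its own namespace rather than sharing the host's.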

Docker default mode

Docker “shared” networking

Docker “none” mode

And also... Overlays!!!

(Clouds love them)

OpenStack networking

Lots of choices:
- Open vSwitch
- Linuxbridge
- Commercial (several)

Most people use Open vSwitch:
- Free
- Featureful

Neutron + Open vSwitch
- Overlays (GRE, VXLAN)
- Provider networks
- External/Floating networks
- Isolation
- Programmable via API
- Decent performance and stability

Good job Neutron developers!!!

OpenStack part 1

In OpenStack, network namespaces are really used to provide just one thing:

Overlapping IP space

OpenStack part 2

Two different neutron agents make use of namespaces:
- neutron-l3-agent
- neutron-dhcp-agent

[Diagram: n router namespaces (Namespace A, Namespace B) sitting between eth0 and eth1]

OpenStack part 3

[Diagram: br-ex and br-int bridges; qg and qr ports; dnsmasq A and dnsmasq B; Vlan tag 1 and Vlan tag 2]

This is simplified for space; if you look at a real network node it will look a bit different.

Thank you!

Questions?

Appendix

https://www.openstack.org/assets/presentation-media/HK-Openstack-Namespaces1-.pdf
https://docs.docker.com/articles/networking/
https://github.com/geekinutah/create_net_namespace
https://lwn.net/Articles/531114/