Linux Network Namespaces (and how they are used in Docker vs OpenStack)
VRF? (kinda)

Virtual routing and forwarding (VRF) is a technology included in IP (Internet Protocol) network routers that allows multiple instances of a routing table to exist in a router and work simultaneously. This increases functionality by allowing network paths to be segmented without using multiple devices.
Namespace = VRF++

Each Linux network namespace has its own set of:
- /proc/net
- connection tracking
- netfilter tables and chains (iptables, ebtables, arptables, ...)
- myriad settings: buffers, window sizing, congestion tuning, omg, yes, yes, yes!
- network devices
- routing table
Why?

The purpose of the patch series that includes network namespaces is primarily to enable containers, which, just like VMs, provide:
- Isolation
- Resource allocation
- Lightweight++, security-- (when compared to KVM)
Small example in C

Full(er) version at: https://github.com/geekinutah/create_net_namespace
#define _GNU_SOURCE
#include <sched.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/wait.h>

// Declarations above skipped
static char child_stack[1048576];   // stack for the cloned child

// Entry point of the child; it already runs inside the new PID and
// network namespaces when this function starts.
static int use_clone(void *arg)
{
    (void)arg;
    printf("Welcome to your new network namespace!\n");
    printf("Here's the new output of 'ip link show'\n");
    system("/sbin/ip link show");     // a fresh netns only has 'lo', and it is DOWN
    printf("\n\n");
    system("/bin/bash");              // interactive shell inside the namespace
    printf("Back to the old namespace.\n");
    return 0;
}

int main(int argc, char **argv)
{
    // Lots of code skipped here
    // CLONE_NEWPID | CLONE_NEWNET need CAP_SYS_ADMIN; the stack grows down,
    // so the child gets a pointer to the top of the buffer.
    pid_t child_pid = clone(use_clone, child_stack + sizeof(child_stack),
                            CLONE_NEWPID | CLONE_NEWNET | SIGCHLD, NULL);
    if (child_pid == -1) {
        perror("clone");
        return 1;
    }
    waitpid(child_pid, NULL, 0);
    return 0;
}
Using iproute2

# ip netns create testing && echo "We have a new namespace."
We have a new namespace
# ls -l /var/run/netns/testing
-r--r--r--. 1 root root 0 Aug 27 15:33 /var/run/netns/testing
# ip netns exec testing ip link show
1: lo: <LOOPBACK> mtu 65536 qdisc noop state DOWN mode DEFAULT group default
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
# ip netns delete testing
# ls -l /var/run/netns/
total 0
Where is my net namespace

#!/bin/bash
PID=$(pgrep "$@")                 # Arg should produce one match
NS=$(ls -1 /proc/${PID}/ns/net)   # the namespace file of that process
echo "${NS} is the file you are looking for"
# What now, symlink $NS to /var/run/netns/a_random_name?
# We could also use nsenter?
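Before symlinking or nsenter-ing anything it is worth knowing whether two processes are in the same network namespace at all. The identity that `ip netns` and nsenter key on is the nsfs inode behind /proc/PID/ns/net, so the check below (an added example, not code from the talk or from the create_net_namespace repo) stats that path for two PIDs and compares the (device, inode) pair; it needs no root for your own processes. The function names and the sample link text "net:[4026531992]" are constructed for this example.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Parse the inode number out of a namespace link target such as
 * "net:[4026531992]" (what readlink returns for /proc/PID/ns/net).
 * Returns 0 on success, -1 if the text is not a net namespace link. */
int parse_ns_inode(const char *link, unsigned long *inode)
{
    const char *open = strchr(link, '[');
    if (!open || strncmp(link, "net:", 4) != 0)
        return -1;
    char *end;
    unsigned long v = strtoul(open + 1, &end, 10);
    if (end == open + 1 || *end != ']' || end[1] != '\0')
        return -1;
    *inode = v;
    return 0;
}

/* Identity of the network namespace a PID lives in: the (st_dev, st_ino)
 * pair of /proc/PID/ns/net. stat() follows the magic symlink, so the
 * values describe the nsfs inode, not the /proc entry.
 * Returns 0 on success, -1 if the PID is gone or not visible. */
int netns_identity(pid_t pid, dev_t *dev, ino_t *ino)
{
    char path[64];
    struct stat st;
    snprintf(path, sizeof path, "/proc/%ld/ns/net", (long)pid);
    if (stat(path, &st) == -1)
        return -1;
    *dev = st.st_dev;
    *ino = st.st_ino;
    return 0;
}

/* 1 if both PIDs share one network namespace, 0 if not, -1 on error.
 * A container process that reports 1 against the host's PID 1 is not
 * network-isolated (Docker's shared/host networking, or a misconfiguration). */
int same_netns(pid_t a, pid_t b)
{
    dev_t da, db;
    ino_t ia, ib;
    if (netns_identity(a, &da, &ia) == -1 || netns_identity(b, &db, &ib) == -1)
        return -1;
    return (da == db && ia == ib) ? 1 : 0;
}

int main(int argc, char **argv)
{
    /* Usage: ./netns_check [PID]; default compares this process with PID 1. */
    pid_t other = argc > 1 ? (pid_t)atol(argv[1]) : 1;
    int r = same_netns(getpid(), other);
    if (r == -1) {
        perror("stat /proc/PID/ns/net");
        return 1;
    }
    printf("pid %ld and pid %ld %s the same network namespace\n",
           (long)getpid(), (long)other, r ? "share" : "do NOT share");
    return 0;
}
```

Run it from inside a container against a PID you know belongs to the host (or to another container) to confirm the isolation you expect; a result of "share" where you expected isolation is the thing to investigate. Comparing inodes alone is enough on one host, because nsfs hands out one inode per namespace for as long as it exists.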
Docker default mode
Docker “shared” networking
Docker “none” mode
And also... Overlays!!!
(Clouds love them)
OpenStack networking

Lots of choices:
- Open vSwitch
- Linuxbridge
- Commercial (several)

Most people use Open vSwitch:
- Free
- Featureful
Neutron + Open vSwitch

- Overlays (GRE, VXLAN)
- Provider networks
- External/Floating networks
- Isolation
- Programmable via API
- Decent performance and stability

Good job Neutron developers!!!
OpenStack part 1

In OpenStack, network namespaces are really used to provide just one thing:
Overlapping IP space

OpenStack part 2

Two different neutron agents make use of namespaces:
- neutron-l3-agent
- neutron-dhcp-agent
[Diagram: eth0, eth1, Namespace A, Namespace B, n router namespaces]

OpenStack part 3

[Diagram: br-ex, br-int, router namespaces with qr and qg interfaces, dnsmasq A and dnsmasq B, VLAN tag 1 and VLAN tag 2]
This is simplified for space, if you look at a network node it will look a bit different.
Thank you!
Questions?
Appendix

- https://www.openstack.org/assets/presentation-media/HK-Openstack-Namespaces1-.pdf
- https://docs.docker.com/articles/networking/
- https://github.com/geekinutah/create_net_namespace
- https://lwn.net/Articles/531114/