Network Namespace

👉 Overview

👀 What ?

The Linux Network Namespace is a feature of the Linux kernel that isolates network resources for a collection of processes. It is essentially a virtual network stack that includes its own routes, firewall rules, and network devices.

🧐 Why ?

Network namespaces are extremely important for providing process-level network isolation, which is a key aspect of containerization. It allows processes within the namespace to have their own private network stack, separate from other namespaces. This means that applications can run in a completely isolated network environment, without being able to interfere with each other. This is also crucial for security, as it restricts the network access of processes, reducing the attack surface.

⛏️ How ?

To create a new network namespace, you use the 'ip netns' command. For example, 'ip netns add mynamespace' creates a new namespace called 'mynamespace'. You can then run processes within this namespace by using the 'ip netns exec' command. For example, 'ip netns exec mynamespace somecommand' runs 'somecommand' in the 'mynamespace' network namespace.

⏳ When ?

Network namespaces were introduced in Linux kernel 2.6.24, which was released in 2008. They have since become a fundamental part of Linux container technologies like Docker and Kubernetes.

⚙️ Technical Explanations

A network namespace is a virtual replication of the network stack, including its own network devices, routing tables, and firewall rules. It's represented by a 'struct net' in the Linux kernel. When a process is created, it's associated with a namespace and all its network operations are performed within that namespace.

This association allows for process-level network isolation, which is a key aspect of containerization. Each process within a namespace has its own private network stack, separate from other namespaces. As a result, applications can run in a completely isolated network environment, without interfering with each other. This isolation also enhances security by restricting network access of processes, thereby reducing potential attack surfaces.

Creating a new network namespace requires the 'ip netns' command. For instance, 'ip netns add mynamespace' creates a new namespace named 'mynamespace'. To run processes within this namespace, the 'ip netns exec' command is used, such as 'ip netns exec mynamespace somecommand' which runs 'somecommand' in the 'mynamespace' network namespace.

Network namespaces were introduced in Linux kernel 2.6.24, released in 2008, and have since become a fundamental part of Linux container technologies like Docker and Kubernetes.

To control a process's network environment, you can change its namespace using the setns() system call. This function changes the network namespace of the calling process.

Let's walk through a detailed example of creating a new network namespace and running a process within it.

  1. First, create a new network namespace using the command ip netns add mynamespace.
$ ip netns add mynamespace

This command creates a new network namespace named 'mynamespace'.

  1. Verify the creation of new namespace by listing all the network namespaces.
$ ip netns list
mynamespace

This command lists all the available network namespaces. You should be able to see 'mynamespace' in the list.

  1. Now, let's run a process within this namespace, using the ip netns exec command. We'll run the ip addr command which shows the network configuration.
$ ip netns exec mynamespace ip addr

This command runs the ip addr command in the 'mynamespace' network namespace. The output shows the network configuration for 'mynamespace'.

  1. To control a process's network environment, you can change its namespace using the setns() system call. This function changes the network namespace of the calling process. It's not directly used on the command line but typically used in a program. Here is an example in C:
#define _GNU_SOURCE
#include <sched.h>
#include <fcntl.h>
#include <unistd.h>

int main() {
   int fd = open("/var/run/netns/mynamespace", O_RDONLY);  // open the namespace
   setns(fd, CLONE_NEWNET);  // set the network namespace
   close(fd);
   execlp("ip", "ip", "addr", NULL);  // execute the command in the new namespace
}

This program opens the 'mynamespace' network namespace, changes to it using setns(), and then runs the ip addr command in 'mynamespace'.

  1. Delete the created namespace once you are done using it.
$ ip netns delete mynamespace

This command deletes the 'mynamespace' network namespace.

Remember, network namespace is a powerful feature for providing process-level network isolation, enhancing security, and is a key aspect for containerization technologies like Docker and Kubernetes.

We use cookies

We use cookies to ensure you get the best experience on our website. For more information on how we use cookies, please see our cookie policy.