Linux Network Namespace – WILT
In the next installment of “What I learnt today” or WILT, I briefly touch upon Network Namespace. I came across Namespace as part of my ongoing study of OpenStack networking. Namespaces are powerful constructs in Linux that allows you to create a copy of the TCP/IP network stack -all the way from the Ethernet interfaces (L2), routing tables etc.
This concept of supporting multiple instances of routing tables, networking devices is not very new. Most networking hardware vendors have supported the concept, albeit with different names such as “virtual routing and forwarding” or VRF. In Linux, the namespace concept is supported by “ip netns” command.
Why do we need namespace? -The cloud scenario
In private enterprises and even in our homes, we tend to use private IP addresses such as 192.168.XXX.XX. In a cloud environment (especially multi-tenancy), it is possible that more than one users use IP addresses that overlap with each other. It is important that cloud infrastructure services such as OpenStack allow overlapping IP addresses to co-exist without any problems. In OpenStack, Neutron uses Network Namespaces to provide the isolation between overlapping IP addresses.
Namespace in OpenStack
In OpenStack, users (Tenants) can create their “networks” with a IP range (subnet). Then they can create Virtual machine instances and associate them to this IP subnet. As part of these steps, a DHCP server is started for each network or subnet. The role of the DHCP server is to supply IP addresses and other useful infromation for their respective virtual machines. The picture below describes this scenario.
The DHCP server is started on the “network node” in OpenStack -using dnsmasq program. And to support multiple networks, multiple dnsmasq processes need to be started on the same network node, and that too with different IP addresses. This is accomplished using network namespace.
Here is the snippet of code from OpenStack Neutron source code for DHCP. In the spawn_process function, we can see at the end that netns command is used to start the dnsmasq process. The “cmd” variable is constructed using dnsmasq.
The ip netns command
One interesting tip about ip netns command is that the “exec” sub-command lets you execute a specific “shell” command on the specified namespace. With _ip netns exec bash, you can get a shell prompt specifically for the namespace. This will be useful in troubleshootign any networking problems. Commands and programs executed under the “exec” sub-command are aware of the “isolate namespace” only.