This post tells how Docker uses network namespace to isolate resources.
The following figure is the lab setup to help you understand the steps visually:
1. Create two network namespaces: ns1 and ns2.
– Add two new naetwork namespaces:
# ip netns add ns1 # ip netns add ns2
The above commands create network space by passing a flag to the clone() system call, CLONE_NEWNT.
– Check the new created ns:
# ip netns list ns2 ns1
When the IP tool creates a network namespace, it will create a bind mount for it under /var/run/netns/ as follows:
# ls /var/run/netns/ ns1 ns2
– List the interfaces visible inside the new created namespaces. You can see after first created, the lo loopback device is down and the route table is blank:
# ip netns exec ns1 ip a 1: lo: [LOOPBACK] mtu 65536 qdisc noop state DOWN group default qlen 1000 link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
# ip netns exec ns2 ip a 1: lo: [LOOPBACK] mtu 65536 qdisc noop state DOWN group default qlen 1000 link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
# ip netns exec ns2 ip route #
2. Create mydocker0 bridge:
– Create mydocker0 Linux bridge under default network namespace:
# brctl addbr mydocker0
# brctl show bridge name bridge id STP enabled interfaces ... mydocker0 8000.000000000000 no ...
# ip a add 172.16.1.254/16 dev mydocker0 # ip link set dev mydocker0 up
# route -n Kernel IP routing table Destination Gateway Genmask Flags Metric Ref Use Iface 0.0.0.0 10.182.64.1 0.0.0.0 UG 100 0 0 enp0s3 10.182.64.0 0.0.0.0 255.255.248.0 U 100 0 0 enp0s3 172.16.0.0 0.0.0.0 255.255.0.0 U 0 0 0 mydocker0 ...
3. Create VETH to connect network namespaces on namespace ns1:
– Setup a pair of virtual Ethernet devices- veth1&veth1p to connect default namespace and namespace ns1:
# ip link add veth1 type veth peer name veth1p
# ip -d link show |grep veth1 6149: veth1p@veth1: [BROADCAST,MULTICAST,M-DOWN] mtu 1500 qdisc noop state DOWN mode DEFAULT group default qlen 1000 6150: veth1@veth1p: [BROADCAST,MULTICAST,M-DOWN] mtu 1500 qdisc noop state DOWN mode DEFAULT group default qlen 1000
– Assing veth1 to mydocker0 and veth1 to namespace ns1:
# brctl addif mydocker0 veth1 # ip link set veth1 up
# brctl show bridge name bridge id STP enabled interfaces docker0 8000.3a6bde86d9e8 no br0 veth890eaea mydocker0 8000.6efa891a7162 no veth1 >>>>>>>> ...
# ip link set veth1p netns ns1 # ip netns exec ns1 ip a 1: lo: [LOOPBACK] mtu 65536 qdisc noop state DOWN group default qlen 1000 link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 6149: veth1p@if6150: mtu 1500 qdisc noop state DOWN group default qlen 1000 link/ether 2a:3b:ea:e3:63:dd brd ff:ff:ff:ff:ff:ff link-netnsid 0
– Change the name of veth1p to eth0:
# ip netns exec ns1 ip link set veth1p name eth0 # ip netns exec ns1 ip a 1: lo: [LOOPBACK] mtu 65536 qdisc noop state DOWN group default qlen 1000 link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 6149: eth0@if6150: mtu 1500 qdisc noop state DOWN group default qlen 1000 link/ether 2a:3b:ea:e3:63:dd brd ff:ff:ff:ff:ff:ff link-netnsid 0
– Assign IP address to eth0 in namespace ns1:
# ip netns exec ns1 ip link set eth0 up # ip netns exec ns1 ip a add 172.16.1.1/16 dev eth0 # ip netns exec ns1 ip route add default via 172.16.1.254 # ip netns exec ns1 ip route default via 172.16.1.254 dev eth0 172.16.0.0/16 dev eth0 proto kernel scope link src 172.16.1.1
4. Follow the same steps on namespace ns2:
# ip link add veth2 type veth peer name veth2p # brctl addif mydocker0 veth2 # ip link set veth2 up # ip link set veth2p netns ns2 # ip netns exec ns2 ip link set veth2p name eth0 # ip netns exec ns2 ip link set eth0 up # ip netns exec ns2 ip addr add 172.16.1.2/16 dev eth0 # ip netns exec ns2 ip route add default via 172.16.1.254
5. Test network connectivity between two namespaces:
# ip netns exec ns1 ping -c 2 172.16.1.2 PING 172.16.1.2 (172.16.1.2) 56(84) bytes of data. 64 bytes from 172.16.1.2: icmp_seq=1 ttl=64 time=0.457 ms 64 bytes from 172.16.1.2: icmp_seq=2 ttl=64 time=0.049 ms --- 172.16.1.2 ping statistics --- 2 packets transmitted, 2 received, 0% packet loss, time 1057ms rtt min/avg/max/mdev = 0.049/0.253/0.457/0.204 ms
# ip netns exec ns2 ping -c 2 172.16.1.1 PING 172.16.1.1 (172.16.1.1) 56(84) bytes of data. 64 bytes from 172.16.1.1: icmp_seq=1 ttl=64 time=0.058 ms 64 bytes from 172.16.1.1: icmp_seq=2 ttl=64 time=0.045 ms --- 172.16.1.1 ping statistics --- 2 packets transmitted, 2 received, 0% packet loss, time 1055ms rtt min/avg/max/mdev = 0.045/0.051/0.058/0.009 ms