Why learn about network namespaces
Namespaces
Many container and virtualization technologies depend on the network namespace.
Typical container virtualization technologies such as LXC and Docker use it, and Neutron also uses the Linux network namespace.
It is also used when virtual switches such as Open vSwitch (openvswitch) are installed.
An introduction
Starting with the Linux 2.6.24 kernel, Linux supports 6 different types of namespaces. They exist so that user-created processes can be isolated from the rest of the system more thoroughly, without needing heavier underlying virtualization technologies.
CLONE_NEWIPC: IPC namespace, which isolates interprocess communication (IPC) resources: System V IPC objects and POSIX message queues.
CLONE_NEWPID: PID namespace. PIDs inside the namespace are allocated independently, so a PID inside the namespace may coincide with a PID outside it; to avoid the conflict, each process in the namespace is also visible outside it under a different PID. For example, the first process in a namespace has PID 1, while outside the namespace PID 1 is already taken by the init process.
CLONE_NEWNET: network namespace, which isolates network resources (/proc/net, IP addresses, network interfaces, routes, and so on). A daemon can listen on the same port in different namespaces, and the user can also create virtual network interfaces.
CLONE_NEWNS: mount namespace. A process can have mount points separate from the rest of the system; with it we can achieve what chroot does, with stronger isolation than chroot provides.
CLONE_NEWUTS: UTS namespace, whose main purpose is to give the process an independent hostname and Network Information Service (NIS) domain name.
CLONE_NEWUSER: user namespace. As with process IDs, user IDs and group IDs differ inside and outside the namespace, and the same ID can exist in different namespaces.
In the professional networking world, virtual routing and forwarding (VRF) has long been in common use; Cisco, Alcatel-Lucent, Juniper and others support this technology. In the L2 switching world, the concept of VLANs has been in use since the late 1990s: a single physical switch supports multiple broadcast domains, and most switches support up to 4k VLANs.
The same idea has been adopted in the L3 world. Many network devices now support VRF, which means that multiple virtual routers (Layer 3 forwarding instances) can run on a single physical device.
In the Linux world, the professional networking world's VRF goes by the name "network namespace". Linux also offers other namespaces (such as the mount namespace). The article at http://lwn.net/Articles/531114/ has more details.
Each network namespace has its own routing table and its own iptables rules for NAT and filtering. Linux also lets you run processes inside a network namespace.
But why would anyone use this feature? Consider a firewall running on a Linux system. You can assign all of the firewall's service interfaces to a separate network namespace. After that, the default network namespace and the firewall network namespace use different routing tables. Applications such as SSH are reachable only in the default namespace, not in the firewall namespace. You can even use the same IP address in each namespace without interference, but be careful at layer 2!
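The firewall scenario above, and the CLONE_NEWUSER/CLONE_NEWNET isolation listed in the introduction, can be tried out with iproute2 and util-linux. The script below is an added example, not code from the original article: the namespace names fw and app, the veth interface names and the 10.200.0.0/24 addresses are constructed for the demo. netns_demo needs root and shows that routes, iptables rules and processes are per namespace; userns_demo runs unprivileged where the kernel allows unprivileged user namespaces; both skip themselves otherwise.

```shell
#!/bin/sh
# Added example: per-namespace routing tables, iptables rules and processes.
# Names (fw, app, veth-fw, veth-app) and 10.200.0.0/24 are constructed here.
set -eu

# Identity of a process's network namespace, e.g. "net:[4026531992]".
# Needs no privileges; processes in the same netns return the same string.
netns_id_of() {
    readlink "/proc/$1/ns/net"
}

current_netns_id() {
    netns_id_of "$$"
}

demo_cleanup() {
    ip netns del fw 2>/dev/null || true
    ip netns del app 2>/dev/null || true
}

# Root-only part: two namespaces joined by a veth pair.
netns_demo() {
    if [ "$(id -u)" -ne 0 ] || ! command -v ip >/dev/null 2>&1; then
        echo "netns_demo: needs root and iproute2, skipping" >&2
        return 0
    fi
    trap demo_cleanup EXIT
    ip netns add fw
    ip netns add app
    # One end of the veth pair goes into each namespace.
    ip link add veth-fw type veth peer name veth-app
    ip link set veth-fw netns fw
    ip link set veth-app netns app
    ip -n fw  addr add 10.200.0.1/24 dev veth-fw
    ip -n app addr add 10.200.0.2/24 dev veth-app
    for ns in fw app; do ip -n "$ns" link set lo up; done
    ip -n fw  link set veth-fw up
    ip -n app link set veth-app up
    # The "app" routing table is independent of the host's.
    ip -n app route add default via 10.200.0.1
    echo "--- routes in app:"; ip -n app route
    # iptables state is per namespace: a rule added in fw is absent from app.
    if command -v iptables >/dev/null 2>&1; then
        ip netns exec fw iptables -A INPUT -p tcp --dport 22 -j DROP
        echo "--- fw INPUT chain:";  ip netns exec fw  iptables -S INPUT
        echo "--- app INPUT chain:"; ip netns exec app iptables -S INPUT
    fi
    # A process started with "ip netns exec" lives in a different netns.
    echo "host netns: $(current_netns_id)"
    echo "app netns:  $(ip netns exec app readlink /proc/self/ns/net)"
    if command -v ping >/dev/null 2>&1; then
        if ip netns exec app ping -c 1 -W 1 10.200.0.1 >/dev/null; then
            echo "app -> fw reachable over the veth pair"
        fi
    fi
}

# Unprivileged part: util-linux unshare(1) with CLONE_NEWUSER + CLONE_NEWNET.
# Inside, the caller's UID is mapped to 0 and /proc/self/net/dev lists only lo.
userns_demo() {
    if ! unshare -Urn true 2>/dev/null; then
        echo "userns_demo: unprivileged user namespaces unavailable, skipping" >&2
        return 0
    fi
    echo "outside: uid=$(id -u) netns=$(current_netns_id)"
    unshare -Urn sh -c 'echo "inside:  uid=$(id -u) netns=$(readlink /proc/self/ns/net)"; cat /proc/self/net/dev'
}

netns_demo
userns_demo
```

Run it as root on a Linux host with iproute2 installed to see the two routing tables and the differing INPUT chains; the `EXIT` trap removes both namespaces (and with them the veth pair) when the script finishes.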
Reference links:
https://lwn.net/Articles/531114/
http://www.opencloudblog.com/?p=42
Network Virtualization Foundations, Part 1: Linux Namespaces