[Container from scratch] Part 1: Configure point-to-point net namespaces
Exploring one of the most-used Linux namespaces: the net namespace
What are we building here?
Two Linux net namespaces connected to each other by a point-to-point link.
Create 2 net namespaces
ip netns add red
ip netns add blue
# View created ns
ip netns
Compare links in the new namespace and on the host
View the IP links on the host:
ip link
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP mode DEFAULT group default qlen 1000
link/ether 00:15:5d:85:bc:44 brd ff:ff:ff:ff:ff:ff
View ip links in red namespace:
ip netns exec red ip link
# Or shorter command
ip -n red link
1: lo: <LOOPBACK> mtu 65536 qdisc noop state DOWN mode DEFAULT group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
Commands such as route and arp also show different results inside the namespace than on the host, because each net namespace has its own routing table, neighbour table and set of interfaces.
Create a virtual Ethernet cable between net namespaces
In Linux, this cable is a veth link: a pair of virtual Ethernet interfaces where whatever enters one end comes out the other.
ip link add veth-red type veth peer name veth-blue
When first created, both ends of the veth pair still sit in the host namespace; neither is attached to red or blue yet. Inspecting the host, we see two new links:
$ ip link
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP mode DEFAULT group default qlen 1000
link/ether 00:15:5d:85:bc:44 brd ff:ff:ff:ff:ff:ff
3: veth-blue@veth-red: <BROADCAST,MULTICAST,M-DOWN> mtu 1500 qdisc noop state DOWN mode DEFAULT group default qlen 1000
link/ether 1e:a3:93:a9:49:ed brd ff:ff:ff:ff:ff:ff
4: veth-red@veth-blue: <BROADCAST,MULTICAST,M-DOWN> mtu 1500 qdisc noop state DOWN mode DEFAULT group default qlen 1000
link/ether 36:fb:ef:e5:8c:b8 brd ff:ff:ff:ff:ff:ff
Link 2 net namespaces
Move the veth-red end into the red namespace:
ip link set veth-red netns red
Now one of the two new links belongs to the red namespace, as ip -n red link shows:
1: lo: <LOOPBACK> mtu 65536 qdisc noop state DOWN mode DEFAULT group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
4: veth-red@if3: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN mode DEFAULT group default qlen 1000
link/ether 36:fb:ef:e5:8c:b8 brd ff:ff:ff:ff:ff:ff link-netnsid 0
Notice the link is still DOWN: it has no IP address yet and has not been brought up.
Move the other end into the blue namespace:
ip link set veth-blue netns blue
Assign IPs for 2 peers
Before bringing up the link, give each peer its own IP address:
# State the prefix length explicitly: without it, ip installs a /32 and creates no connected route to the peer
ip -n red addr add 192.168.15.1/24 dev veth-red
ip -n blue addr add 192.168.15.2/24 dev veth-blue
Now bring up the link:
ip -n red link set veth-red up
ip -n blue link set veth-blue up
Ping the peer!!!
Congrats! You made it to the end of the tutorial. The two net namespaces are now set up. Test the link with ping:
ip netns exec red ping 192.168.15.2
A successful run looks like this:
PING 192.168.15.2 (192.168.15.2) 56(84) bytes of data.
64 bytes from 192.168.15.2: icmp_seq=1 ttl=64 time=0.034 ms
64 bytes from 192.168.15.2: icmp_seq=2 ttl=64 time=0.056 ms
64 bytes from 192.168.15.2: icmp_seq=3 ttl=64 time=0.056 ms
Troubleshooting
If ping doesn't work, have a look at the known issues below:
Loopback is DOWN
ip -n red link
If its state is DOWN:
1: lo: <LOOPBACK> mtu 65536 qdisc noop state DOWN mode DEFAULT group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
Bring the loopback interface up:
ip -n red link set lo up
A state of UNKNOWN on lo does not mean it is broken; that is the normal state for the loopback interface.
No route detected
ip -n red route
If the output is empty (this happens when the address was added without a prefix length, so no connected route was created), add a default route:
ip -n red route add default via 192.168.15.1
Do the same for the blue namespace.
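The whole procedure above, including the two troubleshooting fixes (lo up, explicit prefix so a connected route exists), as one script. This is an added example and not code from the original post; the namespace and interface names and the 192.168.15.0/24 subnet come from the tutorial, the /24 prefix length and the helper names are assumptions.

```shell
#!/bin/sh
# Added example (not code from the original post): build the red/blue
# point-to-point setup, verify it with ping, tear it down. Needs root
# with CAP_NET_ADMIN and the iproute2 `ip` tool.
set -eu

# Names and subnet from the tutorial; the /24 prefix length is assumed.
NS_A=red;  IF_A=veth-red;  IP_A=192.168.15.1
NS_B=blue; IF_B=veth-blue; IP_B=192.168.15.2
PREFIX=24  # a bare address gets /32 and no connected route to the peer

ptp_teardown() {
  # Deleting a namespace deletes the veth end inside it; a veth pair
  # disappears as soon as either end is deleted.
  ip netns del "$NS_A" 2>/dev/null || true
  ip netns del "$NS_B" 2>/dev/null || true
}

ptp_setup() {
  ptp_teardown                        # start from a clean state
  ip netns add "$NS_A"
  ip netns add "$NS_B"
  ip link add "$IF_A" type veth peer name "$IF_B"
  ip link set "$IF_A" netns "$NS_A"
  ip link set "$IF_B" netns "$NS_B"
  for ns in "$NS_A" "$NS_B"; do
    ip -n "$ns" link set lo up        # fresh namespaces ship with lo DOWN
  done
  ip -n "$NS_A" addr add "$IP_A/$PREFIX" dev "$IF_A"
  ip -n "$NS_B" addr add "$IP_B/$PREFIX" dev "$IF_B"
  ip -n "$NS_A" link set "$IF_A" up
  ip -n "$NS_B" link set "$IF_B" up
}

# Returns 0 only when each side can reach the other.
ptp_check() {
  ip netns exec "$NS_A" ping -c 1 -W 1 "$IP_B" >/dev/null &&
  ip netns exec "$NS_B" ping -c 1 -W 1 "$IP_A" >/dev/null
}

# Returns 0 if this process may create namespaces and has ping.
can_run_demo() {
  command -v ping >/dev/null &&
  ip netns add __ptp_probe 2>/dev/null && ip netns del __ptp_probe
}

if [ "${1:-}" = "run" ]; then
  ptp_setup && ptp_check && echo "red <-> blue reachable"
  ptp_teardown
fi
```

Run it as root with `sh script.sh run`; on an unprivileged host `can_run_demo` returns non-zero and nothing is changed.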