Linux Network Namespaces – Background

Namespaces

Managing network namespaces using the ip command is the preferred way. It is helpful to understand what is going on in the (kernel) background.

If you create two network namespaces using

ip netns add ns1
ip netns add ns2

you find two entries in the directory /var/run/netns/

ls -la /var/run/netns/
total 0
drwxr-xr-x  2 root root   80 Sep 19 22:18 .
drwxr-xr-x 39 root root 1500 Sep 19 22:18 ..
-r--r--r--  1 root root    0 Sep 19 22:18 ns1
-r--r--r--  1 root root    0 Sep 19 22:18 ns2

Each network namespace has a unique inode, and the link /proc/PID/ns/net of every process points to the inode of the namespace it belongs to. This makes it possible to check whether two processes belong to the same namespace. Look in /proc/self/ns/ at the entry net:

root:~# ls -la /proc/self/ns/
...
lrwxrwxrwx 1 root root 0 Sep 19 22:36 net -> net:[4026531956]
...

root:~# ip netns exec ns1 ls -la /proc/self/ns/
...
lrwxrwxrwx 1 root root 0 Sep 19 22:37 net -> net:[4026532399]
...

root:~# ip netns exec ns2 ls -la /proc/self/ns/
...
lrwxrwxrwx 1 root root 0 Sep 19 22:41 net -> net:[4026532485]
...

The shell process we are using and the namespaces ns1 and ns2 have different net:[] inodes assigned. These inodes are the inodes of the entries in /var/run/netns/. The default network namespace has no entry there.

Network namespaces might also be assigned to PIDs.

Newer versions of ip have the commands ip netns identify PID (this command walks through /var/run/netns and finds all the network namespace names for the network namespace of the specified process) and ip netns pids NAME (this command walks through /proc and finds all of the processes that have the named network namespace as their primary network namespace).
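The following script is an added example, not code from the article: it re-implements the lookups that ip netns identify and ip netns pids perform, using only the facts above (the inode behind /proc/PID/ns/net, and the bind mounts in /var/run/netns that carry the same inode). It assumes a Linux /proc, GNU coreutils stat and sed, and root when other users' processes are inspected; namespace names and PIDs are whatever the system has.

```sh
#!/bin/sh
# Added example: compare nsfs inodes to map PIDs to network namespaces.
# Assumptions: Linux /proc, GNU stat/sed, ip netns bind mounts in NETNS_DIR.

NETNS_DIR=/var/run/netns

# Pull the numeric inode out of a "net:[4026531956]" link target.
extract_ns_inode() {
    printf '%s\n' "$1" | sed -n 's/^net:\[\([0-9]*\)]$/\1/p'
}

# Inode of the network namespace a PID lives in ("self" works too).
netns_inode_of_pid() {
    target=$(readlink "/proc/$1/ns/net" 2>/dev/null) || return 1
    extract_ns_inode "$target"
}

# Inode of a named namespace: /var/run/netns/NAME is a bind mount of some
# process's /proc/PID/ns/net, so stat on it yields the same nsfs inode.
netns_inode_of_name() {
    stat -c %i "$NETNS_DIR/$1" 2>/dev/null
}

# Return 0 if the two PIDs share one network namespace.
same_netns() {
    a=$(netns_inode_of_pid "$1") || return 1
    b=$(netns_inode_of_pid "$2") || return 1
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Like "ip netns identify PID": print every name in /var/run/netns whose
# inode equals the PID's namespace inode (nothing for the default namespace).
identify_netns() {
    want=$(netns_inode_of_pid "$1") || return 1
    for f in "$NETNS_DIR"/*; do
        [ -e "$f" ] || continue
        [ "$(netns_inode_of_name "${f##*/}")" = "$want" ] && printf '%s\n' "${f##*/}"
    done
    return 0
}

# Like "ip netns pids NAME": walk /proc and print the PIDs whose ns/net
# inode matches the named namespace. Unreadable PIDs are skipped silently.
pids_in_netns() {
    want=$(netns_inode_of_name "$1") || return 1
    [ -n "$want" ] || return 1
    for d in /proc/[0-9]*; do
        pid=${d#/proc/}
        [ "$(netns_inode_of_pid "$pid")" = "$want" ] && printf '%s\n' "$pid"
    done
    return 0
}

# Usage: netns-lookup.sh identify PID | pids NAME | same PID1 PID2
case "${1:-}" in
    identify) identify_netns "$2" ;;
    pids)     pids_in_netns "$2" ;;
    same)     if same_netns "$2" "$3"; then echo same; else echo different; fi ;;
esac
```

Note that the comparison is by inode only; the real ip also compares the device number, which matters only if something other than nsfs happens to reuse the same inode number.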

Running cat /proc/self/mounts shows the number of network namespaces in the system:

cat /proc/self/mounts
...
many lines cut
...
proc net:[4026532399] proc rw,nosuid,nodev,noexec,relatime 0 0
proc net:[4026532485] proc rw,nosuid,nodev,noexec,relatime 0 0

The two lines above show that there are two network namespaces active in the system.

If you execute the same command inside a network namespace using ip netns exec ns1 cat /proc/self/mounts you get:

ip netns exec ns1 cat /proc/self/mounts
...
many lines cut 
...
proc net:[4026532399] proc rw,nosuid,nodev,noexec,relatime 0 0
proc net:[4026532485] proc rw,nosuid,nodev,noexec,relatime 0 0
...
ns1 /sys sysfs rw,relatime 0 0

The last line shows the network namespace of the current process: ip netns exec remounts /sys inside the namespace and uses the namespace name as the mount source.
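As an added example (not from the article), here are two small awk filters over the /proc/self/mounts format shown above: one counts and lists the network namespace mount entries, the other extracts the namespace name from the sysfs line that ip netns exec leaves behind. The sample input is constructed from the article's own output lines; the additional "nsfs /run/netns/NAME nsfs" line format, which newer kernels print instead of "proc net:[INODE] proc", is an assumption about those kernels and is matched as well.

```sh
#!/bin/sh
# Added example: parse network-namespace entries out of /proc/self/mounts.
# Pipe the live file in: cat /proc/self/mounts | count_netns_mounts

# Count network-namespace mounts. The article's kernel shows them as
# "proc net:[INODE] proc ..."; newer kernels show "nsfs /run/netns/NAME nsfs ..."
# (assumed format). Both are matched.
count_netns_mounts() {
    awk '$2 ~ /^net:\[/ || $3 == "nsfs" { n++ } END { print n + 0 }'
}

# Print the inode (old format) or the mount point (nsfs format) of each entry.
list_netns_mounts() {
    awk '$2 ~ /^net:\[/ { sub(/^net:\[/, "", $2); sub(/\]$/, "", $2); print $2 }
         $3 == "nsfs"   { print $2 }'
}

# Name of the namespace "ip netns exec" put us in: it mounts a fresh sysfs on
# /sys with the namespace name as the source, so the line reads "ns1 /sys sysfs ...".
# In the default namespace the source is plain "sysfs" and nothing is printed.
netns_exec_name() {
    awk '$2 == "/sys" && $3 == "sysfs" && $1 != "sysfs" { print $1 }'
}

# Constructed sample: the relevant lines of the article's "ip netns exec ns1" output.
SAMPLE_MOUNTS='proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
sysfs /sys sysfs rw,nosuid,nodev,noexec,relatime 0 0
proc net:[4026532399] proc rw,nosuid,nodev,noexec,relatime 0 0
proc net:[4026532485] proc rw,nosuid,nodev,noexec,relatime 0 0
ns1 /sys sysfs rw,relatime 0 0'

# Usage: netns-mounts.sh demo   (runs the filters over the constructed sample)
if [ "${1:-}" = demo ]; then
    printf '%s\n' "$SAMPLE_MOUNTS" | count_netns_mounts   # 2
    printf '%s\n' "$SAMPLE_MOUNTS" | list_netns_mounts    # 4026532399, 4026532485
    printf '%s\n' "$SAMPLE_MOUNTS" | netns_exec_name      # ns1
fi
```

The count only covers namespaces that ip netns has bind-mounted; a namespace that exists solely because a process lives in it has no mount entry and is only visible through /proc/PID/ns/net.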

Interfaces

If you create a veth pair and assign one side to ns1 and the other side to ns2 using the commands

ip link add veth-a type veth peer name veth-b
ip link set veth-a netns ns1
ip link set veth-b netns ns2

Interfaces may also be assigned to a process:

# create a veth pair and move the peer end (veth-f)
# into the network namespace of PID 1234
#
ip link add veth-e type veth peer name veth-f netns 1234

This attaches the interface veth-f not just to PID 1234 but to the network namespace that process 1234 belongs to. The network namespace survives, even if the process terminates.

How do you find the namespaces to which the interfaces belong?

How do you find all interfaces in your system and their mapping to network namespaces/PIDs?
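One way to answer both questions with the tools already used in this article, as an added example that is not part of the original post: list the interfaces of the default namespace, of every named namespace in /var/run/netns (via ip netns exec), and, for a namespace that has no name because it was only ever referenced by a PID, enter it through that PID with nsenter (util-linux, assumed to be installed). Root is needed for ip netns exec and nsenter; the parser is exercised on a constructed "ip -o link" sample.

```sh
#!/bin/sh
# Added example: inventory of interfaces per network namespace.
# Assumptions: iproute2 "ip -o link" one-line output, nsenter from util-linux,
# named namespaces bind-mounted under NETNS_DIR, root for the live commands.

NETNS_DIR=/var/run/netns

# Parse "ip -o link" output (one record per line) into "INDEX NAME" pairs.
# A veth shows as "veth-a@if6": the part after '@' is the peer's ifindex in
# the *other* namespace, so it is stripped from the name here.
parse_iflist() {
    awk -F': ' '$1 ~ /^[0-9]+$/ { name = $2; sub(/@.*/, "", name); print $1, name }'
}

# Print "NAMESPACE INDEX NAME" for one namespace; "-" means the default namespace.
list_ifaces_in() {
    ns=$1
    if [ "$ns" = "-" ]; then
        ip -o link
    else
        ip netns exec "$ns" ip -o link
    fi | parse_iflist | while read -r idx name; do
        printf '%s %s %s\n' "$ns" "$idx" "$name"
    done
}

# Interfaces of the namespace a PID lives in, for namespaces without an entry
# in /var/run/netns (e.g. one reached only via "ip link ... netns PID").
list_ifaces_of_pid() {
    nsenter -t "$1" -n ip -o link | parse_iflist | while read -r idx name; do
        printf 'pid:%s %s %s\n' "$1" "$idx" "$name"
    done
}

# Full inventory: default namespace first, then every named namespace.
interface_inventory() {
    list_ifaces_in -
    for f in "$NETNS_DIR"/*; do
        [ -e "$f" ] || continue
        list_ifaces_in "${f##*/}"
    done
}

# Constructed sample of "ip -o link" inside a namespace holding one end of a veth pair.
SAMPLE_IP_LINK='1: lo: <LOOPBACK> mtu 65536 qdisc noop state DOWN mode DEFAULT group default qlen 1000\    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
7: veth-a@if6: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN mode DEFAULT group default qlen 1000 link-netnsid 0\    link/ether 02:00:00:00:00:01 brd ff:ff:ff:ff:ff:ff'

# Usage: netns-ifaces.sh inventory | pid PID | demo
case "${1:-}" in
    inventory) interface_inventory ;;
    pid)       list_ifaces_of_pid "$2" ;;
    demo)      printf '%s\n' "$SAMPLE_IP_LINK" | parse_iflist ;;   # "1 lo" and "7 veth-a"
esac
```

The inventory is only complete for namespaces that are either named or reachable through a PID you know; a namespace kept alive solely by an open file descriptor or a bind mount elsewhere has to be located through those references first.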


Updated: 17/01/2021 — 13:18