http://lxc.sourceforge.net/network/configuration.php
Linux Containers - Network Namespace configuration
Introduction
It is recommended that you read the network
namespace description before.
This short howto describes how to set up a network namespace testbed.
The setup is simple:
- Two hosts A and B
- Host A has a custom kernel with the network namespace support
compiled in
- Host B has no particular requirements
All the actions described below take place on Host A.
Installation
Introduction of network namespaces in mainline started in release
2.6.24
and is still an ongoing work (April 2008). Kernel 2.6.26 will contain
support for IPv4 and IPv6. Before kernel 2.6.26 is available, network
namespaces can be tested using Dave Miller's development tree 'net-2.6'
or Andrew Morton's 2.6.25-mm1.
- Get the net-2.6 git tree:
- Configure the kernel: enable the following configuration options:
-
Activate namespaces support (CONFIG_NAMESPACES=y):
-> General setup
-> Namespaces support [Y]
-
Until sysfs support for network namespace is merged,
Deactivate sysfs (CONFIG_SYSFS=n) (two steps required):
CONFIG_EMBEDDED=y
-> General setup
-> Configure standard kernel features (for small systems) [Y]
CONFIG_SYSFS=n
-> File systems
-> Pseudo filesystems
-> sysfs file system support [N]
Note: This document doesn't explain how to boot a
distro with sysfs disabled. This is left as an exercise for the reader.
-
Activate the network namespaces (CONFIG_NET_NS=y):
-> Networking
-> Networking support [Y]
-> Networking options
-> Network namespace support [Y]
-
Add the virtual ethernet pair device (CONFIG_VETH=y):
-> Device Drivers
-> Network device support
-> Network device support [Y]
-> Virtual ethernet pair device [Y]
-
Add the mac-vlan device (CONFIG_MACVLAN=y)(optional):
-> Device Drivers
-> Network device support
-> Network device support [Y]
-> MAC-VLAN support (EXPERIMENTAL) [Y]
- Build, install and reboot.
Step-by-step configuration
This section describes two different methods to configure a new network
namespace.
The figure below shows the network setup and the IP addresses
associated with each device.
Host A Host B
_______________________ ___________
| | | |
| ________ ________ | | |
| | Cont 1 | | Cont N | | | |
| | | | | | | |
| | veth1 | | vethN | | | |
| |___|____| |___|____| | | |
| | | | | |
| veth0 vethN-1 | | |
|_____|__________|______| |___________|
| |
| eth0 (192.168.0.1) | eth0 (192.168.0.2)
| |
-------------------------------------------------------
Container 1:
* veth0: 192.168.0.101
* veth1: 192.168.0.102
Two additional tools are needed to configure the network namespaces:
- An up-to-date version of iproute2
with the patch for the netns command applied.
This patch can be found here:
- A copy of the ns_exec program to unshare the network
namespaces:
Method 1: Using routes
This first method uses L3 routing to forward packets from inside the
container to the outside world.
On host A, you will need two command shells.
At the end of the configuration, shell 1 will run in the initial
network
namespace and shell 2 in the new network namespace. Unless noted
otherwise, all the commands below have to be executed in shell 1.
- Enable IP forwarding:
echo 1 > /proc/sys/net/ipv4/ip_forward
- Enable ARP proxy on the physical interface eth0:
echo 1 > /proc/sys/net/ipv4/conf/eth0/proxy_arp
- Create an veth ethernet device pair:
ip link add type veth
Note: This will create two network interfaces called veth0 and veth1.
You can also specify the names of the interfaces to create by passing
two 'name' arguments to the ip command:
ip link add name FOO type veth peer name BAR
- Assign an IP address to veth0 and activate it:
ifconfig veth0 192.168.0.101/24 up
Note: veth0 will become ready only when veth1 becomes ready
too.
- Add a route to veth1 IP address via veth0:
route add -host 192.168.0.102 dev veth0
Note: Address 192.168.0.102 will be assigned to veth1 later.
- Enable ARP proxy on the interface veth0:
echo 1 > /proc/sys/net/ipv4/conf/veth0/proxy_arp
- In shell 2, unshare network namespace:
ns_exec -nm -- /bin/bash
Note: ifconfig command output shows that only the loopback
device is
present in this new namespace.
- (optional) In shell 2, re-mount sysfs in the new namespace
mount -t sysfs none /sys
Note: Execute this step only if the patchset that introduces sysfs
tagged directories is present in the kernel.
- In shell 1, move veth1 to the new network namespace:
ip link set veth1 netns $PID_OF_SHELL_2
Note: In shell 2, ifconfig command output now shows that veth1
is present in the
new namespace.
- In shell 2, assign an IP address to veth1 and activate it:
ifconfig veth1 192.168.0.102/24 up
- In shell 2, activate the loopback
ifconfig lo up
- Network is now configured in the new namespace (shell 2). You
should
now be able to communicate with Host B.
ping 192.168.0.2
ssh 192.168.0.2
...
Cleanup
To clean your system up after the test, here are the steps:
- Exit the new network namespace: exit shell B.
Note: ifconfig shows veth1 moved back to the initial namespace.
- Delete the veth pair:
ip link delete veth0
- Disable ip forwarding:
echo 0 > /proc/sys/net/ipv4/ip_forward
- Disable ARP proxy on eth0:
echo 0 > /proc/sys/net/ipv4/conf/eth0/proxy_arp
Method 2: Using ethernet bridges
This second method uses ethernet bridges instead of IP routing to
forward packets from inside the container to the outside world.
On host A, you will need two command shells. At the end of the
configuration, shell 1 will run in the initial network namespace and
shell 2 in the new network namespace. Unless specified, all the
commands
below have to be executed in shell 1.
- Create a veth device pair:
ip link add type veth
Note: This will create two network interfaces called veth0 and veth1.
You can also specify the names of the interfaces to create by passing
two 'name' arguments to the ip command:
ip link add name FOO type veth peer name BAR
- Activate veth0:
ifconfig veth0 up
- Create an ethernet bridge br0:
brctl addbr br0
- Assign eth0 IP address to br0 and activate it:
ifconfig br0 192.168.0.1/24 up
- Add the physical interface eth0 to the bridge:
brctl addif br0 eth0
Note: network traffic on eth0 can "hang" for a few seconds
after this
command.
- Remove IP address from eth0:
ifconfig eth0 0.0.0.0
- Add the virtual interface veth0 to the bridge:
brctl addif br0 veth0
- Check your bridge settings:
brctl show
- In shell 2, unshare network namespace
ns_exec -nm -- /bin/bash
- (optional) In shell 2, re-mount sysfs in the new namespace
mount -t sysfs none /sys
Note: Execute this step only if the patchset that introduces sysfs
tagged directories is present in the kernel.
- In shell 1, move veth1 to the new network namespace:
ip link set veth1 netns PID_OF_SHELL_2
- In shell 2, assign an IP address to veth1 and activate it:
ifconfig veth1 192.168.0.102/24 up
- In shell 2, activate the loopback
ifconfig lo up
- Network is configured in the new namespace (shell 2). You should
now
be able to communicate with host B.
- Create a second veth pair (eg. veth2/veth3) and a second network
namespace. Add veth2 to the bridge and move veth3 to the new network
namespace (follow the same steps as the first pair). You should now be
able to communicate between the two network namespaces created.
Cleanup
To clean your system up after the test, here are the steps:
- Exit the new network namespace: exit shell B
- Delete the veth pair:
ip link delete veth0
- Deactivate and delete the ethernet bridge:
ifconfig brctl down
brctl delbr br0
- Reassign its IP address to eth0:
ifconfig eth0 192.168.0.1/24
