Linux Network Namespace
Introduction
I thought I would write it for the output of knowledge.
One of the elements that make up container-type virtualization technology such as Docker is Network Namespace
You can create a virtual computer that is network-independent of the system simply by requiring command line operations.
Start Ubuntu 18.04 LTS. Enter the following command in the terminal. This is a command to install the packages needed for subsequent work. This will allow you to install the required packages.
Terminal
$ sudo apt-get update
$ sudo apt-get -y install
What is TCP / IP?
TCP(Transmission Control Protocol) IP(Internet Protocol)
The name of the protocol you use on a daily basis.
―― "The shipping company delivers the customer's luggage to the destination" -"Shipping company => Flow of reaching customers"
In the computer world as in the real world There is a mechanism to ensure that the package (data) arrives properly by the time it is delivered.
What is an IP address?
With a protocol called the Internet Protocol A type of identifier needed to communicate, like an address on the Internet
What is a network interface?
LAN cable, network interface card (NIC) or wireless LAN adapter Represents. However, it is an abstract concept when dealing with them from software.
What is IPv4 / IPV6?
IPv4 / 6 (Internet Protocol version 4 / 6 )
The world we are in now. __2 There are now two internets completely separate __ Since IPv4 / IPv6 are used as protocols, they are not compatible.
--IPv4 address for IPv4
--For IPv6, you need to use an IPv6 address
IPv4 is 32bit (4bite), while IPv6 is 128bit (16byte) As the number of new ones that can be used is decreasing with the spread, migration to IPv6 is being attempted.
(Supplement)
Has an IP address and is connected to the network
Computers that are not routers are called hosts
Connected to an indistinguishable network such as a host or router
The name of the computer is Node
operation
$ ip address show
Terminal
$ ip address show
1: lo:<LOOPBACK,UP,LOWER_UP> mtu XXXXX qdisc noqueue state UNKNOWN group default qlen XXXX
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 000.X.X.X/X scope host lo
valid_lft forever preferred_lft forever
inet6 ::X/XXX scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu XXXX qdisc fq_codel state UP group default qlen XXXX
link/ether XX:XX:Xx:XX:XX:XX brd ff:ff:ff:ff:ff:ff
inet 00.X.X.XX/XX brd XX.X.X.XXX scope global dynamic eth0
valid_lft XXXXXsec preferred_lft XXXXXsec
inet6 xxXX::XXX:Xxxx:xxXX:XXXX/XX scope link
valid_lft forever preferred_lft forever
The part after the display of inet is the IP address of the computer.
lo and eth0 are network interfaces
eth0 is the IP address corresponding to the sender
IP addresses are given to network interfaces as needed, that is
--The network interface lo has the IP address 000.X.X.X
--The network interface eth0 is given the IP address 00.X.X.XX.
Loopback address
The IP address 000.X.X.X of lo is a special address called loopback address.
Represents your own address
Convenient to use when you want to communicate only with yourself, such as checking the operation
Try it ($ ping -c 3 <your loopback address>)
You can see that the result is returned as if you hit the command
$ sudo tcpdump
Terminal
$ sudo tcpdump -tn -I any icmp
Tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
Listening on any, link-type LINUX_SLL (Linix cooked), capture size XXXXXX bytes
IP XX.X.X.XX > 8.8.8.8 : ICMP echo request, id XXXX, seq 1, lenght 64
IP 8.8.8.8 > XX.X.X.XX : ICMP echo reply, id XXXX, seq 1, lenght 64
IP XX.X.X.XX > 8.8.8.8 : ICMP echo request, id XXXX, seq 2, lenght 64
IP 8.8.8.8 > XX.X.X.XX : ICMP echo reply, id XXXX, seq 2, lenght 64
IP XX.X.X.XX > 8.8.8.8 : ICMP echo request, id XXXX, seq 3, lenght 64
IP 8.8.8.8 > XX.X.X.XX : ICMP echo reply, id XXXX, seq 3, lenght 64
A command that allows you to peep into the communication flowing through your computer
__ Packet capture __, __ Sniffing __
After typing $ ping, if you look at the terminal on the $ sudo tcpdump side
You can see that there were 3 exchanges request reply
$ traceroute
Terminal
$ traceroute -n 8.8.8.8
Trace route to 8.8.8.8 (8.8.8.8), 30 hops max, 60 byte packets
1 XX.X.X.X 0.568ms 0.562ms 1.044ms
2 XXX.XX.X.X 4.495ms 4.499ms 4.703ms
3 XX.X.X.XX 11.304ms 11.319ms 11.305ms
4 XX.X.X.XX 12.111ms 11.811ms 12.097ms
……
A command to check the route that a packet takes to reach its destination
The route to pass is the Route to pass.
This command is often used to troubleshoot networks
Route Network equipment The IP address displayed on each line is the packet passed IP address of the router
There are many routers on the Internet to send packets You can see that it is made up of bucket relays
What is a routing table?
In the TCP / IP world, the next party to which a packet should be passed is managed by the concept of routing table.
You can check the routing table with a command
$ ip route show
Terminal
$ ip route show
Default via XX.X.X.X dev eth0 proto dhcp src XX.X.X.XX metric XXX
XX.X.X.X/XX dev eth0 proto kernel scope link src XX.X.X.XX
XX.X.X.X dev eth0 proto dhcp scope link src XX.X.X.XX metric XXX
First, the routing table consists of multiple routing entries
Each row is a routing entry
The destination IP address is written at the beginning of each routing entry
Destination default is a special destination and is used when none of the others correspond to the destination
XX.X.X.X / XX on the 3rd line is a representation method that summarizes multiple IP addresses In this way, the routing table uses the destination IP address. Not necessarily written one by one
$ ping
Terminal
$ ping -c 3 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56 (84) bytesofdata.
64 bytes from 8.8.8.8: icmp_seq=1 ttl=63 time=9.06 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=63 time=8.88 ms
64 bytes from 8.8.8.8: icmp_seq=3 ttl=63 time=10.3 ms
8.8.8.8 pingstatistics
3 packets transmitted, 3 received, 0% packet loss, time 2004ms
rtt min/avg/max/mdev = 8.883/9.445/10.386/0.678ms
Used to check __communication __ on the TPC / IP network.
I have sent three messages requesting a response with the option -c 3. Therefore, three replies will be returned.
”3 packets transmitted, 3 received, 0%” You can see that the response to the request you made has arrived safely.
Network Namespace of the main subject
Network Namespace is one of the elements that make up container-type virtualization technologies such as Docker.
Terminal
$ sudo ip netns add helloworld
$ ip netns list
hello world
$ ip netns add
You can create a new Namespace
$ ip netns list
Can be confirmed like ls
$ sudo ip netns exec [Namaspace name]
Can be executed with this command
Terminal
$ sudo ip netns add ns1
$ sudo ip netns add ns2
I knew how to make it, so I made two
You have now created a network of ns1 and ns2, but they are still independent of each other.
To connect the two, a virtual "veth" (Virtual Ethernet Device)
Use the network interface, use the $ ip link add subcommand to create a veth
Terminal
$ sudo ip link add ns1-veth0 type peer name ns2-veth0
$ip link add
Network interface creation command
This created the veth network interface ns1-veth0 and ns2-veth0 are the names of the network interfaces to create
Terminal
$ ip link show | grep veth
3 : ns2-veth0@ns1-veth0 : <BROADCAST, MULTICAST, M-DOWN> mtu XXXX qdisc noop
state DOWN mode DEFAULT group default qlen XXXX
4 : ns1-veth0@ns2-veth0 : <BROADCAST, MULTICAST, M-DOWN> mtu XXXX qdisc noop
state DOWN mode DEFAULT group default qlen XXXX
Use the grep command to narrow down and check only those that contain the character string veth.
In the real world, two network interfaces connected by a LAN cable have been created.
However, since this is still created and belongs to the system area
Make it available in Network Namespace
Terminal
$ sudo ip link set ns1-veth0 netns ns1
$ sudo ip link set ns2-veth0 netns ns2
Specify netns and Namespace name after the name of the network interface you want to set
It looks like this However, at this stage, it is almost the same as connecting PCs with a cable. Communication is not possible unless settings are made like a real PC
An IP address is required when communicating using IP
So you have to give the veth interface an IP address
Terminal
$ sudo ip netns exec ns1 ip address add XXX.X.X.1/XX dev ns1-veth0
$ sudo ip netns exec ns2 ip address add XXX.X.X.2/XX dev ns1-veth0
$ ip address add
To set the IP address $ ip address add
IP address XXX.X.X.1 for ns1-veth0
ns2-veth0 is given the IP address XXX.X.X2
In addition, there are two concepts, UP and DOWN.
The initial state is DOWN, so set it to UP when using it.
Terminal
$ sudo ip netns exec ns1 ip link set ns1-veth0 up
$ sudo ip netns exec ns2 ip link set ns2-veth0 up
Check if connected
Terminal
$ sudo ip netns exec ns1 ping -c 3 XXX.X.X.2
It looks like this
At the end
Although it is in the same network, I understood the relationship of connecting with the veth interface for the time being. Since it will be more complicated, I will write Qiita in stages.
Recommended Posts