Key Takeaway
<aside>
💡
In this article, we will learn about the purpose of Linux Network Namespaces and how to enable communication between isolated Network Namespaces using Virtual Ethernet (VETH) pairs.
Finally, a simple hands-on experiment will guide you step by step to achieve the results described above.
</aside>

Introduction to Linux Namespaces
Linux namespaces are a core component of containerization technology. They provide resource isolation between processes and are widely used in containerization, virtualization, and security scenarios. By dividing system resources into separate namespaces, processes are restricted to accessing only the resources within their own namespace, preventing direct interference with resources in other namespaces. Current namespace types include:
- Network Namespace
  - Isolates network resources, including network interfaces, routing tables, firewall rules, etc.
  - Use case: Each container can have its own networking environment, such as a unique IP address and ports.
  - Example: Containers can run independent web servers bound to the same port (e.g., 80) without conflict.
- UTS Namespace (UNIX Timesharing System)
  - Isolates the hostname and NIS domain name.
  - Use case: Containers can have their own hostnames, separate from the host or other containers.
  - Example: The `hostname` command inside a container returns a unique hostname.
- User Namespace
  - Isolates user and group ID mappings. It allows processes to run as root within a namespace while being mapped to an unprivileged user on the host.
  - Use case: Enhances container security by preventing root privileges inside the container from affecting the host.
  - Example: UID 0 (root) inside the container may be mapped to a non-root UID on the host.
- IPC Namespace (Inter-Process Communication)
  - Isolates IPC resources such as message queues, shared memory, and semaphores.
  - Use case: Ensures that IPC resources used within a container do not interfere with the host or other containers.
- Cgroup Namespace
  - Isolates the view of control groups (cgroups), so that processes only see the cgroups within their namespace.
  - Use case: Restricts access to cgroup structures inside containers, improving resource management and isolation.
- Time Namespace
  - Isolates system time and monotonic time.
  - Use case: Allows processes in containers to perceive different time settings (a newer feature introduced in Linux 5.6).
Network Namespace
A Network Namespace isolates the following network-related resources:
- Network Interfaces: Such as `eth0` and `lo` (the loopback interface). Each namespace can have its own set of network interfaces.
- IP Address: Each namespace can be assigned a unique IP address, supporting both IPv4 and IPv6.
- Routing Table: Each namespace has its own routing rules that determine how packets are forwarded.
- Firewall Rules (iptables/netfilter): Each namespace can define its own firewall policies independently.
- Protocol Stack: Separate instances of network protocols like TCP, UDP, etc.
- Port Space: Each namespace has an independent port range, allowing the reuse of the same port numbers (e.g., multiple containers binding to port 80 without conflict).
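The isolation described above can be observed directly from the shell. The script below is an added example, not part of the original article: the first three functions read the network-namespace identity the kernel exposes under `/proc/<pid>/ns/net` (no privileges needed, and useful when triaging a host to see which processes live outside the host namespace), and the root-only `isolation_demo` creates a throwaway namespace (the name `demo_ns` is an arbitrary choice) to show that it starts with its own interface list and an empty routing table.

```shell
#!/bin/sh
# Added example (not from the original article): inspect network-namespace
# membership from /proc without privileges, and, when run as root, show that
# a fresh namespace has its own view of interfaces and routes.

# Print the identity of a process's network namespace, e.g. "net:[4026531840]".
# The kernel exposes every namespace as the symlink /proc/<pid>/ns/net; two
# processes share a network namespace exactly when the link targets match.
netns_of() {
    readlink "/proc/${1:-self}/ns/net" 2>/dev/null
}

# Exit 0 when both PIDs live in the same network namespace, 1 otherwise.
same_netns() {
    a=$(netns_of "$1") && b=$(netns_of "$2") && [ -n "$a" ] && [ "$a" = "$b" ]
}

# Print "<pid> <netns>" for every readable process outside the caller's
# network namespace. On a plain host this is empty; entries mean containers
# or ip-netns sandboxes are running, which is worth knowing during triage.
foreign_netns_pids() {
    mine=$(netns_of self)
    for d in /proc/[0-9]*; do
        pid=${d#/proc/}
        ns=$(netns_of "$pid") || continue      # skip exited/unreadable PIDs
        [ -n "$ns" ] && [ "$ns" != "$mine" ] && echo "$pid $ns"
    done
    return 0
}

# Root-only demo: a new namespace sees only a (down) loopback and no routes,
# regardless of what the host namespace has configured. "demo_ns" is an
# arbitrary name chosen for this example.
isolation_demo() {
    [ "$(id -u)" -eq 0 ] || { echo "isolation_demo: needs root" >&2; return 1; }
    ip netns add demo_ns || return 1
    echo "host netns:    $(netns_of self)"
    echo "demo_ns netns: $(ip netns exec demo_ns readlink /proc/self/ns/net)"
    echo "--- interfaces inside demo_ns ---"; ip netns exec demo_ns ip link show
    echo "--- routes inside demo_ns (empty) ---"; ip netns exec demo_ns ip route show
    ip netns delete demo_ns
}

if [ "${1:-}" = "demo" ]; then isolation_demo; fi
```

Run `sh script.sh demo` as root to see the namespace comparison; without arguments the script only defines the functions so they can be sourced into an interactive shell.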