2. VRF? (kinda)
Virtual routing and forwarding (VRF) is a
technology included in IP (Internet Protocol)
network routers that allows multiple instances
of a routing table to exist in a router and work
simultaneously. This increases functionality by
allowing network paths to be segmented
without using multiple devices.
3. Namespace = VRF++
Each Linux namespace has its own set of:
/proc/net
connection tracking
netfilter tables and chains (iptables, ebtables,
arptables, …)
myriad settings: buffers, window sizing, congestion
tuning, omg, yes, yes, yes!
network devices
routing table
4. Why?
The purpose of the patch series that includes
network namespaces is primarily to enable
containers, which, just like VMs, provide:
Isolation
Resource allocation
Lightweight++, security-- (when compared to
KVM)
5. Small example in C
Full(er) version at : https://github.com/geekinutah/create_net_namespace
#define _GNU_SOURCE
#include <sched.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/wait.h>
#include <unistd.h>
// Other declarations above skipped
static char child_stack[1048576]; // stack for the cloned child; it grows down, so clone() gets its top
// Entry point of the child; it already runs inside the new PID and network namespaces
int use_clone(void *arg)
{
(void)arg;
printf("Welcome to your new network namespace!\n");
printf("Here's the new output of 'ip link show'\n");
system("/sbin/ip link show");
printf("\n\n");
system("/bin/bash");
printf("Back to the old namespace.\n");
return 0;
}
int main (int argc, char **argv)
{
// Lots of code skipped here
// CLONE_NEWPID | CLONE_NEWNET require CAP_SYS_ADMIN; SIGCHLD makes the child reapable with waitpid()
pid_t child_pid = clone(use_clone, child_stack+1048576, CLONE_NEWPID | CLONE_NEWNET | SIGCHLD, NULL);
if (child_pid == -1) {
perror("clone");
return 1;
}
waitpid(child_pid, NULL, 0);
return 0;
}
6. Using iproute2
# ip netns create testing && echo "We have a new namespace."
We have a new namespace
# ls -l /var/run/netns/testing
-r--r--r--. 1 root root 0 Aug 27 15:33 /var/run/netns/testing
# ip netns exec testing ip link show
1: lo: <LOOPBACK> mtu 65536 qdisc noop state DOWN mode DEFAULT group default
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
# ip netns delete testing
# ls -l /var/run/netns/
total 0
7. Where is my net namespace
#!/bin/bash
PID=$(pgrep "$@") # Arg should produce one match
NS=$(ls -1 /proc/${PID}/ns/net) # readlink on it shows net:[<inode>], the namespace's identity
echo "${NS} is the file you are looking for"
# What now, symlink $NS to /var/run/netns/a_random_name?
# We could also use nsenter?
12. OpenStack networking
Lots of choices:
Open vSwitch
Linuxbridge
Commercial (several)
Most people use Open vSwitch
Free
Featureful
13. Neutron + Open vSwitch
Overlays (GRE, VXLAN)
Provider networks
External/Floating networks
Isolation
Programmable via API
Decent performance and stability
Good job Neutron developers!!!
14. OpenStack part 1
In OpenStack, network namespaces are really
used to provide just one thing:
Overlapping IP space
16. OpenStack part 3
[Diagram: n router namespaces (Namespace A, Namespace B) with qr and qg ports, br-int and br-ex bridges, dnsmasq A / dnsmasq B, Vlan tag 1 / Vlan tag 2, eth0 and eth1]
This is simplified for space; if you look at
a real network node it will look a bit different.