https://wiki.alpinelinux.org/w/api.php?action=feedcontributions&feedformat=atom&user=AmelentyevAlpine Linux - User contributions [en]2026-05-02T00:52:35ZUser contributionsMediaWiki 1.40.0https://wiki.alpinelinux.org/w/index.php?title=Netns&diff=26937Netns2024-07-21T19:32:02Z<p>Amelentyev: Fix a syntax error in the config example</p>
<hr />
<div>{{DISPLAYTITLE:netns}}<br />
<br />
'''netns''' (network namespaces) are another instance of the network stack with its own network devices (links), ip setup and firewall rules. Besides of using netns for building containers they can be used to get a stricter isolation than using [[VRF]]s.<br />
<br />
== Prerequisites ==<br />
<br />
The packages and patches described in this article are available in Alpine edge and ≥3.19.<br />
<br />
== netns management ==<br />
<br />
=== iproute2 ===<br />
<br />
Netns can be ad-hoc managed using the <code>ip netns</code> commands.<br />
<br />
{{cmd|<nowiki># ip netns<br />
# ip netns add tenant1<br />
# ip netns del tenant1<br />
# ip netns exec tenant1 ip -br link<br />
</nowiki>}}<br />
<br />
=== ifstate ===<br />
<br />
[https://ifstate.net IfState], a declarative network configuration tool, is full netns aware since IfState 1.9.0. The following config example creates a wireguard tunnel and a vlan sub-interface. The wireguard link <code>wg0</code> and the vlan sub-interface are moved into the <code>vpn</code> netns.<br />
<br />
{{cat|/etc/ifstate/config.yml|<nowiki># root netns<br />
interfaces:<br />
- name: eth0<br />
addresses:<br />
- 198.51.100.2/31<br />
link:<br />
state: up<br />
kind: physical<br />
routing:<br />
routes:<br />
- to: 0.0.0.0/0<br />
via: 198.51.100.1<br />
rules: []<br />
<br />
namespaces:<br />
# "vpn" netns<br />
vpn:<br />
interfaces:<br />
- name: eth0.42<br />
addresses:<br />
- 192.0.2.1/25<br />
link:<br />
state: up<br />
kind: vlan<br />
vlan_id: 42<br />
link: eth0<br />
# link to eth0 in root netns<br />
link_netns: null<br />
- name: wg0<br />
addresses:<br />
- 192.0.2.254/30<br />
link:<br />
state: up<br />
kind: wireguard<br />
# bind wireguard to the root netns<br />
bind_netns: null<br />
wireguard:<br />
private_key: !include /etc/wireguard/secret.key<br />
peers:<br />
- public_key: 3Eimby+9YtJwtx+peCsz6RiubRqAp+cATHNiGWsUsEU=<br />
endpoint: 203.0.113.42<br />
persistent_keepalive_interval: 30<br />
allowedips:<br />
- 0.0.0.0/0<br />
routing:<br />
routes:<br />
- to: 0.0.0.0/0<br />
dev: wg0<br />
rules: []<br />
</nowiki>}}<br />
<br />
== netns-based Service Isolation ==<br />
<br />
Services can be run isolated in a netns ('''and''' [[VRF]] inside the netns) when running at least OpenRC 0.49.0-r1. You can set the <code>$netns</code> variable for the service in {{path|/etc/conf.d}} in most cases.<br />
<br />
''The netns must already be created before a service can be started inside of it!''<br />
<br />
== netns-compatible initd scripts ==<br />
<br />
Not all initd scripts might be netns compatible. Some network stack related packages have been patched to be netns aware:<br />
<br />
* ipset<br />
* iptables<br />
* nftables<br />
<br />
[[Category:Networking]]</div>Amelentyev